FTP protocol security

The original FTP specification is an insecure method of transferring files because it specifies no way of transferring data in encrypted form. This means that under most network configurations, user names, passwords, FTP commands and transferred files can be captured by anyone on the same network using a packet sniffer.
 
This is a problem common to many Internet protocol specifications written before SSL existed, such as HTTP, SMTP and Telnet. The common solution is to use either SFTP (SSH File Transfer Protocol) or FTPS (FTP over SSL), which adds SSL or TLS encryption to FTP.
Just to make things more complicated, FTPS is available in two forms, known as FTPS Implicit SSL and FTPS Explicit SSL.
 

FTPS Implicit SSL

In implicit SSL mode an SSL session is mandatory and is established between client and server before any data is exchanged. In other words, the use of SSL is implied, because any connection attempt by a non-SSL client is automatically refused by the server. FTPS implicit SSL services typically run on port 990.
 
FTPS Explicit SSL
 
In explicit SSL mode the client can optionally switch from unencrypted mode to SSL. This is useful because the server can support both unencrypted FTP and encrypted FTPS sessions on a single port, typically port 21. In an explicit SSL session the client first establishes an unencrypted connection to the FTP service. Before sending user credentials, the client then asks the server to switch the command channel to an SSL-encrypted channel using the AUTH TLS or AUTH SSL command. Once the SSL channel is set up, the client sends the user credentials to the FTP server. These credentials, along with every other command sent to the server during the FTP session, are automatically encrypted by the SSL channel.
 

Risks when using the FTP protocol

Using the FTP protocol is regarded as very unsafe because a password must always be entered for the transfer, and that password is then transmitted over the Internet without encryption. Although FTP is one of the oldest and most widely used Internet protocols, using it carries security risks. These include:
 
· A user's name and password are transferred in clear text when logging on and can therefore easily be read.
· When using an FTP connection, the transferred data could be misdirected to a remote computer other than its intended destination. Third parties can then download the data from that system to their own computers, or view and edit the data already there. This presents a significant risk, particularly when transferring company-confidential information.
· FTP sessions can also be used to recover the passwords of individual users, since the password is transferred in clear text when logging on. As a result, even someone with unauthorized access to the network can record the password.
 
It is therefore advisable to use SFTP connections to ensure that data is transferred securely. This data transfer protocol encrypts the connection between your computer and the server, so data is transferred to your computer over an encrypted connection (an SSH tunnel).
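The clear-text exposure described in the explicit SSL section and in the risk list above can be checked from a capture of the command channel. The following Python script is an added example, not code from the original article: it audits constructed sample transcripts (the "C:"/"S:" direction markers, user names and passwords are assumptions of this example, not a capture-file format) and reports whether a session negotiated AUTH TLS before the login, whether the client fell back to a clear-text login after the server refused AUTH TLS, or whether nothing is readable at all, as on an implicit FTPS port such as 990.

```python
"""Audit captured FTP command-channel lines for clear-text credential exposure.

Added example; not code from the original article. The transcripts below are
constructed samples in a simple "C: ..." / "S: ..." format (an assumption of
this script). Only the plaintext part of a session is visible to a sniffer:
after a successful AUTH TLS (reply 234) every later command is inside the TLS
session and nothing more can be read.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample 1: plain FTP on port 21, credentials and commands in the clear.
PLAIN_FTP = [
    "S: 220 FTP server ready",
    "C: USER alice",
    "S: 331 Password required for alice",
    "C: PASS hunter2",
    "S: 230 User alice logged in",
    "C: RETR payroll.xlsx",
    "S: 150 Opening BINARY mode data connection",
]

# Constructed sample 2: explicit FTPS; the capture ends at 234 because the
# rest of the command channel (USER, PASS, PROT P, ...) is encrypted.
EXPLICIT_FTPS = [
    "S: 220 FTP server ready",
    "C: AUTH TLS",
    "S: 234 Proceed with negotiation",
]

# Constructed sample 3: the server refuses AUTH TLS and the client falls back
# to logging in without encryption, so the credentials are exposed anyway.
DOWNGRADED = [
    "S: 220 FTP server ready",
    "C: AUTH TLS",
    "S: 502 Command not implemented",
    "C: USER bob",
    "S: 331 Password required for bob",
    "C: PASS s3cret",
    "S: 230 User bob logged in",
]

LINE_RE = re.compile(r"^(?P<dir>[CS]):\s*(?P<text>.*)$")


@dataclass
class Finding:
    tls_negotiated: bool = False          # server answered AUTH TLS/SSL with 234
    tls_refused: bool = False             # server rejected AUTH TLS/SSL
    exposed_user: Optional[str] = None    # user name seen in clear text
    exposed_password: bool = False        # PASS seen in clear text
    cleartext_commands: List[str] = field(default_factory=list)


def audit_session(lines: List[str]) -> Finding:
    """Walk the readable part of one command-channel session in order."""
    finding = Finding()
    awaiting_auth_reply = False
    for raw in lines:
        match = LINE_RE.match(raw)
        if not match:
            continue  # ignore lines that are not in the constructed format
        direction, text = match.group("dir"), match.group("text")
        if direction == "C":
            verb, _, arg = text.partition(" ")
            verb = verb.upper()
            if verb == "AUTH" and arg.strip().upper() in ("TLS", "SSL"):
                awaiting_auth_reply = True
                continue
            finding.cleartext_commands.append(verb)
            if verb == "USER":
                finding.exposed_user = arg.strip()
            elif verb == "PASS":
                finding.exposed_password = True
        elif awaiting_auth_reply:
            awaiting_auth_reply = False
            if text.startswith("234"):
                finding.tls_negotiated = True
                break  # everything after this reply is inside TLS
            finding.tls_refused = True
    return finding


def assess(finding: Finding, port: int = 21) -> str:
    """Summarise one session's exposure for a review or a detection rule."""
    if finding.exposed_password:
        reason = "credentials sent in clear text"
        if finding.tls_refused:
            reason += " after the server refused AUTH TLS (downgrade)"
        return "HIGH: " + reason
    if finding.tls_negotiated:
        return "OK: command channel protected by explicit TLS before login"
    if port == 990 and not finding.cleartext_commands:
        return "OK: implicit FTPS, no readable command channel"
    if finding.exposed_user:
        return "MEDIUM: user name exposed, password not observed"
    return "INFO: no credentials observed in clear text"


if __name__ == "__main__":
    for name, session in (("plain", PLAIN_FTP), ("explicit", EXPLICIT_FTPS),
                          ("downgraded", DOWNGRADED)):
        print(f"{name:10s} {assess(audit_session(session))}")
    print(f"{'implicit':10s} {assess(audit_session([]), port=990)}")
```

The downgraded sample is the case worth watching for: a client configured to try AUTH TLS but allowed to continue without it leaks the password exactly as plain FTP does, so the check on the server reply matters as much as the check for the AUTH command. Note also that a successful AUTH TLS protects only the command channel; the data connections that carry the files are protected separately, by a PROT P command sent inside the TLS session, which a capture-based audit like this one cannot observe.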