The uses and weaknesses of FTP
File Transfer Protocol, also known as FTP, is a protocol primarily used to facilitate the transfer of files over a network.
There are a large number of applications which utilise FTP (my favourite being FileZilla), but the protocol is vulnerable and has been for a long time.
What are the issues with FTP?
FTP is one of those protocols that falls firmly into the "created before security was a serious consideration" camp. In fact, it was in use as early as 1971!
The problems with the protocol can be narrowed down into four general points:
1. Lack of Encryption
While all four areas are significant, this is the most serious and the reason why FTP is no longer used standalone to transfer files. All data is transmitted in plaintext, which leaves contents, authentication details and session information in the clear for anyone who can insert themselves into the conversation.
2. Weak Authentication Controls
Perhaps a continuation of the above, but login details are sent in the clear. This makes the protocol susceptible to packet sniffers and brute force attempts.
3. Integrity
FTP does not provide any built-in data authentication. This breaks CIA (confidentiality, integrity, availability) by failing to confirm that data received is actually provided by the intended sender.
4. Lack of Server-side controls
FTP has very limited functionality outside of the intended file transfer process. Due to this, directory traversal is quite easy.
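To make points 1 and 2 concrete from the defender's side, the following added example (not part of the original post) audits an FTP control-channel transcript and reports whether the login was readable on the wire, including the case where a client asks for TLS, is refused, and falls back to plaintext. The transcripts, host name and the `audit_session` helper are constructed for illustration; `AUTH TLS` and the `234` reply are the standard upgrade exchange.

```python
import re

# Constructed control-channel transcripts ("C:" client, "S:" server), not real captures.
PLAIN = ["S: 220 ftp.example.test ready", "C: USER alice",
         "S: 331 Password required", "C: PASS correct-horse", "S: 230 Login successful"]
FALLBACK = ["S: 220 ftp.example.test ready", "C: AUTH TLS",
            "S: 502 Command not implemented", "C: USER bob",
            "S: 331 Password required", "C: PASS tr0ub4dor", "S: 230 Login successful"]
UPGRADED = ["S: 220 ftp.example.test ready", "C: AUTH TLS", "S: 234 Proceed with negotiation"]

LINE = re.compile(r"^([CS]): (\S+)(?: (.*))?$")

def audit_session(lines):
    """Summarise what a passive observer of this control channel could read."""
    report = {"tls_negotiated": False, "tls_refused": False,
              "cleartext_user": None, "password_exposed": False, "login_ok": False}
    auth_pending = False
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # ignore anything that is not a command or reply line
        side, word, rest = m.group(1), m.group(2).upper(), m.group(3) or ""
        if side == "C":
            if word == "AUTH":
                auth_pending = True
            elif word == "USER":
                report["cleartext_user"] = rest
            elif word == "PASS":
                report["password_exposed"] = True  # the value itself is never stored
            continue
        code = word[:3]  # also covers multi-line replies such as "230-"
        if auth_pending:
            auth_pending = False
            if code == "234":
                report["tls_negotiated"] = True
                break  # everything after this reply is encrypted
            report["tls_refused"] = code[0] in "45"
        elif code == "230" and report["password_exposed"]:
            report["login_ok"] = True
    return report

if __name__ == "__main__":
    for name, session in (("plain", PLAIN), ("fallback", FALLBACK), ("upgraded", UPGRADED)):
        print(name, audit_session(session))
```

A session that reports `tls_refused` together with `password_exposed` is the one worth alerting on: the client wanted encryption and sent its credentials in the clear anyway.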
So what’s the solution?
Generally nothing. All organisations should do is ensure that FTP traffic is barred and avoid misconfiguration, so that applications do not use FTP traffic. As an alternative, FTP can be secured with SSL or Secure Shell, resulting in the FTPS or SFTP protocol respectively. These bring the much greater protections of SSL or Secure Shell to improve on the above issues.