HomeBlogsMerlin's blog

Panic's stevenf: Time to Dump FTP

Submitted by Merlin on July 14, 2008 - 11:45am.

stevenf.com (“Don’t Use FTP”)

Transmit is Panic's FTP app -- which does indeed support SFTPSteven Frank, one of the boys wonder behind Panic and their excellent Transmit app says it’s high time to dump FTP in favor of its smarter, sexier sister, SFTP. Of which Steven says “It’s secure, it’s consistently implemented, and it’s machine-readable.”

A lot of people who have used FTP daily for years are surprised to learn that they’re sending everything in the clear – that means the stuff you’re uploading as well as your actual password. Makes you think twice about what you’re throwing through the air as you update your blog templates via “free WiFi.”

Steven says:

If your host doesn’t support SFTP, you should find a different host. It’s not hard to support, and it’s ridiculous to force people into using insecure protocols in the year 2008. Ask them, for example, why they don’t support telnet. FTP is no better.

FTP has served us well, but it’s time to move on. You wouldn’t use a 23 year old computer to do your work, so don’t use a protocol from the same vintage. Demand modern transfer protocols from your host.

I agree. If you’re unsure whether your host will let you do SFTP (and SSH in general), ask. You may indeed need special permission (many providers “jail” garden-variety users in a way that disallows SSH without special permission). You may also need to find the correct port. On my host, A2, for example, you have to run SSH and SFTP on the unconventional port 7822, but it works like a charm once you’re up.

Great suggestion, Steven. Worth getting the word out.

in

SFTP has its problems, too

Submitted by Nate on July 14, 2008 - 12:59pm.

That’s silly: SFTP has problems of its own. There’s no perfect solution, but most regular FTP servers can support SSL or TLS encryption, making them secure.

Many of his other complaints are legitimate issues from his point of view as someone who writes an FTP client. But from a hosting provider’s point of view:

  • SFTP requires you to use real accounts for each user.
  • Whereas, regular FTP servers support “virtual” users who do not need an actual Unix account.
  • SFTP requires each account to have an actual shell, since some of its functionality is accomplished by remotely executing commands. Usually that means the user can actually log in and get a shell prompt on your server using SSH – not a good thing if all you want to do is enable file transfers for your customers.
  • Regular FTP servers do not require users to have a shell, or even a Unix account on the server.
  • With regular FTP servers, adding a new virtual account can be as simple as adding a row to a database table. The users are restricted to their own directory (which can also be specified in the database).

To mitigate these problems, you can use various “fake” shells that provide just enough functionality to support SFTP. But that’s kind of dodgy and not nearly as simple as the virtual users approach.

For small-scale use (i.e., a few users whom you trust with a shell account), SFTP is great.

For commercial users, FTP-TLS can be a better choice, especially if you only want to enable file transfers and aren’t looking to give every user a shell account.

With that said, if your hosting provider doesn’t provide SFTP or FTP-TLS, then yes, dump them!