43 Folders

Back to Work

Merlin’s weekly podcast with Dan Benjamin. We talk about creativity, independence, and making things you love.

Join us via RSS, iTunes, or at 5by5.tv.

”What’s 43 Folders?”
43Folders.com is Merlin Mann’s website about finding the time and attention to do your best creative work.

Panic's stevenf: Time to Dump FTP

Merlin Mann | Jul 14 2008

stevenf.com ("Don't Use FTP")

Transmit is Panic's FTP app -- which does indeed support SFTPSteven Frank, one of the boys wonder behind Panic and their excellent Transmit app says it’s high time to dump FTP in favor of its smarter, sexier sister, SFTP. Of which Steven says “It’s secure, it’s consistently implemented, and it’s machine-readable.”

A lot of people who have used FTP daily for years are surprised to learn that they're sending everything in the clear -- that means the stuff you're uploading as well as your actual password. Makes you think twice about what you're throwing through the air as you update your blog templates via "free WiFi."

Steven says:

If your host doesn't support SFTP, you should find a different host. It's not hard to support, and it's ridiculous to force people into using insecure protocols in the year 2008. Ask them, for example, why they don't support telnet. FTP is no better.

FTP has served us well, but it's time to move on. You wouldn't use a 23 year old computer to do your work, so don't use a protocol from the same vintage. Demand modern transfer protocols from your host.

I agree. If you're unsure whether your host will let you do SFTP (and SSH in general), ask. You may indeed need special permission (many providers "jail" garden-variety users in a way that disallows SSH without special permission). You may also need to find the correct port. On my host, A2, for example, you have to run SSH and SFTP on the unconventional port 7822, but it works like a charm once you're up.

Great suggestion, Steven. Worth getting the word out.

9 Comments
POSTED IN:
TOPICS: Internet, Security
stevenf's picture

It's not just the crypto

Submitted by stevenf on July 14, 2008 - 3:00pm.

Nate, you make several good points from the POV of a hosting provider that I hadn't considered.

Encryption is important, and FTP-TLS does provide that, but it doesn't help with any of the other issues, as it's just the same old protocol tunneled over a secure connection.

We get daily emails from users baffled by why "simple" things like setting modification dates or changing permissions won't work for them. Or why they get timeouts when trying to upload or download something, even though it works fine for the guy down the hall. We can sometimes resolve these problems, but a lot of the time, it's genuinely a server problem that we can't fix without breaking some unknown other number of users with the opposite problem.

It's an unwinnable balancing act that we workaround as best we can, but there is no 100% reliable set of workarounds that works for everybody as there are simply so many different varieties of FTP server, each with their own unique bugs and behaviors. A great deal of buggy servers don't even uniquely identify themselves, so we can only guess which set of workarounds to apply.

SFTP provides a better experience at the end-user level. For people who want to just get a file from here to there, it just works. And that's why I think it's a better option for the future.

» POSTED IN:
 
EXPLORE 43Folders THE GOOD STUFF

Popular
Today

Popular
Classics

Oldies but goldies

An Oblique Strategy:
Honor thy error as a hidden intention

STAY IN THE LOOP:

Subscribe with Google Reader

Subscribe on Netvibes

Add to Technorati Favorites

Subscribe on Pageflakes

Add RSS feed

The Podcast Feed

Cranking

Merlin used to crank. He’s not cranking any more.

This is an essay about family, priorities, and Shakey’s Pizza, and it’s probably the best thing he’s written. »

Scared Shitless

Merlin’s scared. You’re scared. Everybody is scared.

This is the video of Merlin’s keynote at Webstock 2011. The one where he cried. You should watch it. »