Future of FTP

[dnb]

My question is inspired by the fact that ftp.freebsd.org is listed in the list of projects that still use vsftpd

I like the old school style of FTP and would like to use it to give access to a wide range of users of my server. Here I mean read-only anonymous access without any TLS. Just using FreeBSD, Jails and vsftpd.

I need to provide quite heavy files to users, including virtual machines and ZFS snapshots (obtained by zfs send -R zpool/test@test > test.zfs). These are files ranging in size from 30Gb to perhaps 120Gb or even more. I'd like to support ftp even though I give HTTPS access to the same directory on server.

Unfortunately, in the above list there are fewer and fewer hosts that support FTP. Not only are they unavailable, but, as far as I can see, the A-record in the DNS zone for ftp is already missing. Of the most famous working hosts, I can list:

ftp.freebsd.org
ftp.suse.com
ftp.redhat.com
ftp.gnu.org

1 - Since ftp.freebsd.org is on this list, may I have your reasons why this protocol is being supported? Is this done for completeness of the protocols?

2 - What about accusations about FTP being vulnerable to attacks like MITM and others?

3 - What are your future plans for FTP?

 

[zirias@]

I can give partial and unofficial answers...

1. the ftp hosts are still there because they weren't deprovisioned yet.

2. ftp uses a separate connection for each data transfer (typically in the opposite direction), which is a bit dodgy concerning security, and also inefficient.

3. ftp support was recently removed from the pkg tool, so that's the first necessary step to take down the ftp servers some day.

All in all, ftp is dead for good. For anonymous downloads, http serves you much better nowadays. For anything else, I'd recommend sftp because ftp is inherently insecure.

 

[dnb]

Thanks for the reply, and since I didn't wait for multiple replies, I'd like to point out some inconsistencies in typical explanations for why FTP still works. Typically these arguments I've come across are not detailed enough, like just saying "FTP is deprecated" (when, in 2022 or in 2002?) or is it vulnerable (but in what configuration exactly?)

1. the ftp hosts are still there because they weren't deprovisioned yet.

Oh, if some system administrator just forgot to turn it off, then this must be done immediately right now , because users may be at risk. If it is not possible to do this right now, then a clearly reasonable maximum period should be determined when this should be done.

2. ftp uses a separate connection for each data transfer (typically in the opposite direction), which is a bit dodgy concerning security, and also inefficient.

You are right, this circumstance could explain why the protocol was used at least until the end of the 90s. But many of the same threats (like MITM) and inefficiencies have existed for the last 20 years. Thus, the above hosts should have been disabled years ago.

 

[zirias@]

Oh, if some system administrator just forgot to turn it off, then this must be done immediately right now , because users may be at risk.

You should have considered the context I gave in the answer to your third question:

3. ftp support was recently removed from the pkg tool, so that's the first necessary step to take down the ftp servers some day.

As long as using ftp is a valid configuration in the tooling distributed with the system, the project probably won't take down infrastructure. But first steps were taken to change the tooling.

There's no pressing need either. With anonymous, download-only ftp, the only risk I'm aware of is someone might be able to tamper with the data the client receives. The same would be possible (although probably a bit more complicated) with unencrypted http. Mitigations against this are possible and in use (like signed package repositories).

Still, it makes very little sense to deploy new ftp infrastructure nowadays.