- \n
- People Don\u2019t Like Change<\/a><\/li>\n
- FTP is Faster than SFTP<\/a><\/li>\n<\/ul>\n<\/li>\n
- Some Regulations Prohibit the Use of FTP<\/a><\/li>\n
- Alternatives to FTP<\/a><\/li>\n
- FTP v FTPS<\/a><\/li>\n
- SFTP All The Way<\/a><\/li>\n<\/ul>\n
Man-in-the-Middle Attacks<\/h2>\n
Have you ever played the childhood game where you and a friend throw a ball back and forth to each other whilst another player stands in the middle and tries to intercept it?<\/p>\n
This is a great way to picture what happens during a man-in-the-middle attack (especially if the guy in the middle is invisible!).<\/p>\n
![\"Image](\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/05\/PiggyInTheMiddle.png\")
If the person in the middle catches the ball (or data), you lose the game.<\/figcaption><\/figure>\n Attacks can come in a few different forms, but the main concept is that two parties are passing information between each other with someone in the middle desperately trying to snatch it from them.<\/p>\n
They can range from silently observing the data exchange whilst the attackers look for an opportunity to use the information to their advantage or interrupting the exchange by setting up camp in the middle and manipulating the information.<\/p>\n
<\/p>\n
![\"Image](\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/05\/man-in-the-middle.png\")
Attackers can completely break the chain of communication between the two parties.<\/figcaption><\/figure>\n This means that if sensitive information is being traded such as bank details or client information, an attacker would have a field day.<\/p>\n
Unless, of course, the data is encrypted.<\/p>\n
If the files are encrypted, this shouldn’t pose much of a concern, because if the man (or woman) in the middle manages to get their hands on the files, they would be completely unreadable.<\/p>\n
Think of it as being able to speak only English and getting your hands on a ton of files in Elvish, with no way of translating them.<\/p>\n
When it comes to man-in-the-middle attacks, the key is being vigilant and acknowledging that whenever you\u2019re connected to the internet, there\u2019s always a chance you could be vulnerable to some form of attack.<\/p>\n
Whilst ensuring your files are only sent through encrypted channels a sensible backup in case your communication channel is breached, you should be actively trying to prevent attackers from gaining access to your files in this first place.<\/p>\n
Simple ways to do this include:<\/p>\n
- \n
- Use a Virtual Private Network (VPN), especially when connecting to public networks<\/li>\n
- Don’t use WiFi connections that aren\u2019t protected with a secure password<\/li>\n
- Never conduct financial transactions or sending sensitive data over public networks<\/li>\n
- Being cautious of websites that are flagged as unsecured by your browser.<\/li>\n<\/ul>\n
If you take all of these precautions but someone still manages to get access to your files (hackers are really smart these days – think Mr Robot), at least you have the fact that your files are encrypted to fall back on…<\/p>\n
…unless of course, you sent them using FTP.<\/p>\n
Why is FTP Still a Thing?<\/h2>\n
If I ran the world, FTP would be thrown promptly in the trash.<\/p>\n
It\u2019s outdated, it\u2019s unsafe, and with other much more secure alternatives readily available, it\u2019s hard to find valid reasons why people still rely on it.<\/p>\n
So, why do people still use it?<\/p>\n
People Don\u2019t Like Change<\/h3>\n
FTP has been around longer than the internet.<\/p>\n
No, seriously – the specification was written in 1971, more than a decade before the internet and the world wide web were created.<\/p>\n
So, it\u2019s not really a surprise that a concept created almost 50 years ago doesn\u2019t quite meet our needs in 2020.<\/p>\n
But, as many developers would say \u201cif it works, don\u2019t touch it\u201d.<\/p>\n
FTP does still do what it\u2019s supposed to, i.e. it moves files from one server to another…until you\u2019re the target of an attack.<\/p>\n
Think of it like leaving your front door unlocked. You know that thieves exist, and you probably even know someone who\u2019s had their house broken into in the past, but do you ever leave the door unlocked whilst you pop to the shop?<\/p>\n
The illusion of invulnerability, or optimism bias<\/a>, is often a reason behind someone not taking the proper precautions. People are reluctant to believe that something bad might happen to them, so until it does, they are more likely to take unnecessary risks.<\/p>\n
With so many safer alternatives out there, it\u2019s safe to say it\u2019s sensible to ditch FTP before you experience first-hand just how risky it can be.<\/p>\n
FTP is Faster than SFTP<\/h3>\n
If you\u2019re connecting to a server using SFTP after being a loyal user of FTP for many years, you may be slightly disappointed at the drop in speed compared to what you\u2019re used to.<\/p>\n
This is because there is a lot of additional packet and encryption<\/a> taking place during an SFTP transfer that isn’t present when using FTP.<\/p>\n
There are a few things that are worth sacrificing for speed, however, security probably isn\u2019t one of them.<\/p>\n
Some Regulations Prohibit the Use of FTP<\/h2>\n
Yes, you read that right.<\/p>\n
As it\u2019s widely known that FTP isn\u2019t a secure method of transferring files, many countries have outlawed it.<\/p>\n
There are various regulations that govern how data can and can’t be transferred, including the Health Insurance Portability and Accountability Act (HIPAA), which prevents healthcare organizations and their business partners from transferring files using FTP. It states that transfers should only be made using SFTP, and there may even be other components that need to be satisfied in order to ensure compliance.<\/p>\n
When it comes to any form of card transaction, the Payment Card Industry Data Security Standard (PCI-DSS) stipulates that card details should only be sent via FTP when absolutely necessary and demands that the sender document the full details of the transfer including port and firewall settings<\/a> and reasons behind using this method.<\/p>\n
The General Data Protection Regulation (GDPR) defines personal data as any data that relates to \u201can identified or identifiable natural person (\u2018data subject\u2019)”.<\/a> This means it includes data on an individual such as \u201c a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.\u201d<\/p>\n
There are so many pieces of information that can fall into this category that it\u2019s definitely better to play it safe rather than sorry. Even if you don\u2019t think the data you are sending is particularly valuable, you should check to make sure it doesn\u2019t fall under GDPR or other similar regulations before you opt for FTP.<\/p>\n
Better still, you could switch to another method for good.<\/p>\n
The bottom line is that if you are sending data that is confidential, sensitive, or contains any information that would be dangerous if it were to fall into the wrong hands, then FTP won\u2019t suffice.<\/p>\n
Alternatives to FTP<\/h2>\n
I can sit here all day and rave about the importance of binning FTP once and for all and switching to something more secure, but if it\u2019s going to be a lot of extra hassle or require additional tools or cost, I know a lot of people won\u2019t be convinced.<\/p>\n
The good news is that other methods of file transfer look exactly the same at the user\u2019s end.<\/p>\n
You can literally use the same client and follow the same steps – you just have to tell the client which method you are using.<\/p>\n
![\"Screenshot](\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/05\/ftp-or-sftp.png\")
In FileZilla, you can easily switch from FTP to SFTP by heading to Edit>Settings.<\/figcaption><\/figure>\n ![\"Screenshot](\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/05\/ftp-over-tls-filezilla.png\")
If you choose FTP as your transfer method, it will automatically set the encryption to \u2018FTP over TLS\u2019 if it’s available.<\/figcaption><\/figure>\n As you can see from the screenshot, there is an option to use plain FTP, however, it warns you that it\u2019s insecure.<\/p>\n
Only the port number should differ – at the user\u2019s end the interface will look the same no matter which method you use, so there\u2019s literally no reason to select the insecure FTP option.<\/p>\n
FTP v FTPS<\/h2>\n
FTPS (File Transfer Protocol Secure) is your simple FTP with the added security of either TLS (Transport Socket Layer) or SSL (Secure Socket Layer).<\/a><\/p>\n
This extra layer of security ensures that the connection is authenticated with certificates so that the client and server can form a trusted and secure connection.<\/p>\n
This provides a good level of protection as long as the required certificates are present.<\/p>\n
Of course, it\u2019s always advisable that you have a certificate on your site to reassure visitors of its legitimacy and secure the connection, but if this isn\u2019t possible, if, for example, you are uploading files to a new site you are currently working on, SFTP may be the better option.<\/p>\n
SFTP All The Way<\/h2>\n
So we\u2019ve mentioned SFTP a fair few times, but let\u2019s take a quick look at exactly what it means.<\/p>\n
Secure File Transfer Protocol (SFTP) also has a layer of protection that FTP does not benefit from, and that comes in the form of a Secure Shell (SSH) connection.<\/a><\/p>\n
When you use an SSH connection, your files are encrypted and can only be deciphered with the key, which the recipient\u2019s SFTP client will hold.<\/p>\n
This means that although the recipient server may not have been authenticated with a certificate like with FTPS, your files are \u2018bulletproof\u2019 on their journey as they are completely encrypted and protected.<\/p>\n
If you\u2019ve read this far and still think that FTP has any form of value in today\u2019s online climate, then I admire your commitment.<\/p>\n
- FTP is Faster than SFTP<\/a><\/li>\n<\/ul>\n<\/li>\n