Security's Everyman

Friday, June 29, 2007

FTP is Secure?

I'm a really nice guy and usually don't point out what is HOPEFULLY just an oversight on someone else's part, but this is just TOO ridiculous and WRONG to let go.

This article on ComputerWorld.com starts off in a very wrong way. To quote:

"For years, file transfer protocol has been the standard for file transfer security. While FTP still offers the gold standard in security over the Internet,"

Since when did FTP become the gold standard in security? Since when did FTP offer any form of security?

I really, really, really hope that the writer meant SSH or SFTP instead of FTP. I really hope that he wasn't quoting from a press release that was sent to him by the company who has finally solved all of our file transfer woes. I really hope that he retracts this statement and corrects this error.

7 comments:

Rebecca Herold said...

Wow...this is very disappointing. But unfortunately over the years I've met far too many IT folks with no information security backgrounds or experience who have similar opinions. This points out the need to target some training and awareness to the IT area so these dangerous misunderstandings (to put it nicely) are not perpetuated.

It also makes the jobs of information assurance folks harder when such articles are published. I can just hear a manager saying now, "See, I told you FTP was secure; they said so in Computerworld!"

Rebecca

Rebecca said...

Wow...this is very disappointing. But unfortunately over the years I've met far too many IT folks with no information security backgrounds or experience who have similar opinions. This points out the need to target some training and awareness to the IT area so these dangerous misunderstandings (to put it nicely) are not perpetuated.

It also makes the jobs of information assurance folks harder when such articles are published. I can just hear a manager saying now, "See, I told you FTP was secure; they said so in Computerworld!"

Rebecca

LonerVamp said...

The post seems to have continued evidence of some fundamental mistake or misconception about FTP. I tend to chalk things like this up to the whole "I say I'm in IT and know computers, but really I'm just a writer who has used a computer or video game machine at home for xx years...I frequently don't know what I'm regurgitating in my articles..."

Allen Baranov, CISSP said...

You mean that little issue about your username and password floating through untrusted networks in the clear?

Or the fact that copying files usually requires that a connection be made into your network from outside?

Unfortunately, FTP may not be the gold standard but it is the de facto standard. And it is better than sending huge attachments through the mail system or on usb thingums.

But SCP is better still. ;)
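
[Added example, not part of the original post or of any comment: a small audit of the client commands a network sensor can read on an FTP control channel (TCP 21), flagging the two issues raised in the comment above. The session data, finding names and function names are constructed for illustration.]

```python
# Added example: audits client commands observed on an FTP control channel (TCP 21).
# All session data below is constructed for illustration.

ANONYMOUS = {"anonymous", "ftp"}  # anonymous logins carry no secret password

def parse_port(arg):
    """Decode a PORT argument 'h1,h2,h3,h4,p1,p2' into (ip, port), or None."""
    parts = [p.strip() for p in arg.split(",")]
    if len(parts) != 6 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        return None
    nums = [int(p) for p in parts]
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def audit(commands):
    """Return findings for one session; anything readable here crossed the wire unencrypted."""
    findings, user = [], None
    for line in commands:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            user = arg
        elif verb == "PASS" and user is not None and user.lower() not in ANONYMOUS:
            # Record the affected account only; never store the observed password.
            findings.append(("cleartext-credentials", user))
        elif verb == "PORT":
            endpoint = parse_port(arg)
            if endpoint:
                # Active mode: the server will open a connection in to this client address.
                findings.append(("active-mode-inbound", "%s:%d" % endpoint))
    return findings

# Constructed sessions (client-to-server lines only).
NAMED_LOGIN = ["USER alice", "PASS example-password", "PORT 192,0,2,10,195,80", "RETR report.csv"]
ANON_LOGIN = ["USER anonymous", "PASS guest@example.org", "PASV", "RETR README"]
FTPS_LOGIN = ["AUTH TLS"]  # after a successful AUTH TLS nothing further is readable

if __name__ == "__main__":
    for name, session in [("named", NAMED_LOGIN), ("anonymous", ANON_LOGIN), ("ftps", FTPS_LOGIN)]:
        print(name, audit(session))
```
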

Christian said...

I can't help but think that the phrasing is also a little confusing. By "file transfer security", is he meant to be implying that FTP is the standard method for transferring files securely - or just transferring files?

Null point I guess.

Byron Rashed, SSH Communications Security, Inc. said...

I'm hoping that Computerworld meant SFTP instead of FTP. While the FTP protocol is widely used for file transfer, it is far from secure. SFTP is the standard in SECURE file transfer.

Many companies are moving from FTP to SFTP for regulatory compliance, securing mission-critical data and to avoid reputation damage like what happened with TJ Maxx.

SFTP is actually becoming a standard way of file transfers in organizations including the mainframe, not just from host to host or end users.

Kees said...

Well-- when FTP is used to transfer files that contain information that is not confidential and when integrity of data is not an issue, anonymous FTP meets all the requirements and /could/ (conceivably) be considered secure enough :)

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.