[Sysadmins] FTP considered harmful

Colm MacCárthaigh colm at allcosts.net
Tue Jul 14 10:13:41 IST 2009

There seem to be a bunch of FTP-account exploiting worms doing the
rounds, abusing FTP accounts to upload material to websites. Problems
of this nature are very hard to protect against, and the mechanism
would work against other protocols. It's not the fault of FTP that the
user credentials are being compromised.

But it still seems incredible that, in 2009, any service
providers would still be using FTP - a protocol riddled with security
and network problems. Are we, as a profession, simply incapable of
managing productive change where end users are concerned? (Yes, FTP can
be secured, via Kerberos, or SFTP or FTPS, but there are still many
many problems.) What gives?

I simply don't buy the excuse that customers and clients won't allow
for it. DAV over HTTPS, and SCP are both very credible alternatives -
with browser and other client support. At my previous employer, we
migrated to using DAV, and it took very little documentation to get
all of our customers used to it - I'm pretty sure our support queue
went down. Are you using FTP? What kind of arguments do you come
up against when proposing change?


