just say no to ftp
FTP is bad. It is pain. Nobody should use it.
Why, you ask? OK then.
FTP is a clear text protocol. It passes authentication over the wire unencrypted. This means anyone who can sniff packets along the path can see usernames and passwords. I tend to not like that very much.
FTP is a 'hassle' to get working well through firewalls. It requires that you open many ports. This ties into 'Active' vs 'Passive' ftp. Here is a good definition of Active vs Passive. Active FTP is more friendly to servers, as you allow in port 21, and allow out port 20. Active FTP is a hassle for clients though. If they are behind a firewall, they could get the data connection on any ephemeral port. Passive FTP is the opposite. It is friendly for clients, but a pain for servers. Pick your poison. Often you will run into situations where a client is trying Passive FTP, but you might only be allowing Active FTP type traffic to your server. Messy messy.
Now, there are work-arounds for some of the above. For the second issue, there are smart ftp proxies, and connection helpers (like netfilter's conntrack) that alleviate some of this. For the first issue, there is Secure FTP, which encrypts the traffic. Secure FTP causes problems for many of the smart ftp proxies that solve the second problem.
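To make the firewall problem concrete, here is an added example (not from the original post, and not netfilter's actual code) of what a connection helper has to do: read the cleartext control channel and work out which data connection to expect from the `PORT` command or the `227` reply to `PASV`. The sample lines and addresses are constructed; the last case shows why an encrypted control channel leaves such a helper with nothing to parse.

```python
import re

# Six comma-separated decimal octets h1,h2,h3,h4,p1,p2 as defined in RFC 959.
_HOSTPORT = re.compile(
    r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)")


def data_endpoint(line):
    """Return (mode, ip, port) if a control-channel line negotiates a data
    connection, else None. 'active' = client sent PORT, 'passive' = server
    answered PASV with a 227 reply."""
    text = line.strip()
    if text.upper().startswith("PORT "):
        mode = "active"
    elif text.startswith("227 "):
        mode = "passive"
    else:
        return None
    m = _HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None  # malformed octet: do not open anything
    ip = ".".join(str(n) for n in nums[:4])
    return mode, ip, nums[4] * 256 + nums[5]  # port = p1*256 + p2


def expected_flows(control_lines):
    """Simplified helper logic: list the (direction, ip, port) data flows
    a firewall would have to permit for this control session."""
    flows = []
    for line in control_lines:
        ep = data_endpoint(line)
        if ep:
            mode, ip, port = ep
            direction = "server->client" if mode == "active" else "client->server"
            flows.append((direction, ip, port))
    return flows


# Constructed control-channel samples (documentation address ranges).
ACTIVE = ["USER demo", "PORT 192,0,2,10,195,80", "LIST"]
PASSIVE = ["PASV", "227 Entering Passive Mode (198,51,100,5,234,96)", "LIST"]
# Constructed stand-in for what a middlebox sees once the channel is encrypted.
ENCRYPTED = ["\x17\x03\x03\x00\x2a opaque record bytes"]

if __name__ == "__main__":
    for name, lines in (("active", ACTIVE), ("passive", PASSIVE), ("encrypted", ENCRYPTED)):
        print(name, expected_flows(lines))
```

In both cleartext cases the port is chosen per session, which is why a static firewall rule cannot cover it; in the encrypted case the helper finds no flow to open.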
FTP is a pain. Nobody should need to use such a broken protocol.
So, why use FTP at all? Let me try to outline some of the reasons I see people using it.
- Easy to set up. There are many FTP servers that are reasonably simple to set up. Many of them are horribly insecure, but that is beside the point.
- FTP is pervasive. There are tons of free FTP servers out there. If you use an OS, most likely you have a server and a client available to you in some form.
- Permissions. People often set up FTP servers for read only, for write only, they base it on groups, time of day, or color of the dirt outside their house. You get the idea. This is not inherent in the protocol, and should be considered a feature of the FTP servers built atop the protocol. Still, I will list it here because it often factors into the decision to use FTP.
Given the above requirements, what else could be used? I often think of WebDav when I think of FTP replacements. WebDav offers a lot.
- (Pervasive) WebDav is relatively pervasive. Most OSes have a WebDav client. Many browsers support it, for reading definitely, but some support writing to WebDav as well. There are command line WebDav clients too. I have used cadaver and it works great.
- (Easy to set up) WebDav is a bit more difficult to set up, but I wouldn't say it is leaps and bounds more difficult. This largely depends on the server being used, as some servers are easier to set up than others.
- (Permissions) The permissions are determined by the server. Most WebDav servers have a reasonable permission set. The one thing I notice missing from most servers is the concept of a 'ratio' for upload vs download data count.
WebDav also solves a few problems that FTP has. WebDav is built atop HTTP, and can easily be wrapped in SSL (HTTPS). To the end user, the difference is only a URI with an 's' in it.
WebDav, due to the fact that it sits atop HTTP, has very good support through firewalls. Many web proxies have support for WebDav as well.