Not to be confused with FTTP (Fibre To The Premises), FTP stands for File Transfer Protocol. It is a classic protocol, first published as RFC 114 in 1971. Ever since the personal computer has been a thing, it’s been helpful, or even necessary, to be able to transfer files. In the modern world, we have multi-gigabyte USB thumb drives and multi-terabyte external hard drives, and cloud storage provides a range of storage capacities and feature sets for most use cases.
Before USB was standardized and some of the biggest cloud storage companies had even been founded, things were a bit different. In 1971 the floppy disk had just been invented, an invention that would quickly enable data transfer between devices. FTP allowed transfer over the network, though the internet wasn’t a thing yet.
FTP was so early that it didn’t even use TCP, as that hadn’t been standardized yet, either. Instead, it used NCP or the Network Control Protocol, the precursor to TCP/IP. This led to a particularly distinctive feature of FTP that has never been changed: the dual port system.
NCP was a simple protocol, so for bidirectional communication it was essential to have two connections on two different ports, one to send and one to receive. Despite eventually being moved to use TCP/IP, which doesn’t have this requirement and can operate perfectly well with a single duplex port, the FTP standard was never updated and retains its pair of port numbers.
Use of FTP
The two port numbers that FTP uses are 20 and 21. Port 21 is used for controlling and issuing commands, while port 20 is used to transmit the data. One of the core things that need to be arranged in a connection before transferring files is the use of active or passive mode. In active mode, the client requests a file. Then the server opens a data connection to the client. Both firewalls and NAT present a considerable problem because the incoming transmission from the FTP server is on a different port and so can’t be linked to the correct device easily.
To get around this issue, the passive mode can be used. In passive mode, when the user requests a file from the server, instead of directly attempting to connect to the client on a different port, the FTP server informs the client of the port to which it should connect and lets the client initiate the connection. This effectively solves the connection issue of active mode and offers no downside beyond a slight delay in the start of file transfers.
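The address hand-off behind active and passive mode, as an added example that is not part of the original article: it parses the PORT command and the 227 reply to PASV (both defined in RFC 959, not described above) and reports which side dials the data connection. The sample lines, the function names and the `blocked_by_nat` heuristic are assumptions made for illustration.

```python
import ipaddress
import re

# PORT commands and 227 (PASV) replies both carry h1,h2,h3,h4,p1,p2
_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
_RFC1918 = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_endpoint(line):
    """Return (ip, port) advertised in a PORT command or a 227 reply."""
    match = _TUPLE.search(line)
    if match is None:
        raise ValueError("no address tuple in %r" % line)
    nums = [int(n) for n in match.groups()]
    if max(nums) > 255:
        raise ValueError("field above 255 in %r" % line)
    ip = ".".join(str(n) for n in nums[:4])
    return ip, nums[4] * 256 + nums[5]  # the port is sent as two bytes


def data_connection(line):
    """Describe who opens the data connection and to which endpoint."""
    verb = line.split()[0].upper()
    if verb == "PORT":      # client -> server: "connect back to me here"
        mode, dialer = "active", "server"
    elif verb == "227":     # server -> client: "connect to me here"
        mode, dialer = "passive", "client"
    else:
        raise ValueError("not a PORT command or 227 reply: %r" % line)
    ip, port = parse_endpoint(line)
    private = any(ipaddress.ip_address(ip) in net for net in _RFC1918)
    return {"mode": mode, "dialer": dialer, "target": (ip, port),
            # Assumption: the server sits on the internet, so it cannot
            # dial a private (RFC 1918) address the client advertised.
            "blocked_by_nat": mode == "active" and private}


# Constructed sample lines (not captured traffic)
ACTIVE = "PORT 192,168,1,23,195,80"
PASSIVE = "227 Entering Passive Mode (203,0,113,10,234,96)"

if __name__ == "__main__":
    for sample in (ACTIVE, PASSIVE):
        print(data_connection(sample))
```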
Technically, the server and the client must agree on how the data will be sent. However, only one mode is used: image mode, also commonly referred to as binary mode. In image mode, each file is sent byte by byte. The alternative modes include translating the entire file into 8-bit ASCII, which is only suitable for text files.
Authentication and Security
Because FTP is a particularly early protocol standard, you might not be surprised to hear that it isn’t particularly secure. FTP does offer username and password authentication. However, it doesn’t encrypt any communications, meaning that anyone in a MitM or Man in the Middle position can “listen” to the traffic “on the wire” and just read the username and password used to sign in.
FTP also offers an anonymous login feature, useful for open FTP servers, such as those used to provide software updates. In an anonymous login, the username anonymous is used. The server will then ask for an email address as a password, but any value is accepted. The lack of encryption also means that files are transmitted insecurely, so FTP isn’t ideal for use with sensitive documents.
Over time a range of extensions and alternatives have been proposed to add security to FTP. FTPS is the primary option. It extends FTP with an option to encrypt the authentication and file transfer process with TLS and is interoperable with standard FTP clients. SFTP, specifically SSH File Transfer Protocol, essentially offers the same functionality as FTP but over SSH, a secure communication protocol, which makes it incompatible with standard FTP clients and servers.
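A defensive check for the exposure described above, as an added example that is not part of the original article: it audits FTP server command logs and flags passwords sent before TLS was negotiated, anonymous logins, and file transfers on an unprotected data channel. The `C>`/`S>` log format, the session contents and the function name are constructed for illustration; `AUTH TLS`, `PBSZ` and `PROT P` are the FTPS commands from RFC 4217, which the article does not spell out.

```python
# Constructed server-side command logs: "C>" is the client, "S>" the server.
SESSIONS = {
    "plain": ["S> 220 ready", "C> USER alice", "S> 331 need password",
              "C> PASS hunter2", "S> 230 ok", "C> RETR payroll.csv"],
    "anon": ["S> 220 ready", "C> USER anonymous", "S> 331 send email",
             "C> PASS guest@example.com", "S> 230 ok", "C> RETR update.bin"],
    "ftps": ["S> 220 ready", "C> AUTH TLS", "S> 234 proceed",
             "C> USER alice", "S> 331 need password", "C> PASS hunter2",
             "S> 230 ok", "C> PBSZ 0", "S> 200 ok", "C> PROT P", "S> 200 ok",
             "C> RETR payroll.csv"],
}


def audit_session(lines):
    """Return (finding, detail) pairs; password values are never recorded."""
    tls = prot_p = False   # control channel / data channel protected?
    pending = None         # last client command still awaiting its reply
    user = None
    findings = []
    for line in lines:
        side, _, text = line.partition("> ")
        word, _, arg = text.strip().partition(" ")
        if side == "C":
            verb = word.upper()
            pending = verb if verb != "PROT" else "PROT " + arg.upper()
            if verb == "AUTH" and arg.upper() != "TLS":
                pending = None
            if verb == "USER":
                user = arg
                if arg.lower() == "anonymous":
                    findings.append(("anonymous-login", arg))
            elif verb == "PASS" and not tls:
                findings.append(("cleartext-password", user))
            elif verb in ("RETR", "STOR") and not prot_p:
                findings.append(("cleartext-transfer", arg))
        elif side == "S" and pending:
            # TLS only counts once the server has accepted the request
            if pending == "AUTH" and word == "234":
                tls = True
            elif pending == "PROT P" and tls and word.startswith("2"):
                prot_p = True
            pending = None
    return findings


if __name__ == "__main__":
    for name, log in SESSIONS.items():
        print(name, audit_session(log))
```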
It is possible to route connections over existing SSH tunnels. However, in practice, this often leads to the control connection being over the SSH tunnel and the separate data connection being insecure. VPNs offer some protection against a hacker on the same network as you but leave the VPN provider in a position to perform the same attack.
FTP stands for File Transfer Protocol. It’s an early client-server protocol for uploading and downloading files to and from an FTP server. FTP offers no security by default. While a username and password can be used, they are transmitted in plaintext, leaving them vulnerable to network sniffing. More recent extensions to FTP add the option to connect over TLS for security.
Browsers used to include an FTP client so that you could browse FTP servers directly without needing a separate client. In 2021, however, Chrome and Firefox dropped support for FTP, limiting support to discrete FTP clients. In the modern world, cloud storage solutions – and to a lesser extent, fast and spacious USB storage – have essentially replaced the use case for FTP by offering improved convenience, security, and speed.