# Why the F*ck Is Anyone Still Using FTP⁉️
Source: Dev.to
## TL;DR
FTP ships your credentials in plaintext—a protocol so old it predates disappointment itself. FTPS adds TLS, but the zombie still staggers on. Yet people keep using it, feeding it passwords like a cursed family tradition that should’ve died the moment we buried plain HTTP.
## What FTP Still Does
- Plaintext usernames & passwords
- Unencrypted file transfers, shouted across the network
- Control/data channel chaos, perfect for torturing firewalls
- Zero integrity checks
Anyone running Wireshark can harvest your credentials with no hacks or skill—just “open program, click start, witness failure.”
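The flip side of "anyone with Wireshark can see it" is that defenders can see it too. The following added example (not code from the original post) parses a constructed, simplified connection log (tab-separated `ts`, `src_ip`, `dst_ip`, `dst_port`, `service`, loosely modelled on a Zeek `conn.log`) and reports which internal hosts are still talking plaintext FTP and to where. The sample lines, the layout and the classification heuristics are assumptions; the port numbers (21 FTP, 22 SSH, 990 implicit FTPS) are the IANA assignments.

```python
"""Inventory plaintext FTP sessions from a connection log.

Added example, not from the original post. Input is a constructed,
simplified conn-log layout with tab-separated fields:
    ts  src_ip  dst_ip  dst_port  service
"""
from collections import Counter

# Constructed sample log (assumption: these hosts and flows are invented).
SAMPLE_CONN_LOG = """\
1700000000.1\t10.0.0.5\t203.0.113.10\t21\tftp
1700000001.2\t10.0.0.7\t203.0.113.10\t22\tssh
1700000002.3\t10.0.0.5\t203.0.113.11\t21\tftp
1700000003.4\t10.0.0.9\t203.0.113.12\t990\tssl
1700000004.5\t10.0.0.7\t203.0.113.10\t22\tssh
1700000005.6\t10.0.0.5\t198.51.100.4\t21\tftp
"""


def classify(dst_port: int, service: str) -> str:
    """Map a flow to the transport it implies.

    Port 21 with service "ftp" is the plaintext control channel, where USER
    and PASS travel in the clear. Explicit FTPS (AUTH TLS) also starts on
    port 21, so a production rule should key on whether the sensor saw a TLS
    upgrade; here (assumption) implicit FTPS is recognised as "ssl" on 990.
    """
    if dst_port == 21 and service == "ftp":
        return "plain-ftp"
    if dst_port == 990 or service == "ssl":
        return "ftps"
    if dst_port == 22 and service == "ssh":
        return "ssh"
    return "other"


def parse_conn_log(text: str) -> list[dict]:
    """Parse the simplified log into dicts, skipping blanks and comments."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, service = line.split("\t")
        rows.append({"ts": float(ts), "src": src, "dst": dst,
                     "dport": int(port), "service": service,
                     "class": classify(int(port), service)})
    return rows


def plaintext_ftp_report(text: str) -> dict:
    """Return per-class totals and the plaintext-FTP clients with their servers."""
    rows = parse_conn_log(text)
    totals = Counter(r["class"] for r in rows)
    by_src: dict[str, set] = {}
    for r in rows:
        if r["class"] == "plain-ftp":
            by_src.setdefault(r["src"], set()).add(r["dst"])
    return {"totals": dict(totals),
            "plain_ftp_clients": {k: sorted(v) for k, v in by_src.items()}}


if __name__ == "__main__":
    import json
    print(json.dumps(plaintext_ftp_report(SAMPLE_CONN_LOG), indent=2))
```

The report gives a migration worklist (which clients, which servers) rather than a packet capture, which is what you actually need to get FTP switched off; run it over real sensor output once the field mapping is adjusted to your log format.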
## Real‑World Breach Example
During a recent breach investigation, a single FTP login (no brute‑force) allowed a crypto miner to be deployed. The only sign the customer saw was a CPU spike. The attack chain was simple:
- FTP login →
- Miner installed →
- CPU usage spikes →
- Customer notices
Even a strong password is only marginally better when sent in plaintext.
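The chain above is detectable earlier than "customer notices": the FTP server still logs a successful login, and host metrics show the CPU climb minutes later. The following added example (not code from the original post) correlates the two. Both inputs are constructed: an auth log in an assumed `ts host user OK LOGIN` layout and CPU samples as `ts host cpu_percent`; the 30-minute window and 90% threshold are assumptions to tune.

```python
"""Correlate FTP logins with a sustained CPU spike on the same host.

Added example, not from the original post. Log formats, hosts, users and
thresholds below are constructed assumptions for the demo.
"""
from datetime import datetime, timedelta

# Constructed FTP server auth log. Assumed format: "ts host user action".
FTP_AUTH_LOG = """\
2024-03-01T02:10:05 web01 deploy OK LOGIN
2024-03-01T09:00:00 web02 backup OK LOGIN
2024-03-01T09:00:30 web02 backup FAIL LOGIN
"""

# Constructed CPU samples. Assumed format: "ts host cpu_percent".
CPU_SAMPLES = """\
2024-03-01T02:05:00 web01 12
2024-03-01T02:15:00 web01 97
2024-03-01T02:20:00 web01 98
2024-03-01T02:25:00 web01 99
2024-03-01T09:05:00 web02 15
2024-03-01T09:10:00 web02 18
"""


def parse_logins(text: str) -> list[tuple]:
    """Return (timestamp, host, user) for successful logins only."""
    logins = []
    for line in text.splitlines():
        ts, host, user, *rest = line.split()
        if " ".join(rest) == "OK LOGIN":
            logins.append((datetime.fromisoformat(ts), host, user))
    return logins


def parse_cpu(text: str) -> list[tuple]:
    """Return (timestamp, host, cpu_percent) samples."""
    samples = []
    for line in text.splitlines():
        ts, host, cpu = line.split()
        samples.append((datetime.fromisoformat(ts), host, float(cpu)))
    return samples


def logins_followed_by_cpu_spike(auth_text: str, cpu_text: str,
                                 window: timedelta = timedelta(minutes=30),
                                 threshold: float = 90.0,
                                 min_samples: int = 2) -> list[dict]:
    """Flag logins after which the same host reported at least `min_samples`
    CPU readings at or above `threshold` within `window`.

    Requiring several hot samples (rather than one) avoids firing on a
    legitimate post-upload build or compression step that finishes quickly.
    """
    cpu = parse_cpu(cpu_text)
    hits = []
    for ts, host, user in parse_logins(auth_text):
        hot = [s for s in cpu
               if s[1] == host and ts <= s[0] <= ts + window and s[2] >= threshold]
        if len(hot) >= min_samples:
            hits.append({"host": host, "user": user,
                         "login": ts.isoformat(), "hot_samples": len(hot)})
    return hits


if __name__ == "__main__":
    for hit in logins_followed_by_cpu_spike(FTP_AUTH_LOG, CPU_SAMPLES):
        print(f"{hit['host']}: FTP login by {hit['user']} at {hit['login']} "
              f"followed by {hit['hot_samples']} CPU samples >= 90%")
```

Note that the login itself looks entirely normal in the server log (correct user, correct password, no brute force), which is exactly the point: once credentials have crossed the wire in the clear, the only anomaly left to catch is what happens after the login.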
## Why FTP Refuses to Die
- Legacy scripts older than many careers
- Shared‑hosting defaults stuck in a mid‑2000s mindset
- “We’re behind a firewall.” Nothing bad ever happens internally, right?
- Tool defaults that prioritize consistency over security
## Safer Alternatives
| Protocol | Key Benefits |
|---|---|
| FTPS | Adds TLS encryption; still a band‑aid if you can’t use SSH |
| SFTP | Encrypted, modern, and widely supported (runs over SSH) |
| SCP | Fast, simple, and uses SSH encryption |
| rsync over SSH | Efficient syncing with built‑in integrity checks |
| Git + CI/CD | Ideal for deployments; encourages proper version control |
Both SFTP and SCP share port 22, modern cryptography, and dramatically fewer reasons for your SOC team to drink.
## Recommendations
- Never use plain FTP for production or sensitive data.
- If SFTP is blocked by policy, enable FTPS as a temporary band‑aid, but plan migration to SSH‑based solutions.
- Review hosting defaults: many shared‑hosting panels (e.g., Plesk, cPanel) require manual opt‑in for FTPS or SFTP. Document and enforce secure defaults.
- Replace legacy scripts with tools that support SFTP, SCP, or rsync.
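You cannot replace the legacy scripts you have not found. The following added example (not code from the original post) scans script bodies for constructs that imply plaintext FTP (`ftp://` URLs, the `ftp` client, Python's `ftplib.FTP`) versus FTPS (`ftps://`, `ftplib.FTP_TLS`) or SSH-based transfers (`sftp`, `scp`, `rsync` over ssh), and produces a migration list. The sample scripts, paths and regex heuristics are constructed assumptions; real code bases will need extra patterns for their own tooling.

```python
"""Find legacy scripts that still use plaintext FTP.

Added example, not from the original post. Scans text (shell, cron, Python)
with heuristic patterns and classifies each script by the transports it
uses. Sample scripts and hostnames below are constructed.
"""
import re

# Heuristic rules (assumption): each pattern is tagged with the transport it
# implies. A line may match several rules.
RULES = [
    ("plain-ftp", re.compile(r"\bftp://")),                  # ftp:// URL
    ("plain-ftp", re.compile(r"(^|[\s;|&(])ftp\s")),         # the `ftp` client
    ("plain-ftp", re.compile(r"\bftplib\.FTP\(")),           # Python, no TLS
    ("ftps",      re.compile(r"\bftps://")),
    ("ftps",      re.compile(r"\bftplib\.FTP_TLS\(")),
    ("ssh",       re.compile(r"\b(sftp|scp)\b")),
    ("ssh",       re.compile(r"\brsync\b.*\s-e\s+ssh\b")),   # explicit ssh shell
    ("ssh",       re.compile(r"\brsync\b.*\s[\w.-]+@[\w.-]+:(?!:)")),  # user@host:path
]

# Constructed sample scripts (placeholders, not real credentials or hosts).
SAMPLE_SCRIPTS = {
    "cron/nightly-backup.sh": """\
#!/bin/sh
# legacy backup job
ftp -n backup.example.com <<EOF
user backup CHANGEME
put /var/backups/db.tgz
quit
EOF
""",
    "deploy/push.py": """\
import ftplib
conn = ftplib.FTP("www.example.com")
conn.login("deploy", "CHANGEME")
""",
    "deploy/push-new.sh": """\
#!/bin/sh
rsync -az -e ssh ./build/ deploy@www.example.com:/srv/www/
""",
    "mirror/fetch.sh": """\
#!/bin/sh
curl -O ftps://mirror.example.com/pub/latest.tar.gz
sftp -b batch.txt mirror@mirror.example.com
""",
}


def classify_line(line: str) -> set[str]:
    """Return the set of transport tags a single line implies (comments skipped)."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return set()
    return {tag for tag, rx in RULES if rx.search(line)}


def audit(scripts: dict[str, str]) -> dict[str, dict]:
    """Map each script path to its transports and the plaintext-FTP lines."""
    report = {}
    for path, body in scripts.items():
        transports, flagged = set(), []
        for lineno, line in enumerate(body.splitlines(), 1):
            tags = classify_line(line)
            transports |= tags
            if "plain-ftp" in tags:
                flagged.append((lineno, line.strip()))
        report[path] = {"transports": sorted(transports), "plain_ftp_lines": flagged}
    return report


def migration_list(scripts: dict[str, str]) -> list[str]:
    """Scripts that must be rewritten before plain FTP can be switched off."""
    return sorted(p for p, r in audit(scripts).items() if "plain-ftp" in r["transports"])


if __name__ == "__main__":
    for path, result in audit(SAMPLE_SCRIPTS).items():
        print(path, result["transports"])
        for lineno, text in result["plain_ftp_lines"]:
            print(f"  line {lineno}: {text}")
    print("to migrate:", migration_list(SAMPLE_SCRIPTS))
```

Point it at the output of a recursive file walk over cron directories, CI configuration and deployment repos; the embedded `CHANGEME` credentials in the samples are also a reminder that legacy FTP jobs tend to carry hard-coded passwords that must be rotated when the script is retired.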
Using plain FTP today isn’t “retro,” “minimal,” or “simple.” It’s an invitation to security incidents with performance‑art enthusiasm.
If your business still uses FTP as the default transfer method, your platform isn’t outdated—it’s an operational archaeological dig that somehow charges customers.