+1, FTP is insecure (no validation whatsoever that your connection did not get intercepted), needlessly forces the requester to distinguish between the text and binary files before initiating a request, and defaults to pushing a file back by opening a new connection to the requester (which is not useful in a time when NAT is prevalent, nor is it a security measure given the concern is that in-flight connections can also get intercepted and manipulated).
FTP is tolerable if users validate hashes and signatures of hashes of received files, but otherwise isn’t fit for purpose anymore. I’m ok running a readonly server for those who really want to fetch files over FTP (or need to, for various reasons), but they need to secure their downloads themselves at that point. (This is off topic for discussion on whether ftp url schema should be supported, but I’ll also state that I am unwilling to run a readwrite FTP server, as that encourages login attempts where the passphrase is unencrypted in flight.)

> On 22 Oct 2023, at 15:38, Daniel Boyd <[email protected]> wrote:
>
> I’m very much in favor of protesting the unnecessary obsolescence of
> perfectly good technologies, but FTP is a pretty terrible protocol. Securing
> an FTP server properly is a bit of a minefield, particularly if you need to
> accommodate active mode. Of course, many tools and methods exist to do that,
> but it’s kind of silly to think how much collective effort the open source
> community has put into working around the flaws and limitations of FTP :)
>
> Sent from my iPhone
>
>> On Oct 22, 2023, at 09:33, Richard Frith-Macdonald
>> <[email protected]> wrote:
>>
>>>>> On 22 Oct 2023, at 15:16, Riccardo Mottola <[email protected]>
>>>>> wrote:
>>>>>
>>>>> Hi Marco,
>>>>>
>>>>> Marco Cawthorne wrote:
>>>>> I was wondering about the download links on the page. They still use
>>>>> the ftp:// protocol which has regrettably been phased out by every
>>>>> major browser.
>>>
>>> well, ftp support is intentional, since it is traditional. Every major
>>> browser... you mean every chrome-clone, since Chrome dropped support for
>>> it? If Google is too ignorant to distinguish between a hyper-text (transfer
>>> protocol) and a file... I don't know...
>>> But I guess it is evil that spreads like URL part and protocol hiding,
>>> https enforcement for pages that don't need it at all, etc, etc.
>>
>> I think ftp is (like telnet) being dropped in most places because of its
>> lack of security, and in general I'm in favour of the trend to always use
>> encrypted communications.
>>
>> What seems regrettable is that browsers have dropped ftp:// without
>> implementing sftp:// as a replacement, though to be fair, support for large
>> file download over https:// is normally fine nowadays.
>> So I guess there's no compelling need for sftp://
>
