Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 12 Apr 2012 11:00:10 +0100
From:      Matthew Seaman <>
Subject:   Re: FTP oddness, over SSH session.
Message-ID:  <>
In-Reply-To: <>
References:  <> <> <> <> <>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On 12/04/2012 10:28, Frank Bonnet wrote:
> why not ftp over TLS ? like proftpd or pure-ftpd can do ?

Because it is pretty much impossible to firewall securely.  Either you
don't encrypt the control channel or you have to give any firewalls
between you and your destination keys to be able to decrypt the traffic
(in which case you might just as well not bother encrypting it at all)
or you have to open up a whole load of ports to accept incoming traffic
('you' being typically the FTP server admin for PASV mode FTP;
otherwise, you'ld need to do similarly on the client for active mode
FTP.)  FTP is fundamentally broken and simply encasing it in a layer of
encryption only exacerbates the fundamental flaws.

The FTP protocol is an archaic remnant of some mythical golden age of
the internet when you could generally trust anyone else with access to
the net[*].  Given what the past 40 years or so have shown us about the
realities of global networking, it is high time that it was obsoleted
and the world switched to some of the many better alternatives that have
since been developed.

   * HTTP -- obviously works fine for download.  It can support upload
     too: there's a little-used PUT command, or you can use such things
     as WEBDAV.  Easy to run over TLS by using HTTPS.

   * RSYNC -- has an anonymous mode which works fine for generic
     downloads.  For authenticated access defaults to ssh(1) for all

   * SFTP or SCP -- for those who are unwilling or unable to
     contemplate using anything other than an FTP client, SFTP will
     pose as one, while still properly securing all your traffic.  SCP
     is (IMHO) a nicer interface for general day-to-day copying stuff
     between machines though.



[*] Believe it or not, at one time it was generally accepted that mail
servers should be configured as open relays.  This was so that if your
own mailserver was playing up, you could easily borrow a neighbours
server to send messages.  Then spam was invented.

Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP:     Ramsgate
JID:               Kent, CT11 9PW

Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

Version: GnuPG/MacGPG2 v2.0.16 (Darwin)
Comment: Using GnuPG with Mozilla -



Want to link to this message? Use this URL: <>