When the Internet was in its infancy and computer networks were already in place, there was a need to transfer files from one computer to another. In 1971, data links were not as reliable (and not as fast) as they are now, so a tool was needed to help people exchange documents with each other over a distance. The main requirements were ease of use and reliability in sending and receiving. The FTP protocol was such a tool.
Working principle
FTP stands for File Transfer Protocol. It differs from other protocols in that if an error occurs during the transfer, the process stops and a message is displayed to the user. If there were no errors, it means that the user received the exact file he wanted, intact and without missing elements. Via the FTP protocol you can download anything: movies, music, documents, programs, drivers, and pictures. Nowadays, many hardware manufacturers put device drivers on FTP servers so that everyone can download them. In the corporate environment, FTP is used to organize the local storage of internal documents and files for work. For example, video lectures or archive scans of documents can be stored there. FTP also allows you to upload your files to a server for anyone to download.
Programmers sometimes use these servers for file exchange and code backups, though many prefer Git. We will talk about it separately.
Client and Server
FTP requires two things: an FTP server and an FTP client. What the server does:
- provides login and password access to the desired files;
- shows the user only those files and folders that he is allowed to view or upload files to;
- monitors the quality of the transfer and makes sure there are no errors;
- manages the connection settings in passive mode.
Since FTP came to us from the days of UNIX systems, any connection requires a login and password. If the user doesn’t have one, the server won’t let him through. But to make the files available to everybody, an anonymous mode is used: the login is the word anonymous, and the password is any e-mail address. Modern browsers can access anonymous FTP servers and substitute your e-mail. From the outside, it looks as if there is no login and password, but there is.
When the FTP server starts up, it is told: “Dear server, here is the list of files and folders to show on the server. If a user with this login and password knocks, show him everything, and if he has this login, give him only this folder. Do not let anonymous users in.” Another mandatory parameter is the server address and port on which the files will be transmitted.
To connect to the server, you need a special program, called an FTP client. There are many clients for each operating system, such as FileZilla or CuteFTP. Those who work on Linux-like systems often use the command line.
This scheme is often used in shared hosting when you need to access the content of the site or change the configuration files.
What’s the point in general
It would seem that nothing prevents transferring files the usual way, through websites over HTTP. There are plenty of sites and forums that host files, and they can be safely downloaded. The difference is this:
- You don’t need a website for FTP, that is, a web interface. You don’t need to run a web server, configure file list output templates, and bring up a separate program that will give us those files (like WordPress). FTP is like access to a remote folder: you see the files immediately and can download them without intermediaries. But on the web, you need some program that “draws” the file system for you and puts links to the files.
- FTP already implements authorization and access rights. On the web you have to build them yourself: you can set up WordPress and bolt on plugins with an access system. Or you need to set up Apache, generate access keys, and put configuration files in folders – it’s much less elegant than setting up FTP.
- With FTP, you can allow or disallow individual users to upload files to the FTP server. On the web, uploading files from the user to the server is an order of magnitude more difficult.
Vulnerability and reliability
The FTP protocol itself is reliable and is guaranteed to deliver the files the user wants if the connection is OK. The problem is that the protocol was unsecured from the beginning: it assumes that the data transfer channel is always secure. That’s why FTP transmits everything in the clear: files, passwords, usernames, and any data. Now, the default assumption is that every channel is insecure, and that data needs to be encrypted additionally. FTP does not support this. If someone intercepts your Wi-Fi traffic or connects to your local network, he can capture all this data and get his own copy of it, in parallel with you.
There’s also the issue of login security: by default, the FTP protocol has no protection against password guessing and repeated login attempts, so someone can simply brute-force the available passwords to gain access to the folders. If you’ve seen in hacker movies how they go through passwords when logging in, this is a very likely situation for FTP. From the point of view of modern security, the right solution is to use one of the encrypted FTP implementations (FTPS, SFTP) or use FTP over a VPN.
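As an added example (not part of the original article), the Python code below audits a server-side log of FTP control-channel lines for the two weaknesses just described: passwords accepted without a prior `AUTH TLS` upgrade (the FTPS case), and repeated `530` login failures from one address. The log layout, the addresses, the user names and the `max_failures` threshold are constructed assumptions for illustration.

```python
from collections import Counter

# Constructed server-side control-channel log: (session, client IP, side, line).
# "C" = client command, "S" = server reply; passwords are shown redacted.
LOG = [
    (1, "192.0.2.10", "C", "USER alice"),
    (1, "192.0.2.10", "S", "331 Password required"),
    (1, "192.0.2.10", "C", "PASS ********"),
    (1, "192.0.2.10", "S", "230 Login successful"),
    (2, "192.0.2.20", "C", "AUTH TLS"),
    (2, "192.0.2.20", "S", "234 Proceed with negotiation"),
    (2, "192.0.2.20", "C", "USER bob"),
    (2, "192.0.2.20", "S", "331 Password required"),
    (2, "192.0.2.20", "C", "PASS ********"),
    (2, "192.0.2.20", "S", "230 Login successful"),
]
# Constructed: one address failing four logins in four separate sessions.
for n in range(3, 7):
    LOG += [(n, "203.0.113.5", "C", "USER admin"),
            (n, "203.0.113.5", "S", "331 Password required"),
            (n, "203.0.113.5", "C", "PASS ********"),
            (n, "203.0.113.5", "S", "530 Login incorrect")]

def audit(log, max_failures=3):
    """Return (sessions that sent PASS without TLS, IPs exceeding max_failures)."""
    awaiting_tls = set()   # sessions that asked for AUTH TLS
    tls_sessions = set()   # sessions where the server accepted it (reply 234)
    cleartext = set()      # sessions whose password crossed the wire unencrypted
    failures = Counter()   # count of 530 replies per client address
    for session, ip, side, line in log:
        verb = line.split(" ", 1)[0].upper()
        if side == "C":
            if verb == "AUTH":
                awaiting_tls.add(session)
            elif verb == "PASS" and session not in tls_sessions:
                cleartext.add(session)
        elif verb == "234" and session in awaiting_tls:
            tls_sessions.add(session)
        elif verb == "530":
            failures[ip] += 1
    guessing = sorted(ip for ip, n in failures.items() if n > max_failures)
    return cleartext, guessing

if __name__ == "__main__":
    print(audit(LOG))
```

Sessions reported in the first set are candidates for moving to FTPS or SFTP; addresses in the second list are candidates for rate limiting or lockout on the server.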