What is FTP, and why is it considered a security relic in 2026?
FTP (File Transfer Protocol, RFC 959, 1985) transfers files between hosts. It's insecure because credentials and data travel in plaintext — modern systems use SFTP, FTPS, or HTTPS instead.
The basic flow:
ftp ftp.example.com
> Username: anonymous
> Password: anything@somewhere.com
> ls
> get file.txt
> quit
Why FTP is dangerous:
| Issue | Consequence |
|---|---|
| Plaintext credentials | Anyone sniffing the network sees username/password |
| Plaintext data | File contents visible to eavesdroppers |
| Two ports | Complicates firewalling — port 21 (control) + port 20 (active data) |
| NAT issues | Active mode breaks behind NAT — IPs in protocol payload don't match |
| No integrity | Attacker can modify files in transit |
Anonymous FTP:
A historical convention: anonymous user with any email as password. Used for public file repositories (e.g., Linux mirrors, software distributions). Still common but increasingly replaced by HTTPS download links.
Common FTP response codes:
| Code | Meaning |
|---|---|
| 200 | Command OK |
| 220 | Service ready (banner) |
| 331 | Username OK, password needed |
| 230 | Login successful |
| 425 | Can't open data connection |
| 530 | Login incorrect |
Modern replacements:
| Replacement | What it adds |
|---|---|
| SFTP | SSH-based, single port (22), encrypted, fully replaces FTP |
| FTPS | FTP + TLS — adds encryption, still uses two ports |
| HTTPS download | Simpler, browser-friendly, encrypted |
| rsync over SSH | Efficient incremental sync |
Why FTP is still worth understanding:
Pedagogically clear — the protocol is plain text, you can literally read commands and responses in Wireshark. Excellent for understanding how application protocols are structured.
Tip: If you encounter a real FTP server in 2026, treat it as a legacy critical issue. Either upgrade to SFTP/FTPS or wrap it in a VPN. Never use plain FTP across the internet.