
FTP may fail both migrators, homesteaders

[Chart: Unix history]

Some HP 3000 sites use FTP every day, but others found the stale support for MPE's FTP one more reason to migrate. Recent news indicates that the File Transfer Protocol, secured or unsecured, has had freshness problems of its own, regardless of your hosting environment.

One of the world's biggest hosting organizations, Google, is ending support for FTP and SFTP this spring. If you're unaware of Google's FTP support, it's no wonder. The only way this venerable standard enters the Google customer base is through Blogger, the blog creation and hosting tool that's pushing up on its 10th birthday soon. Early bloggers used Blogger, a tool that was simple and quite a value (at free).

Before there was a 3000 NewsWire blog, I tuned up my blogging skills at Blogger. And right up to this day, my writing workshop blog The Write Stuff has been created using the Google tool. I chose to transfer my content files to my own host some years ago (at least four), while FTP didn't have the cracks in its armor that Google points out now. If you're using FTP or SFTP, Google wants you to reconsider. I didn't know it, but FTP is one of the oldest protocols on the Internet, nearly four decades old by now. That's older than the bedrock for HP-UX, whose System III roots were born in the middle 1970s. FTP was almost 15 years old when HP-UX hit the streets, as the chart above shows.

Standards are good, but few can claim the tenure of MPE's design. If a 3000 site would rather not trace their file transfer's roots back four decades, then both the homesteader and migrator will be in the same place: looking at more secure ways than FTP to shift data.

Google and its Blogger Engineering Tech Lead Noah Fiedel do more than point to the age of FTP, however. They compare its functions to the Web page protocol HTTP while explaining why I'll need to migrate to a newer protocol if I want to create in Blogger, then post elsewhere.

Unlike nearly all other Internet protocols, FTP uses two insecure and unencrypted ports simultaneously. This makes securing FTP effectively impossible on both the server and network levels. FTP servers at ISPs are therefore vulnerable to attack, and your password can be 'sniffed' by anyone with access to the traffic to or within your ISP. sFTP, while more secure than FTP, still requires us to store your user credentials — which itself is undesirable from a security perspective.

Compare this to the HTTP protocol, drafted 20 years later in 1991: FTP doesn't have a mechanism to discover whether an FTP server is up, down, slow, or temporarily unavailable. HTTP supports all of these and more, and is now the basis for nearly all activity on the Internet.

Due to FTP's weaknesses, many ISPs restrict access to their FTP servers. They do this by limiting your FTP account to a list of approved Internet addresses.

You can substitute "HP enterprise servers" for "ISPs" in the sentence above. These days, the security requirements for IT operations are a matter for auditors, rather than technology enthusiasts. It's not optional to keep data secure, so the likes of SSLv3 and more are well-established for HP-UX, Windows and Linux.
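An auditor's check for the cleartext-login weakness quoted above, as an added example that is not part of the original article or Google's notice: it reads an FTP server's command log and reports which logins sent a password before the control channel was upgraded with `AUTH TLS` (RFC 4217, reply code 234). The log format, session ids, users and passwords are constructed for illustration.

```python
import re

# Constructed sample of an FTP server's command log (hypothetical format):
# "<session> <C|S> <line>", where C is a client command and S a server reply.
SAMPLE_LOG = """\
s1 C USER alice
s1 C PASS constructed-secret-1
s1 S 230 Logged in
s2 C AUTH TLS
s2 S 234 Proceed with negotiation
s2 C USER bob
s2 C PASS constructed-secret-2
s2 S 230 Logged in
s3 C AUTH TLS
s3 S 502 Command not implemented
s3 C USER carol
s3 C PASS constructed-secret-3
s3 S 230 Logged in
"""

LINE = re.compile(r"^(\S+) ([CS]) (\S+) ?(.*)$")

def audit_sessions(log_text):
    """Map each session that sent PASS to its user and whether TLS was active."""
    state, report = {}, {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        sid, side, verb, arg = m.groups()
        st = state.setdefault(sid, {"pending": False, "tls": False, "user": None})
        if side == "S":
            # Only a 234 reply to AUTH means the control channel is now encrypted.
            if st["pending"]:
                st["tls"], st["pending"] = verb == "234", False
        elif verb.upper() == "AUTH" and arg.upper() in ("TLS", "SSL"):
            st["pending"] = True
        elif verb.upper() == "USER":
            st["user"] = arg
        elif verb.upper() == "PASS":
            # Record the finding only; the password itself is never copied.
            finding = "tls-protected" if st["tls"] else "cleartext-login"
            report[sid] = {"user": st["user"], "finding": finding}
    return report

if __name__ == "__main__":
    for sid, row in audit_sessions(SAMPLE_LOG).items():
        print(sid, row["user"], row["finding"])
```

Session s3 is the case worth noticing: the client asked for TLS, the server refused, and the login went ahead in the clear anyway.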

The HP 3000 has some support for encryption, especially through three vendors (Orbit Software, Minisoft and even Paul Taffel), but this is a feature that wasn't popular with the 3000 user base while the important groundwork was being crafted for today's standards. That might have been because HP had already dropped its exit-the-market 3000 news in the same encryption growth era. But the end result is the same: file transfer security looks better in other environments.

We may not need to remind migrating sites how weak SFTP or FTP look today, since the auditing community is glad to do that after the fact. But planning a stronger path than "supported by HP SFTP" is the prudent way to transition for the future.

I'll be migrating The Write Stuff very soon, working to ensure that the Web address doesn't disappear into the maw of Google's host servers. Few of the Blogger customers use FTP posting by now, about one in a thousand. (Lucky me, to be so special; I'm headed to WordPress instead.) Unless your files are meant for that kind of public consumption -- like a blog article or multimedia -- you'll want to reach for something more secure than a standard launched in 1971. Some IT tools don't age as well as others.