A Free Educational Resource Created by Carnegie Mellon University to Empower You to Secure Your Part of Cyberspace

File Transfer Protocol (FTP)

A common method for transferring files between two computers on a network

A communications protocol is a set of rules for the exchange of data over a channel of communication. There are many such protocols, and the file transfer protocol (FTP) is one of the most widely used. FTP allows any two computers to transfer files over a network like the Internet or Intranet, as long as both support another protocol called TCP/IP.

The main objectives of FTP as outlined by the standard are:

  • To promote sharing of files (computer programs and/or data)
  • To encourage indirect or implicit use of remote computers.
  • To shield a user from variations in file storage systems among different hosts.
  • To transfer data reliably and efficiently.

To distinguish the roles of the two computers in an FTP transfer, one is called the FTP server and the other is called the FTP client. The FTP client initiates the connection, and the FTP server listens over the network for incoming connection requests. When an FTP client sends a connection request to the FTP server and the server responds back, a connection is successfully established between the two, provided the resources are available.

Once the connection is made, the client can perform various file commands on the server, including uploading/downloading files, creating, deleting, or renaming files. Since the protocol is an open standard, any company or individual can create FTP client/server software. Thus, any computer on a TCP/IP network can connect to any other computer, irrespective of what operating system it is running.

FTP is not a secure protocol. Passwords and files sent by FTP are in “clear text”, meaning that they are not encrypted in any form and can be intercepted and easily read. However, there have been recent protocol enhancements to address this problem. Commonly used solutions used are SFTP  (SSH file transfer protocol) or FTPS (FTP over secure socket layer) which adds encryption. In both cases, the data being sent is now encrypted, but different security protocols are used to achieve the encryption. An attacker trying to obtain private information by observing packets transferred by SFTP or FTPS would be unable to make any sense of the data captured.

References

My home page