
Are the risks of using FTP essentially the same as the risks of using HTTP? That is my current understanding, and reading an answer (Risks of using HTTP when I trust the local network) on the topic seems to offer little help.

Let's say I am moving backend code via FTP. Is there really a risk of someone getting the code if there is no one tapped between my computer and my modem? Is the main concern someone at the internet provider company reading it?

VSO
  • More than the code, you should be concerned about the username and password sent in the clear. – techraf Dec 11 '16 at 03:35
  • Besides the security aspect there is also the fact that [FTP is a stupid protocol](http://mywiki.wooledge.org/FtpMustDie) and should not be used in 2016. – André Borie Dec 11 '16 at 04:37

3 Answers

As you correctly noticed, the risk of using plain FTP is essentially the same as using plain HTTP: it provides neither encryption nor tamper resistance. This means passwords are transmitted in the clear and an attacker can sniff the passwords. And the attacker can also modify the traffic, like injecting malware into downloads. This means that plain FTP should not be used for anything where these attacks can be a problem, i.e. for most things where FTP is actually still used today.

Is there really a risk of someone getting the code if there is no one tapped between my computer and my modem?

If you are inside a local network where you control all the software running and all the systems connected and where nobody can tap into the network (i.e. strong WiFi password or no WiFi at all, fully secured router...) then the risk of somebody attacking your insecure FTP connection inside the network is probably low. It still might be your ISP or it might be somebody at or in front of your FTP server. But even the local network might be less secure than you consider it, because we live at a time of insecure routers and where even light bulbs might be a way into your network.

Steffen Ullrich
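To make the "passwords are transmitted in the clear" point concrete from a defender's side, here is an added example (not part of the answer above) that audits reconstructed FTP control-channel transcripts: it flags logins and file transfers that happened before any `AUTH TLS` upgrade, records that a password was exposed without logging its value, and stays silent for a session that switched to TLS first. The transcripts, addresses and file names are constructed for the example.

```python
# Constructed control-channel transcripts, as a passive sensor would reconstruct them
# ("C:" client -> server, "S:" server -> client); flow 1 is plain FTP, flow 2 explicit FTPS.
SAMPLE_SESSIONS = {
    "10.0.0.5:50211->203.0.113.7:21": [
        "S: 220 FTP server ready",
        "C: USER alice",
        "S: 331 Password required",
        "C: PASS hunter2",
        "S: 230 Login successful",
        "C: STOR backend.py",
    ],
    "10.0.0.5:50212->203.0.113.7:21": [
        "S: 220 FTP server ready",
        "C: AUTH TLS",
        "S: 234 Proceed with negotiation",
        # from here on the sensor sees only ciphertext
    ],
}

def audit_session(flow, lines):
    """Return a finding dict if a login or transfer crossed the wire unencrypted."""
    tls_started = False
    finding = {"flow": flow, "user": None, "password_seen": False, "files": []}
    for line in lines:
        side, _, payload = line.partition(": ")
        if side == "S" and payload.startswith("234"):
            tls_started = True          # server accepted AUTH TLS
            continue
        if side != "C" or tls_started:
            continue                    # only cleartext client commands matter
        verb, _, arg = payload.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            finding["user"] = arg
        elif verb == "PASS":
            finding["password_seen"] = True   # record the fact, never the value
        elif verb in ("STOR", "RETR"):
            finding["files"].append(arg)      # file names travel in the clear too
    if finding["user"] is None and not finding["password_seen"]:
        return None
    return finding

def audit_all(sessions):
    """Run the check over every flow; plain FTP logins come back, FTPS ones do not."""
    return [f for f in (audit_session(k, v) for k, v in sessions.items()) if f]

if __name__ == "__main__":
    for f in audit_all(SAMPLE_SESSIONS):
        print(f"{f['flow']}: cleartext login as {f['user']!r}, "
              f"password exposed={f['password_seen']}, files={f['files']}")
```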

The main concern is that neither are encrypted, so HTTP and SFTP are used. The only real secure way to transfer a file, without any middleman involved, is by a clean flash drive, DVD, floppy, etc., just like only an unplugged computer is truly secure.

Have you considered encrypting the code first, then transferring over SFTP? That way, even the ISP will have a tough time seeing the code, but I've never heard of ISPs having interest in such things.

LampShade

Well, it's true that FTP sessions are completely "in the clear"... with the most significant risk being the user name and password being exposed.

So, yes... if anyone was "listening in" during your upload, they would be able to see all of your code. But, it's difficult to assess the risk, not knowing how hostile the environment is.

There are alternatives, there is a "Secure FTP" that essentially uses SSL/TLS (the stuff that makes HTTPS secure)... and another technique that uses SSH.

egray