FTP/FTPS looks like it's gradually being deprecated. What are Windows + browser clients moving to and what should I provide instead?

1

1

In the past I've used FTP over TLS to let non-technical friends and family remotely access important files on my server.

I've just found that they can't do so using Firefox any more, and the firefox bug/feature states that FTP is heading for being "clearly deprecated" and FTP over TLS is being tagged as WONTFIX (Mozilla link1 link2 but see also link3). I also can't get IE11 in Win8.1 to connect either (most family are on 8.1 not 10).

I do provide SMB on the LAN but not WAN, and I'd like to not start running a full web server locally if avoidable. (Because having far greater unnecessary functionality also means scope for a wider attack surface: best avoided if not needed).

Given that scenario, what is the substitute expectation for users who have been using FTPS (or who have been using FTP and want to add TLS transport) to be doing instead?

I assume a not-especially-technical client user who wants it to "just work"within the default OS or their usual browser, and not download specific FTP/client software just to add that capability. The functionality they need is as simple as "enter URI -> authenticate -> get file system root listing -> browse & search directories and up/download files".

Of course decent FTP clients will support this and will exist for many years, but the point was that an ftp(s):// URI has been usable in browsers for decades but now clearly won't be (or won't reliably be). So what should I do, to give them what they need/expect insead?

Stilez

Posted 2018-11-21T15:26:03.217

Reputation: 1 183

Question was closed 2018-12-03T01:19:00.940

Answers

1

So what should I do, to give them what they need/expect insead?

IMHO the expectations need to change. This is 2018, not 1992.

In the early 90's when Web browsers were a new thing, browsers had to plan to support things other than HTTP because:

  • The Web was barely out of the hands of the academics. So everything online was static text and image documents, and that's what HTML was doing back then. HTTP itself was really a file transfer mechanism.
  • Since HTTP was new, it wasn't a given at that time that HTTP would pretty much be the most common protocol on the web. There were others before HTTP - so you had browsers supporting Gopher, FTP, integrated with email clients, etc.

So back then integrating FTP support in the browser made sense.

Of course, it wasn't long before CGI made HTTP a primitive interactive protocol, then Javascript, XHR/AJAX, Webkit, websockets, Webkit, WebRTC, and all the other things browsers support besides display and formatting of static documents.

So now: HTTP(S) is not a simple file transfer mechanism like FTP any longer but really an application delivery mechanism - and static documents are just one possible application. The perspective of a browser not being in the same category as an FTP client and not supporting protocols other than HTTP(S) is very reasonable these days.

I do provide SMB on the LAN but not WAN, and I'd like to not start running a full web server locally if avoidable. (Because having far greater unnecessary functionality also means scope for a wider attack surface: best avoided if not needed).

Given that scenario, what is the substitute expectation for users who have been using FTPS (or who have been using FTP and want to add TLS transport) to be doing instead?

What non-technical people are doing these days is using cloud services like Dropbox/Google Drive/OneDrive to move files, at the cost of privacy of course.

The functionality they need is as simple as "enter URI -> authenticate -> get file system root listing -> browse & search directories and up/download files".

Microsoft is moving to the cloud model for this, and is pushing OneDrive for this purpose.

There is WebDAV, but you will have to run a webserver, and WebDAV is often difficult to get working properly due to Windows quirks.

Want to do it yourself and not run a webserver? The answer is SCP. Your non-technical users will simply have to learn to use an SCP client. It isn't hard.

SCP has many benefits over FTP, some of which are:

  • It's based on SSH, which has a long history, so it's secure and encrypted by default.
  • Uses one port instead of two and does not need "passive mode" or firewall workarounds. Simply forward the single port on your router and you are good.
  • You can administrate users in the same manner as FTP.

LawrenceC

Posted 2018-11-21T15:26:03.217

Reputation: 63 487

SCP can do file transfers. It does not provide directory listing or other file management features. So it's not really comparable to FTP. You maybe meant SFTP instead, didn't you? – Martin Prikryl – 2018-11-21T20:05:20.890

I really don't want them to need a separate client, too much handholding/"what-is-this" risk - and as a bonus I get to have to maintain it. I could use my freenas server, which has NextCloud built in. Could that do the job of replacing FTPS, if so what are the pros and cons? – Stilez – 2018-11-22T12:51:34.063

Asked: 2018-11-21T15:26:03.217

Viewed: 527 times

Active: 2018-11-21T16:10:07.153