The dirty little secret in information security is that anyone, or any company, using FTP to transfer files is probably violating every security compliance requirement under the sun, and most companies are guilty of it. Both authentication and payload transmission in the FTP protocol are completely unencrypted: user names, passwords and file contents all cross the wire in the clear. If those credentials are shared with other access controls in the organization, then a lot more than the FTP server is at stake, and a sniffed FTP password can lead to a much larger security compromise.
While HTTPS (HTTP over SSL/TLS) has solved the problem for data distribution (users downloading), it doesn’t solve the data collection problem (users uploading). FTP is primarily used to let users upload files to the server, and if any form of access control is implemented on the FTP server, the user has to authenticate in clear text. If this is done over an insecure connection such as a wireless hotspot, or if an attacker uses other means to snoop on a wired connection, then the user credentials and the data are completely exposed, and because sniffing is passive neither the user nor the server sees anything unusual.
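To make the exposure concrete, here is an added example (my own code, not from the original post) of what a passive sniffer recovers from a captured FTP control connection. The byte strings are constructed samples standing in for the two reassembled TCP directions, not real captures: a plain FTP login, the same login over explicit FTPS (where everything after the server's 234 reply to AUTH TLS is ciphertext), and a client that asked for TLS, was refused, and fell back to clear text, which is why the server should require SSL rather than merely allow it.

```python
import re

# Constructed sample: both directions of a plain-FTP control connection after
# TCP reassembly (client->server commands, server->client replies).
PLAIN_CLIENT = (
    b"USER alice\r\n"
    b"PASS hunter2\r\n"
    b"PWD\r\n"
    b"STOR report.xlsx\r\n"
    b"QUIT\r\n"
)
PLAIN_SERVER = (
    b"220 Microsoft FTP Service\r\n"
    b"331 Password required for alice.\r\n"
    b"230 User logged in.\r\n"
    b"257 \"/\" is current directory.\r\n"
    b"150 Opening BINARY mode data connection.\r\n"
    b"226 Transfer complete.\r\n"
    b"221 Goodbye.\r\n"
)

# Constructed sample: the same login over explicit FTPS. After the server's
# 234 reply to AUTH TLS, both directions carry TLS records; these bytes are a
# stand-in for that ciphertext (0x16 0x03 0x01 is a TLS handshake record
# header), not a real handshake.
TLS_CIPHERTEXT = bytes([0x16, 0x03, 0x01, 0x00, 0x4a, 0x01, 0x00, 0x00, 0x46,
                        0x03, 0x01, 0x9f, 0x3c, 0xe2, 0x5b, 0xa8, 0x07, 0x11])
TLS_CLIENT = b"AUTH TLS\r\n" + TLS_CIPHERTEXT
TLS_SERVER = (
    b"220 Microsoft FTP Service\r\n"
    b"234 AUTH command ok. Expecting TLS Negotiation.\r\n"
) + TLS_CIPHERTEXT

# Constructed sample: a client that offers TLS, gets refused, and logs in in
# the clear anyway (the downgrade case).
DOWNGRADE_CLIENT = b"AUTH TLS\r\nUSER alice\r\nPASS hunter2\r\nQUIT\r\n"
DOWNGRADE_SERVER = (
    b"220 Microsoft FTP Service\r\n"
    b"502 Command not implemented.\r\n"
    b"331 Password required for alice.\r\n"
    b"230 User logged in.\r\n"
    b"221 Goodbye.\r\n"
)


def extract_credentials(client_stream: bytes, server_stream: bytes) -> dict:
    """Walk the client's command stream and pull out USER/PASS.

    Returns {"user", "password", "tls"}. If the client sent AUTH TLS and the
    server accepted it (a 234 reply), everything that follows is TLS
    ciphertext, so parsing stops there and the credentials stay unreadable.
    """
    result = {"user": None, "password": None, "tls": False}
    # A 234 reply anywhere in the server stream means TLS was negotiated.
    tls_accepted = re.search(rb"^234[ -]", server_stream, re.M) is not None
    offset = 0
    while True:
        end = client_stream.find(b"\r\n", offset)
        if end == -1:
            break  # no more complete command lines
        line = client_stream[offset:end]
        offset = end + 2
        try:
            text = line.decode("ascii")
        except UnicodeDecodeError:
            break  # non-ASCII bytes: we have run into binary data
        verb, _, arg = text.partition(" ")
        verb = verb.upper()
        if verb == "AUTH" and arg.strip().upper() in ("TLS", "SSL") and tls_accepted:
            result["tls"] = True
            break  # the rest of the stream is ciphertext
        if verb == "USER":
            result["user"] = arg.strip()
        elif verb == "PASS":
            result["password"] = arg.strip()
    return result


if __name__ == "__main__":
    print("plain FTP :", extract_credentials(PLAIN_CLIENT, PLAIN_SERVER))
    print("FTPS      :", extract_credentials(TLS_CLIENT, TLS_SERVER))
    print("downgrade :", extract_credentials(DOWNGRADE_CLIENT, DOWNGRADE_SERVER))
```

The downgrade sample is the case to watch: a client that treats TLS as optional gives the attacker the password just as readily as a client that never asked, so both ends have to insist on it.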
While a secure version of FTP called “FTPS” (FTP over SSL or TLS) has existed for years, it’s simply not commonly used because there is no bundled FTPS client in Windows or Internet Explorer, which means most people are only ever exposed to plain FTP. (FTPS wraps the FTP control and data channels in SSL/TLS; it is a different protocol from SFTP, which runs file transfer over SSH, and the two are not interoperable.) On the server side, FTPS has been available in various commercial packages, but it didn’t come out of the box with Windows until now. Microsoft has published a free FTP server add-on for Windows Server 2008 that supports FTP over SSL/TLS, and I’ve included the links below.
- Microsoft FTP Publishing Service for IIS 7.0 (x86 32-bit edition)
- Microsoft FTP Publishing Service for IIS 7.0 (x64 64-bit edition for AMD & Intel)
On the client end, there are no reputable free FTPS clients that I am aware of. The closest thing to a free and good FTPS client is Smart FTP, but it’s only free for personal, educational, or non-profit use. Kevin in the comment section recommended FileZilla, which appears to be an open source client.
To deploy FTPS on the server side, you’re going to need a digital certificate that’s trusted by the client and issued for the host name the clients will connect to. I would recommend reading an article I wrote in 2007, “How to implement SSL or TLS secure communications”. The easiest way to get one is to buy it from a publicly trusted Certificate Authority, and the cheapest one I’m aware of is GoDaddy.com SSL at $30/year per certificate.
Important note: There’s no need to get a $300 certificate from a name brand SSL company because THERE IS NO DIFFERENCE. Even if you insist on buying a $300 certificate from one of those name brand security companies, any compromise at GoDaddy.com will still affect you and everyone else in the world, because every browser and FTPS client trusts every CA in its root store equally. If you buy a certificate at GoDaddy.com and there is a compromise at VeriSign (this has happened before), then that also compromises everyone. This is the trust model in commercial PKI and there’s nothing you can do about it. What you can do is refuse to overpay hundreds of dollars on a “name brand” digital certificate and make sure you implement best practice. I know so many “security experts” in corporations who refuse to buy anything but name brand certificates. Then, because they don’t have the budget to buy all the brand name certificates they need, they use home grown certificates or expired certificates and ask their users to bypass the warning, which conditions users for easy exploitation later on. The lesson here is that security shouldn’t be about brand names and ego.
When you’re buying a certificate, you can use the same certificate for multiple servers and services as long as they are reached under the same host name. So if I buy a certificate with a common name of www.ForMortals.com, I can use it for HTTPS or FTPS: https://www.ForMortals.com and ftps://www.ForMortals.com are both valid because the certificate is bound to the host name, not to the protocol or port. If I load balance across 10 servers, I can copy the same certificate and private key to all 10 servers and it is still perfectly valid (though a private key on ten machines is also ten places it can be stolen from, so protect it accordingly). But if I wanted to host an FTPS site as ftp.ForMortals.com, a certificate issued only for www.ForMortals.com would not cover it: the client checks the host name it connected to against the names in the certificate, so ftp.ForMortals.com needs its own certificate, or a single certificate that lists both names as subject alternative names, or a wildcard certificate for *.ForMortals.com.
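Here is an added example (my own code, not from the original post) of the host-name check a client performs against a certificate, which is what decides whether one certificate can serve www and ftp. The certificates are constructed samples in the dict layout that Python’s ssl.SSLSocket.getpeercert() returns, so the same function can be pointed at a real peer certificate; the matching rules follow RFC 6125 (DNS subject alternative names take precedence over the common name, wildcards only as the whole leftmost label).

```python
def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one certificate name against a host name.

    Case-insensitive; a wildcard is honoured only as the entire leftmost label
    and never matches a dot, so *.example.com covers www.example.com but not
    example.com or a.b.example.com.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def cert_names(cert: dict) -> list:
    """Host names the certificate asserts.

    Uses every DNS subject alternative name when the extension is present;
    only falls back to the subject common name when there are no SANs.
    """
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def cert_matches(cert: dict, hostname: str) -> bool:
    """True if the client may accept this certificate for this host name.

    Note what is absent: the protocol and port play no part, which is why one
    certificate serves https://www.... and ftps://www.... alike.
    """
    return any(_name_matches(name, hostname) for name in cert_names(cert))


# Constructed sample: a single-name certificate, common name only.
CN_ONLY = {"subject": ((("commonName", "www.ForMortals.com"),),)}

# Constructed sample: one certificate covering both hosts via SANs.
SAN_CERT = {
    "subject": ((("commonName", "www.ForMortals.com"),),),
    "subjectAltName": (("DNS", "www.ForMortals.com"), ("DNS", "ftp.ForMortals.com")),
}

# Constructed sample: a wildcard certificate for the whole domain.
WILDCARD = {"subject": ((("commonName", "*.ForMortals.com"),),)}


if __name__ == "__main__":
    for label, cert in (("CN only", CN_ONLY), ("SAN", SAN_CERT), ("wildcard", WILDCARD)):
        for host in ("www.formortals.com", "ftp.formortals.com", "formortals.com"):
            print(f"{label:8} {host:20} {cert_matches(cert, host)}")
```

The CN-only certificate passes for www.formortals.com whether the client is a browser or an FTPS client, and fails for ftp.formortals.com; the SAN and wildcard certificates pass for both, and the wildcard still refuses the bare domain and any deeper subdomain.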