FTP: Better Than HTTP, Or Obsolete?

An anonymous reader asks "Looking to serve files for downloading (typically 1MB-6MB), I'm confused about whether I should provide an FTP server instead of / as well as HTTP. According to a rapid Google search, the experts say 1) HTTP is slower and less reliable than FTP and 2) HTTP is amateur and will make you look a wimp. But a) FTP is full of security holes. and b) FTP is a crumbling legacy protocol and will make you look a dinosaur. Surely some contradiction... Should I make the effort to implement FTP or take desperate steps to avoid it?"

Transparent

[mao+che+minh]

It's almost transparent - most people (99.9%) don't know the difference between http and ftp. The .1% that "gets it" don't care what you're using as long as the pr0n gets from point A to point B (point B being my computer, which I lovingly call "My Pr0ndex").

And I wouldn't care about the opinion of someone who would actually judge you over what friggin protocol you use to provide downloads. Such an utter nerd is somethig that I can not relate too. Maybe after I use Linux for a few more years, who knows.

Make your life simpler: use HTTP

[kazrak]

I question why people think FTP is 'faster' or 'more lightweight' than HTTP. HTTP is a fairly lightweight protocol, and what overhead it does have is massively outweighed by the size of the files when you get into the multi-megabyte range. Add in that everything can be done in one transaction via HTTP (compared to logging in, changing to the right directory, activating passive mode if needed, starting the transfer, opening up a second TCP connection for the data transfer, etc. for FTP) and I really don't see a performance advantage to FTP.

Security-wise, HTTP is a big win over FTP if only because it makes your port-filtering easier - "allow to 80" is simpler and less likely to cause unintended holes than all the things you need to do to support FTP active and passive connections. Certain FTP server software has a reputation as having more security holes than IIS, but there are FTP servers out there that are as secure as Apache.

Re:Forget them both....

[nuxx]

There's no reason to use sftp for publically available files. This is for the exact same reason that you wouldn't use https. There's no need for encyption of something that is freely, publically available. Checksums, yes, encryption, no.

I personally would say go with http for the files, as it'll be much easier for people behind http proxies to download, it'll get cached more often by transparant proxies, and most browsers support browsing http directories FAR better than FTP directories.

Re:Different, not better or wose

[neuroticia]

Unfortunately HTTP is still a more secure protocol because HTTP clients can easily implement SSL encryption for passwords and sensitive data transfer. When you're dealing with a client who insists on using an outdated, but "easy" FTP client, it's not easy to tell them they have to change, and it's even less easy to tell them what they have to change to.

FTP is notoriously difficult to secure while retaining ease of use for the clueless end-user.

-Sara

Re:Forget them both....

[neuroticia]

You're also slightly less likely to be threatened with root exploits when using HTTP instead of FTP. Especially if you're already maintaining an HTTP server on the particular machine in use--because you already HAVE that security hole open. Rather than opening another hole, you're using one that's already there.

-Sara

Re:Different, not better or wose

[LoneRanger]

What are you using Lynx to connect to the ftp server? That's the reason it's slow. Try a real client like NcFTP and when you do, make sure to take note of the sheer power.

mget blah[1,2,3].iso....

Get the drift? HTTP indexes are rather stupid if you ask me, it's FTP without the features. And before you whine "But I don't need the features", neither do I most of the time, but it's nice when they're there.

HOW ABOUT UPLOADING???

[craig1972]

It seems everyone talks about DOWNLOADING. How about UPLOADING? How fast and wonderful is HTTP for that?