Slashdot Mirror

← Back to Stories (view on slashdot.org)

FTP: Better Than HTTP, Or Obsolete?

Posted by timothy on from the don-your-holy-vestments dept.

An anonymous reader asks "Looking to serve files for downloading (typically 1MB-6MB), I'm confused about whether I should provide an FTP server instead of / as well as HTTP. According to a rapid Google search, the experts say 1) HTTP is slower and less reliable than FTP and 2) HTTP is amateur and will make you look a wimp. But a) FTP is full of security holes. and b) FTP is a crumbling legacy protocol and will make you look a dinosaur. Surely some contradiction... Should I make the effort to implement FTP or take desperate steps to avoid it?"

5 of 870 comments (clear)

  1. hmm by nomadic · · Score: 5, Interesting

    I haven't really noticed any reliability issues with http anymore. If it starts loading it usually finishes, and I haven't run into any corruption problems. Maybe if you were serving huge files ftp would be a good idea, but for 1-6 mb it's probably not worth it.

  2. SCP by elliotj · · Score: 5, Interesting

    If you're only offering files to a group of users who you can give passwords to, you could even use SCP. (Secure copy...uses sshd on the server side)

    It all depends on the application. I only use SCP to move files around if I have the choice, just because I like better security if I can have it.

    But if you want to offer files to the public, I'd recommend offering both FTP and HTTP so people can use the most convenient.

  3. Re:Different, not better or wose by Anonymous Coward · · Score: 5, Interesting

    Everyone disables the only unique thing FTP can do (third-party transfers) to prevent a variety of attacks by proxy. It might be worth accomodating decrepit machines that lack HTTP clients, but there are no actual advantages to using FTP.

  4. Re:Different, not better or wose by Anonymous Coward · · Score: 5, Interesting

    They serve different purposes, and each was designed to meet those needs. Each one has its own positives and negatives.

    True, but ftp has far more negatives. The connection model ftp uses, in which the server connects back to the client for data transfers, is a horrible idea. Surely, there must be a benefit to this method (or else why would ftp have become such a standard?), but I've yet to hear it. Passive ftp (PASV) is supposed to compensate for the fact that clients behind NAT can't use ftp, and passive is pretty much supported everywhere now. But passive doesn't solve the problem of many-connections, it just shifts it: With passive ftp, there is still a seperate "data" connection for every file transfer, or transfer of directory contents. It's just that with passive ftp the data connection is initiated by the client to some high-numbered port on the server. This allows clients behind NAT to do ftp, but it makes firewalling the server a pain in the ass, especially if the server is (god forbid) behind nat itself. It's relatively easy to setup a mailserver, or webserver, or ssh server, on a machine behind nat (assuming you can forward ports on the nat gateway). But try doing the same with ftp. Passive connections won't work, unless the ftpd is configured to only use a certain range of high ports for it's data connection, and the firewall forwards that entire range. You'd think with all these connections, the protocol might support multiple connections from one login, ie list another directory while downloading. Well, thats not the case at all, you have to login again if you want simultaneous transactions.

    And then if you want tunneled connections... oh boy, what a pain in the ass:

    I set this all up for someone recently, and it DOES finally work, with tunneled passive ftp connections to a proftpd server behind a nat gateway, but it was a big pain. Due to the way proftpd works (not sure about other daemons...) the passive connections are directed to the interface the client is connected to. So, with an ssh tunneled connection, proftpd sees the client connection TO 127.0.0.1 (because thats where sshd is). So it tells the client, connect back to me for the data connection, my IP is 127.0.0.1. And the client tries to connect to itself, and fails saying "can't open data connection". The solution was to point the tunnel not to 127.0.0.1, but to the external IP, and have the nat gateway forward internal traffic back to itself. So traffic comes in over ssh, over to the firewallwall (where the nat rewriting happens), and then back to the same machine for ftp.

    If people could just use sFTP clients, this wouldn't be an issue _at_all_ (One client connection, one tcp connection! Hey, what a concept!). But due to the integrated ftp clients in programs like bbedit and dreamweaver, I suspect we'll be dealing with that bastard protocol known as ftp for quite a long time....

    Damn, reading back over this, I'm kind of ranting. BUT ITS ALL TRUE!
    Sorry bout that.
    [X] Post Anonymously

  5. Re:Different, not better or wose by alangmead · · Score: 5, Interesting

    In FTP the sender connects to the receiver, but client issuing commands does not have to be either of those two machines. As designed, FTP should be able to allow a client to send data between two arbitrary machines. Its an infrequently used feature, and I'm not sure if it is implemented by all clients, but it is, technically, a feature that HTTP doesn't have.