If you are using FTP, you should really stop!

February 28th, 2013

FTP, the “File Transfer Protocol” has been around almost since the inception of the Internet.  As anyone with a web site knows, it permits files to be easily uploaded to and downloaded from servers.  It is built into every kind of web site authoring software and even into most web browsers.

Unfortunately, FTP suffers from the same design flaw that pervades the basic usage of email services like POP, IMAP, and SMTP.  If used in its default form, all data sent between your computer and the server is sent unencrypted, in “plain text”.  This includes your username, your password, and all file data.

Essentially, if you are in a wifi hotspot, anyone there can likely get your username and password and read your files.  Similar things can happen even over your direct or office network connections.  Connecting via FTP is like walking down the hall with your username and password taped to your forehead.  Anyone (or any hidden camera) can see it and use it.

So, what can you do?

You can use “Secure FTP” (SFTP).  This is FTP over a “Secure Shell” (SSH) connection, and it provides encryption for your files, your username, and your password.  It solves the inherent security issues of regular FTP (just as the use of SSL and TLS resolves the security issues inherent in regular POP, IMAP, SMTP, and WebMail).

Most modern web design programs now support SFTP in addition to FTP (e.g. Dreamweaver); many web browsers support browsing SFTP sites via add-ons (e.g. the FireFTP add-on for Mozilla Firefox); and there are many free SFTP programs for direct file uploading and downloading (e.g. FileZilla).

You should abandon FTP in favor of SFTP for your own safety.
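To make the “taped to your forehead” point concrete, here is an added example (not code from the original post or from LuxSci) that plays the role of a passive observer on the network path. It walks a constructed packet capture containing an FTP login and download on port 21 followed by an SSH/SFTP session on port 22, and reports what such an observer can actually read. The host name, user name, password, file name, SSH banner and ciphertext bytes are all constructed for illustration; the point is that the FTP side yields the credentials and file name verbatim, while the SSH side yields only the version banner.

```python
# Added example (not from the original post): what a passive observer on the
# network path recovers from an FTP control connection versus an SSH/SFTP one.
# Host, user, password, file name, banner and ciphertext bytes are constructed.
import re
import string
from dataclasses import dataclass


@dataclass
class Packet:
    dst_port: int   # 21 = FTP control channel, 22 = SSH (SFTP runs inside it)
    payload: bytes  # the TCP payload exactly as it appears on the wire


# Constructed capture: an FTP login and download, then the opening of an SSH
# session. Only the first SSH packet (the version banner) is cleartext; the
# records after the key exchange are ciphertext (arbitrary bytes stand in here).
SAMPLE_CAPTURE = [
    Packet(21, b"220 ftp.example.com FTP server ready\r\n"),
    Packet(21, b"USER alice\r\n"),
    Packet(21, b"331 Password required for alice\r\n"),
    Packet(21, b"PASS correct-horse-battery\r\n"),
    Packet(21, b"230 User alice logged in\r\n"),
    Packet(21, b"RETR patient-list.csv\r\n"),
    Packet(22, b"SSH-2.0-OpenSSH_9.3\r\n"),
    Packet(22, bytes([0x00, 0x00, 0x01, 0x8c, 0x9f, 0xe3, 0x41, 0x07, 0xb2, 0x5a, 0xcc, 0x13])),
    Packet(22, bytes([0x7d, 0x02, 0xa9, 0xf0, 0x66, 0x1e, 0x84, 0xd3, 0x3b, 0xc8, 0x95, 0x20])),
]

# FTP client commands that carry something sensitive: credentials or file names.
FTP_COMMAND = re.compile(rb"^(USER|PASS|RETR|STOR)[ \t]+(.+?)\r\n$", re.IGNORECASE)


def ftp_exposure(packets):
    """Return the (command, argument) pairs an observer can read off the FTP
    control channel. The password is reported only by its length so that the
    audit report does not become a second copy of the secret."""
    findings = []
    for pkt in packets:
        if pkt.dst_port != 21:
            continue
        m = FTP_COMMAND.match(pkt.payload)
        if not m:
            continue  # server replies and other commands are not of interest here
        command = m.group(1).upper().decode("ascii")
        argument = m.group(2).decode("utf-8", errors="replace")
        if command == "PASS":
            findings.append(("PASS", f"<{len(argument)} characters, readable on the wire>"))
        else:
            findings.append((command, argument))
    return findings


def readable_fraction(payload):
    """Fraction of bytes that are printable ASCII: 1.0 for FTP commands,
    well below that for encrypted SSH records."""
    if not payload:
        return 0.0
    printable = set(string.printable.encode("ascii"))
    return sum(b in printable for b in payload) / len(payload)


def ssh_exposure(packets):
    """Everything the same observer gets from the SSH side: the version banner,
    plus a count of records that are opaque (not readable text)."""
    banner = None
    opaque = 0
    for pkt in packets:
        if pkt.dst_port != 22:
            continue
        if banner is None and pkt.payload.startswith(b"SSH-"):
            banner = pkt.payload.strip().decode("ascii")
        elif readable_fraction(pkt.payload) < 0.9:
            opaque += 1
    return {"banner": banner, "opaque_packets": opaque}


if __name__ == "__main__":
    for command, argument in ftp_exposure(SAMPLE_CAPTURE):
        print(f"FTP  {command:<4} {argument}")
    print("SSH ", ssh_exposure(SAMPLE_CAPTURE))
```

Run as a script it lists the FTP user name, the fact that a 21-character password went by in the clear, and the name of the file retrieved, while for the SSH session it can only report the banner and two unreadable records. The same `ftp_exposure` logic, pointed at real traffic on port 21, is a reasonable way to find out whether anything on your own network is still logging in over plain FTP.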

HIPAA demands that all possible ePHI be transmitted securely across the Internet and also demands that authentication credentials be protected.  This automatically makes FTP a “no go” for customers who require HIPAA compliance; they must use SFTP.  At LuxSci, all HIPAA accounts are restricted from using regular FTP (as well as any other unencrypted network service that accesses possible ePHI or that requires your username or password).