Re: Call for Community Feedback: Retiring IETF FTP Service

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 11/17/20 9:53 AM, Livingood, Jason wrote:

Personal views - no hats.

Time to retire the FTP service, just as other legacy protocols have been retired in the past. The IETF does not shy away from recommending that others encrypt everything, so we should take our own advice. As well, data clearly show there remains essentially no demand for FTP - users have adopted the HTTPS alternative.
I cannot say this often enough:   Traffic volume is not an indicator of importance.

More detailed rationale:
- Clearly the market has moved on. It does not cross the cost/benefit threshold to continue maintaining a service for so few connections (that all appear to be scripted machine-to-machine).
There is not one "market".   FTP is a different service than the web, with distinct advantages over the web.   And traffic volume is not an indicator of importance.
- FTP support has been removed from browser clients. As Mozilla wrote, "FTP is an insecure protocol and there are no reasons to prefer it over HTTPS for downloading resources."
I personally find that unfortunate, but support in browser clients is not an indicator of FTP's utility either.   One reason to use FTP is that browser clients are really poor tools for some kinds of file transfer, especially if you want to transfer multiple files with minimum human interaction.
- It is not encrypted. The IETF & IAB have been aggressive in pushing for pervasive encryption [1] so it is illogical that we would not make such a change on our own information resources. Per the IAB, "The IAB now believes it is important for protocol designers, developers, and operators to make encryption the norm for Internet traffic."

"the norm" != "required".   I'd be happy to see a version of FTP that supports encrypted transmission as an option, as long as it were optional.   (Are those web browsers that are deprecating FTP also deprecating HTTP without TLS?)

And as Ned pointed out, there are still reasons to use unencrypted transmission on occasion.

Also, perhaps the IETF and IAB should be a bit less dogmatic, in light of experience.  I keep seeing situations in which deprecation of old TLS versions is breaking systems for which there is no browser that supports the new TLS versions.  IMO this does significant harm.   I realize some people believe in planned obsolescence, but I don't think they have a good case.

Keith





[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Mhonarc]     [Fedora Users]

  Powered by Linux