On 11/17/20 10:45 AM, Keith Moore wrote:
On 11/17/20 9:53 AM, Livingood, Jason wrote:
Personal views - no hats.
Time to retire the FTP service, just as other legacy protocols have
been retired in the past. The IETF does not shy away from
recommending that others encrypt everything, so we should take our
own advice. As well, data clearly show there remains essentially no
demand for FTP - users have adopted the HTTPS alternative.
I cannot say this often enough: Traffic volume is not an indicator
of importance.
More detailed rationale:
- Clearly the market has moved on. It does not cross the cost/benefit
threshold to continue maintaining a service for so few connections
(that all appear to be scripted machine-to-machine).
There is not one "market". FTP is a different service than the web,
with distinct advantages over the web. And traffic volume is not an
indicator of importance.
- FTP support has been removed from browser clients. As Mozilla
wrote, "FTP is an insecure protocol and there are no reasons to
prefer it over HTTPS for downloading resources."
I personally find that unfortunate, but support in browser clients is
not an indicator of FTP's utility either. One reason to use FTP is
that browser clients are really poor tools for some kinds of file
transfer, especially if you want to transfer multiple files with
minimum human interaction.
I find wget a great tool as well. I have used it on sites with multiple
documents that do not support other mechanisms. I have scripts running
wget for some of these. I just see rsync as a more efficient use of
resources than a script running wget(s).
- It is not encrypted. The IETF & IAB have been aggressive in pushing
for pervasive encryption [1] so it is illogical that we would not
make such a change on our own information resources. Per the IAB,
"The IAB now believes it is important for protocol designers,
developers, and operators to make encryption the norm for Internet
traffic."
"the norm" != "required". I'd be happy to see a version of FTP that
supports encrypted transmission as an option, as long as it were
optional. (Are those web browsers that are deprecating FTP also
deprecating HTTP without TLS?)
And as Ned pointed out, there are still reasons to use unencrypted
transmission on occasion.
Also, perhaps the IETF and IAB should be a bit less dogmatic, in light
of experience. I keep seeing situations in which deprecation of old
TLS versions is breaking systems for which there is no browser that
supports the new TLS versions. IMO this does significant harm. I
realize some people believe in planned obsolescence, but I don't think
they have a good case.
Keith