Re: FTP

--On Thursday, July 4, 2024 17:18 -0400 John Levine <johnl@xxxxxxxxx>
wrote:

> It appears that John C Klensin  <john-ietf@xxxxxxx> said:
>> It is relatively easy to set up and run at least a minimal FTP
>> server.  If the content of files being shared is sensitive, having
>> those files encrypted before being made available to the server is
>> perceived by those who have taken the FTP path as safer than having
>> them encrypted only in transit.   By contrast, there is a widely
>> held perception that setting up and operating web services has
>> become difficult and complex enough that more organizations are
>> better off contracting those out. ...
> 
> Perception among who? It's no harder to set up a little web server
> on a VPS than a little FTP server. I've done both and I'm sure I'm
> not the only one here who has.
> 
> I suppose that since nobody cares about FTP any more, you're not
> going to get the complaints about an unencrypted FTP server that
> you do about a non-SSL web server, but even there, getting and
> installing a cert with certbot takes only a minute or two.
> 
> On the third hand, most VPS setups come with ssh already set up,
> so you get scp for free.

This is by means of explanation, not trying to argue for or against a
position.  The people I've heard from want, for reasons I at least
hinted at, nothing to do with VPS setups.  They are running their own
servers on their own premises.  That may make them hopelessly
backward, but that is how it is. Since they are sending or receiving
encrypted files, either their servers are set up to default to TYPE I
or it is built into the scripts.  

I also thought the comment and the fact that those users and uses
existed might be of interest given the discussion Dave and Keith were
having.  Because they are happy with what they are doing and believe
--correctly or not-- that FTP provides them advantages over using the
web, they are unlikely to be persuaded by IETF telling them that the
web is better.  Were the IETF to deprecate FTP entirely, the only
effect on them would be to lower their opinion of the IETF and its
credibility.  And, if their operating systems somehow stopped
supporting FTP, even partially at IETF's behest, they would either
decide to not upgrade (making the Internet worse if those upgrades
supported other important features) or would change to something that
did... and their opinion of the IETF would go down even further.

As I also indicated, they don't see a need for encryption on their
FTP servers because (1) they are encrypting the files themselves and
consider that to be safer and less dependent on others than encrypted
connections and (2) after whatever analysis they have run and
tradeoffs they have considered, they and those who might connect to
them don't care whether someone compromises an ISP sufficiently to
expose who is making connections and what files are being
transferred.   Even if someone manages to capture a user ID and
password, they don't care because, again, the files themselves are
strongly encrypted.  Their biggest concern in that regard is the
possibility of DoS attacks but most VPS setups don't offer a lot of
protection against those either.

If this is going to turn into a discussion of why the web is better
or why they are making bad choices, I want to drop out of it right
now as a likely waste of time.  As I say, they aren't interested and
I'm probably not either.

    john



