File Transfer Protocol

FTP is built on a client–server model architecture using separate control and data connections between the client and the server.

[1] FTP users may authenticate themselves with a plain-text sign-in protocol, normally in the form of a username and password, but can connect anonymously if the server is configured to allow it.

In 2021, FTP support was dropped by Google Chrome and Firefox,[4][5] two major web browser vendors, due to it being superseded by the more secure SFTP and FTPS; although neither of them have implemented the newer protocols.

[6][7] The original specification for the File Transfer Protocol was written by Abhay Bhushan and published as RFC 114 on 16 April 1971.

[12] The server responds over the control connection with three-digit status codes in ASCII with an optional text message.

Another approach is for the NAT to alter the values of the PORT command, using an application-level gateway for this purpose.

Some servers (and clients) support nonstandard syntax of the MDTM command with two arguments, that works the same way as MFMT[21] FTP login uses normal username and password scheme for granting access.

Although users are commonly asked to send their email address instead of a password,[3] no verification is actually performed on the supplied data.

[25] Both the native file managers for KDE on Linux (Dolphin and Konqueror) support FTP as well as SFTP.

[28] For a long time, most common web browsers were able to retrieve files hosted on FTP servers, although not all of them had support for protocol extensions such as FTPS.

More details on specifying a username and password may be found in the browsers' documentation (e.g., Firefox[34] and Internet Explorer[35]).

By default, most web browsers use passive (PASV) mode, which more easily traverses end-user firewalls.

Some variation has existed in how different browsers treat path resolution in cases where there is a non-root home directory for a user.

[40] In May 1999, the authors of RFC 2577 listed a vulnerability to the following problems: FTP does not encrypt its traffic; all transmissions are in clear text, and usernames, passwords, commands and data can be read by anyone able to perform packet capture (sniffing) on the network.

[2][40] This problem is common to many of the Internet Protocol specifications (such as SMTP, Telnet, POP and IMAP) that were designed prior to the creation of encryption mechanisms such as TLS or SSL.

[40] Because FTP uses multiple TCP connections (unusual for a TCP/IP protocol that is still in use), it is particularly difficult to tunnel over SSH.

Implicit FTPS is an outdated standard for FTP that required the use of a SSL or TLS connection.

Unlike FTP, it encrypts both commands and data, preventing passwords and sensitive information from being transmitted openly over the network.

One of its primary uses is in the early stages of booting from a local area network, because TFTP is very simple to implement.

Illustration of starting a passive connection using port 21
A model chart of how FTP works
A computer at Amundsen–Scott South Pole Station logging into an FTP server and transferring a file, in 1994
FileZilla client running on Windows, one of the best known FTP client software
Primitive FTPd on Android, actively running an FTP and SFTP server