It's the only standard for file transfer we have, and it can be secure. Why does it have to die? (NOTE: WebDav has even more issues but that's the only other standard.)
> It's the only standard for file transfer we have
No, it's not.
> Why does it have to die?
Because it's problematic in a whole lot of ways, and FTPS doesn't help much for most of them. [1] identifies a lot of them (in the context of implementing a MacFUSE filesystem, but the issues apply to most applications.)
> (NOTE: WebDav has even more issues but that's the only other standard.)
You keep using that word "only"; I do not think it means what you think it means.
WebDAV certainly has issues, though it's probably less bad, on balance, than FTP/FTPS, but the more commonly used alternative for FTP/FTPS isn't WebDAV but SFTP (the SSH File Transfer Protocol, not the Simple File Transfer Protocol.)
WebDAV is terrible. Run, don't walk, away from it. Nobody at Apache has any responsibility for it, the mod_dav author is totally MIA ... it's just a mess. Further, every single DAV implementation[1] is both broken and completely unique.
[1] Like DAV in Finder, or DAV in MS Word or in MS explorer, or in IE ... they are all completely different ... and also all of them are horribly broken.
I was mostly saying WebDAV was less bad than FTP because many of its problems are (as you note) problems with the existing implementation, rather than inherent in the protocol design (though those problems do manifest a problem with the protocol design -- it tries to do too much for what most uses need and does so in a baroque manner.)
I think all this makes it clear that it is a software issue and not a protocol issue.
That is my point here. People hate FTP (or SFTP/FTP-SSL/WebDav) because the software is implemented poorly. (NOTE: I know SFTP and FTP-SSL are different protocols.)
FTP/FTPS has serious, protocol-level issues (including things that are underspecified enough that it's poor as a protocol to build apps on top of, and things that are just bad decisions.)
WebDAV arguably has fewer essential protocol level issues (aside from being overly large and baroque) -- that is, it has fewer problems that are necessarily included in a correct implementation -- but lots of implementation issues (which, arguably, stem largely from the spec being overly large and baroque.)
OTOH, even to the extent that the problems (e.g., with WebDAV) are issues with the existing software and not the protocol, the main benefit of building a specialized app to a standard protocol is interoperability with other tools using the protocol -- if the existing implementations are incomplete and buggy in mutually incompatible ways, that negates the benefit of writing to the standard.
The only reason FTP is insecure is because system admins still allow unencrypted FTP connections.
POP3 and HTTP are also insecure; it's up to the system admin to block insecure connections.
With most FTP server software I know (such as ServU or FileZilla Server) once you force SSL connections, the server will disconnect users on the USER command (before sending the password) if they are connected insecurely. So only if your system administrator wants to allow insecure connections, will you be allowed to transmit the password insecurely.
Why do people still connect using the old insecure FTP standard? It's the software.
I personally think FileZilla should connect using SSL Explicit by default. IQBox defaults to SSL, and prompts the user for a fallback.
So again I think it's a software issue, not a protocol issue.
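The behaviour described in the comment above (a server that requires explicit TLS refusing USER before any password is sent), as an added example that is not part of the original thread and is not ServU's or FileZilla Server's code: a toy Python model of the FTP control channel. The class and function names, the reply texts and the sample credentials are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class ControlSession:
    """Toy FTP control channel; reply codes/texts are illustrative, not a real server's."""
    require_tls: bool = True
    tls_active: bool = False
    closed: bool = False
    user: str = ""
    cleartext: list = field(default_factory=list)  # lines a passive sniffer could read

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if not self.tls_active:
            self.cleartext.append(line)  # arrived before TLS: already exposed on the wire
        if verb == "AUTH" and arg.upper() in ("TLS", "SSL"):
            self.tls_active = True  # a real server runs the TLS handshake after this reply
            return "234 Proceed with negotiation"
        if verb in ("USER", "PASS") and self.require_tls and not self.tls_active:
            self.closed = True  # policy: refuse and drop before a password is requested
            return "530 TLS required, closing control connection"
        if verb == "USER":
            self.user = arg
            return "331 Password required"
        if verb == "PASS":
            return "230 Logged in" if self.user else "503 Login with USER first"
        return "502 Command not implemented"

def replay(commands, require_tls):
    """Send commands one at a time, as a client waiting for each reply would."""
    session = ControlSession(require_tls=require_tls)
    replies = []
    for cmd in commands:
        if session.closed:  # server hung up; the client never gets to send the rest
            break
        replies.append(session.handle(cmd))
    return replies, session.cleartext

LOGIN = ["USER alice", "PASS hunter2"]  # constructed sample credentials

if __name__ == "__main__":
    for label, cmds, req in [("plain, TLS optional", LOGIN, False),
                             ("plain, TLS required", LOGIN, True),
                             ("AUTH TLS first", ["AUTH TLS"] + LOGIN, True)]:
        replies, seen = replay(cmds, req)
        print(f"{label}: last reply {replies[-1]!r}, readable on the wire: {seen}")
```

In this model a client that skips AUTH TLS against an enforcing server still sends its USER line in the clear before it is refused; only the password is kept off the wire.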
dragonwriter, first, I want to say, you are correct that FTP/FTPS is not the World's Best Protocol. In fact, maybe it is the worst protocol in the world.
What I'm saying is, that doesn't matter. It's still the most common and easiest to set up for a novice user.
Trust me, I don't enjoy reading obscure RFCs on FTP's UTF8 encoding.
I'm using FTP/FTP-SSL because it's the easiest and most common for the end user. FileZilla Server does not support SFTP.
The goal of the project is simple: Let the average tech-savvy person use their own private server to sync. So it needs to be simple and free: FileZilla Server backend (runs on Windows or Linux) and IQBox front-end. I'm open to ideas but I think that's the easiest option.
Even a QNAP will support FTP out-of-the-box.
HTTP-1.0 was a mess. POP3 was a mess. All these protocols were insecure and evolved because software makers put up with their madness and made great software.
> I'm using FTP/FTP-SSL because it's the easiest and most common for the end user.
That's quite a bit different than your original argument (which was the self-contradictory argument that FTP is the only standard for file transfer, and that WebDAV is the only other standard for file transfer.)
> It's still the most common and easiest to set up for a novice user.
I don't think there are many "novice users" that can set up an FTP server that would fall down at setting up an SFTP server.
> FileZilla Server does not support SFTP.
There are plenty of open-source SFTP servers for Windows and that support Linux (not necessarily the same server for both Windows and Linux, but see the next point.)
> So it needs to be simple and free: FileZilla Server backend (runs on Windows or Linux)
> HTTP-1.0 was a mess. POP3 was a mess. All these protocols were insecure and evolved because software makers put up with their madness and made great software.
Right, and once HTTP/1.1 and IMAP were widely available and well supported with F/OSS servers and clients for most platforms, it wouldn't make a lot of sense to tie a new product to HTTP/1.0 or POP3.
There's a difference between putting up with a protocol that is suboptimal but the best available for the role that has widespread support and, on the other hand, doing so when alternatives that address its problems have been well established.
If someone else is running software on your system, it's not your system anymore.