RFC 959

Standards & Rfcs Jan 6, 2025 HTTP

Definition

RFC 959 is the official specification for FTP (File Transfer Protocol), published way back in 1985. Before cloud storage, before Dropbox, before you could email large attachments, FTP was how people moved files across networks. It was revolutionary for its time - a standardized way to upload and download files from remote servers.

Here’s the problem: FTP was designed in an era when the internet was a small, trusted network of universities and research institutions. Security wasn’t a major concern because everyone knew everyone. So FTP sends your username and password in plain text, completely unencrypted. Anyone watching the network can see your credentials. The actual files you transfer? Also unencrypted. It’s like writing your password on a postcard and mailing it - anyone along the delivery route can read it.

Despite being fundamentally insecure, FTP hung around for decades because it was simple and ubiquitous. Today, you should almost never use plain FTP for anything. Modern alternatives like SFTP (SSH File Transfer Protocol), FTPS (FTP over TLS), or simply HTTPS provide the same functionality with actual security. When you see an API that still requires FTP access, it’s usually a sign of very old legacy systems that haven’t been updated in years.
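To make the plaintext problem concrete, here is an added example (not from the original page) that audits an FTP control-channel transcript and reports what a passive observer on the network learns. The transcripts and the "C:"/"S:" direction labels are constructed for illustration; USER and PASS are the RFC 959 login commands, and AUTH TLS with its 234 reply is the explicit FTPS upgrade from RFC 4217.

```python
import re

# Constructed transcripts. The "C:"/"S:" direction prefixes are an assumption
# of this example (how a capture tool might label client and server lines).
PLAIN_SESSION = (
    "S: 220 FTP server ready\r\n"
    "C: USER backup\r\n"
    "S: 331 Password required\r\n"
    "C: pass S3cret-1995\r\n"   # command verbs are case-insensitive
    "S: 230 Logged in\r\n"
)
FTPS_SESSION = (
    "S: 220 FTP server ready\r\n"
    "C: AUTH TLS\r\n"
    "S: 234 Proceed with negotiation\r\n"
    # everything after this point is TLS records, unreadable to an observer
)

CLIENT = re.compile(r"^C:\s*([A-Za-z]{3,4})(?:\s+(.*))?$")
SERVER = re.compile(r"^S:\s*(\d{3})")

def audit_control_channel(transcript):
    """Report what a passive observer learns from one control connection."""
    result = {"tls_upgraded": False, "exposed_logins": []}
    user, auth_pending = None, False
    for line in transcript.splitlines():
        reply = SERVER.match(line)
        if reply:
            # 234 means the server accepted AUTH; a TLS handshake follows.
            if auth_pending and reply.group(1) == "234":
                result["tls_upgraded"] = True
            auth_pending = False
            continue
        cmd = CLIENT.match(line)
        if not cmd:
            continue
        verb, arg = cmd.group(1).upper(), cmd.group(2) or ""
        if verb == "AUTH":
            auth_pending = True
        elif verb == "USER":
            user = arg
        elif verb == "PASS":
            # A readable PASS line means the password crossed the wire in clear.
            # Record its length only, so the report does not leak it again.
            result["exposed_logins"].append({"user": user, "password_chars": len(arg)})
    return result
```

On the plain session the report contains the account name; on the FTPS session the readable part of the capture ends at the 234 reply, so no login is exposed.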

Example

Legacy Banking Systems: Some old banking batch processing systems still use FTP to transfer transaction files overnight. Banks have spent billions trying to modernize these systems because FTP credentials are often hardcoded in scripts from the 1990s.

Old Web Hosting: Traditional web hosting used to give you FTP access to upload your website files. Type your credentials into FileZilla, connect to ftp://yoursite.com, and drag files over. Many hosting providers have now switched to SFTP by default due to security concerns.

Government File Exchanges: Some government agencies still require FTP for data submissions because their systems are decades old. You might need FTP to submit regulatory filings, even though the agency knows it’s insecure - they just can’t afford to replace the entire system.

Printer and Scanner Integration: Old enterprise printers and scanners often only support FTP for sending scanned documents. When you scan-to-folder, it might be using FTP under the hood, sending your scanned documents without encryption.

Modern Replacements in Action: Today, when you use Dropbox, your files transfer over HTTPS - encrypted end-to-end. When developers deploy code through CI/CD pipelines, they use SFTP or secure cloud storage APIs. These aren’t just better - they’re the minimum standard for responsible data handling.

Analogy

The Unlocked Mailbox on a Busy Street: Using FTP is like having a mailbox on a busy street with no lock and no lid. You put your important documents in the box with a note saying “For John at 123 Main St.” Anyone walking by can look inside, see your documents, and see the note. They could even take the documents and put fake ones in their place. SFTP and HTTPS are like using a locked mailbox, sealed envelope, and registered mail with signature confirmation.

Speaking Secrets Out Loud in a Crowded Room: Imagine you’re in a crowded coffee shop and you need to share a secret password with someone. With FTP, you’d just shout it across the room for everyone to hear. With SFTP, you’d walk over and whisper it directly in their ear. Same message delivered, completely different level of privacy.

The Old Unlocked Building vs. Modern Security: FTP is like an old warehouse from the 1950s with no security cameras, no locks, and the guard just asks your name without checking ID. Sure, it worked when the warehouse was in a quiet rural area with only trusted workers. But in today’s world? You need key cards, cameras, biometric scanners, and encrypted communications. That’s what SFTP and HTTPS provide.

The Difference Between Postcards and Sealed Letters: FTP is a postcard - everyone who handles it during delivery can read what’s on it. SFTP is a sealed letter in a locked briefcase handcuffed to a courier. Both deliver the message, but only one keeps it private.

Code Example


// FTP (AVOID - insecure)
ftp://username:<password>@<host>:21/path/file.txt

// Why FTP is problematic:
// 1. Credentials sent in plaintext
// 2. Data transmitted unencrypted
// 3. Multiple ports (control + data) complicate firewalls
// 4. Active/passive mode complexity
// 5. No built-in integrity checking

// Modern alternatives:

// SFTP (SSH File Transfer Protocol)
sftp://<user>@<host>/path/file.txt

// HTTPS with multipart upload
POST /api/files/upload HTTP/1.1
Authorization: Bearer eyJhbGc...
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary

------WebKitFormBoundary
Content-Disposition: form-data; name="file"; filename="upload.txt"

[file contents]
------WebKitFormBoundary--

// S3 presigned URL
PUT https://bucket.s3.amazonaws.com/file.txt?AWSAccessKeyId=...
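Credential-bearing `ftp://` URLs like the one above tend to survive in old batch scripts. The following added example (not part of the original page) scans script text for file-transfer URLs, flags plain FTP and embedded passwords, and redacts the password in its report. The sample script, host names and issue labels are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a legacy upload script with hardcoded transfer URLs.
SAMPLE_SCRIPT = """\
#!/bin/sh
# nightly batch upload
curl -T batch.csv ftp://batchuser:Winter1998@files.example.com:21/inbound/
curl -T batch.csv sftp://batchuser@files.example.com/inbound/
wget ftp://mirror.example.org/pub/readme.txt
"""

URL_RE = re.compile(r"\b(?:ftp|ftps|sftp)://[^\s'\"<>]+", re.IGNORECASE)

def find_risky_transfer_urls(text):
    """Return one finding per URL that uses plain FTP or embeds a password."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in URL_RE.finditer(line):
            parts = urlsplit(match.group(0))
            issues = []
            if parts.scheme == "ftp":          # urlsplit lowercases the scheme
                issues.append("cleartext-protocol")
            if parts.password is not None:
                issues.append("embedded-password")
            if not issues:
                continue
            # Rebuild the URL without the secret (query string is dropped too).
            userinfo, _, hostport = parts.netloc.rpartition("@")
            if parts.password is not None:
                netloc = f"{userinfo.split(':', 1)[0]}:***@{hostport}"
            else:
                netloc = parts.netloc
            findings.append({
                "line": lineno,
                "issues": issues,
                "url": f"{parts.scheme}://{netloc}{parts.path}",
            })
    return findings
```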