What's Happening?
A recent report by Censys reveals that approximately 6 million internet-accessible systems are using the File Transfer Protocol (FTP), with nearly half lacking encryption. FTP, a protocol in use for over 50 years, transfers files between computers but carries both login credentials and file contents in cleartext, which is the source of its security risk. The number of hosts running FTP services has decreased by 40% since 2024, yet it still accounts for 2.72% of all internet-visible systems. Alarmingly, 2.45 million of these FTP services show no evidence of encryption: they either advertise no TLS support or fail to complete a TLS handshake when scanned. The majority of these unsecured FTP hosts are located in the U.S., China, and several European countries. Censys suggests that many of these configurations result from default settings in commodity hosting and broadband services.
Why Is It Important?
The lack of encryption on nearly half of the internet-facing FTP servers presents a significant cybersecurity threat, exposing credentials and sensitive data to interception and misuse by anyone positioned on the network path. This situation underscores the need for organizations to transition to secure file transfer protocols such as SFTP (file transfer over SSH) or FTPS (FTP over TLS), both of which encrypt data in transit. The continued use of unencrypted FTP could lead to data breaches, impacting businesses and individuals by compromising confidential information. The report highlights the importance of updating legacy systems and adopting modern security practices to protect against cyber threats.
What's Next?
Organizations are encouraged to phase out FTP in favor of secure alternatives. For those that must continue using FTP, enabling Explicit TLS (FTPS negotiated with the AUTH TLS command on the standard FTP control port) is recommended; it is a configuration change on the existing server rather than a protocol upgrade. This shift is crucial to mitigate the risks associated with unencrypted data transmission. Additionally, there may be increased pressure on hosting providers to update default configurations to enhance security. As awareness of these exposures grows, regulatory bodies might also consider implementing stricter guidelines for data protection.
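The report's two test conditions described above (no TLS mechanism advertised, or a TLS handshake that does not complete) and the Explicit TLS recommendation can be turned into an inventory check for hosts you operate. The following Python script is an added example, not code from Censys or from the article: it reads a server's FEAT reply, looks for an RFC 4217 AUTH line offering TLS, and then attempts AUTH TLS through the standard library's FTP_TLS class. The sample FEAT replies and the hostname in the usage stub are constructed.

```python
"""Check whether an FTP service offers Explicit TLS (AUTH TLS).

Added example, not code from the Censys report or the article. It mirrors the
two conditions the report counts as "no evidence of encryption": the server
advertises no TLS mechanism in its FEAT reply, or a TLS handshake does not
complete. Hostnames and the sample FEAT replies below are constructed.
"""
import ssl
from ftplib import FTP, FTP_TLS, error_perm, error_temp

# Constructed FEAT replies in the RFC 2389 multi-line format (211- ... 211 End).
# RFC 4217 servers list their security mechanisms on an "AUTH" feature line.
FEAT_WITH_TLS = "211-Features:\r\n AUTH TLS;TLS-C;SSL;TLS-P\r\n PBSZ\r\n PROT\r\n UTF8\r\n211 End\r\n"
FEAT_WITHOUT_TLS = "211-Features:\r\n MDTM\r\n SIZE\r\n UTF8\r\n211 End\r\n"

TLS_MECHANISMS = {"TLS", "TLS-C", "SSL", "TLS-P"}


def feat_advertises_tls(feat_reply: str) -> bool:
    """Return True if the FEAT reply lists any TLS/SSL mechanism on an AUTH line."""
    for line in feat_reply.splitlines():
        token = line.strip().upper()
        if token.startswith("AUTH "):
            mechanisms = {m.strip() for m in token[len("AUTH "):].split(";")}
            if mechanisms & TLS_MECHANISMS:
                return True
    return False


def classify(advertises_tls: bool, handshake_completed: bool) -> str:
    """Map the two observations onto the report's categories."""
    if not advertises_tls:
        return "plaintext-only"                 # no TLS support advertised at all
    if handshake_completed:
        return "explicit-tls"                   # AUTH TLS accepted, handshake finished
    return "tls-advertised-handshake-failed"    # claims TLS but cannot negotiate it


def probe_ftp_host(host: str, port: int = 21, timeout: float = 5.0) -> str:
    """Connect to host:port, read FEAT, then attempt AUTH TLS. Returns a category.

    Inventory check for hosts you operate. It tests only whether a TLS session
    can be negotiated, so certificate trust is deliberately not evaluated here;
    verify certificates separately once TLS is known to work.
    """
    ftp = FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        try:
            feat = ftp.sendcmd("FEAT")          # full multi-line 211 reply
        except (error_perm, error_temp):
            feat = ""                           # FEAT unsupported: nothing advertised
    except OSError:
        return "unreachable"
    finally:
        ftp.close()
    if not feat_advertises_tls(feat):
        return classify(False, False)

    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE             # handshake completion only, see docstring
    ftps = FTP_TLS(context=ctx)
    try:
        ftps.connect(host, port, timeout=timeout)
        ftps.auth()                             # sends AUTH TLS, wraps the control channel
        completed = True
    except (OSError, error_perm, error_temp):
        completed = False                       # ssl.SSLError is a subclass of OSError
    finally:
        ftps.close()
    return classify(True, completed)


if __name__ == "__main__":
    import sys
    # Constructed placeholder; pass one of your own hosts on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "ftp.example.invalid"
    print(target, probe_ftp_host(target))
```

Run it against your own FTP hosts and treat anything other than "explicit-tls" as a finding: "plaintext-only" hosts need AUTH TLS enabled in the server configuration, and "tls-advertised-handshake-failed" hosts usually have a missing or unreadable certificate or a protocol version mismatch. Once a host negotiates TLS, a second pass with certificate verification enabled tells you whether clients can actually trust it.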