[ndsipa_pomu]

How would you know if the transfers were interfered with? Do you take checksums of the files you upload and then check that the files apparently uploaded are the same?

Also, how do you know that there isn't someone performing a MITM (man in the middle) attack? FTP has no mechanism that I know of to verify that you're connecting to the server that you think you are.

It may well be that you're not a sizeable target and that no-one is interested in hacking your site, but that's just luck and not an endorsement of unencrypted FTP.

[carlosjobim]

How would you know that your neighbours aren't secretly spying together on you and interfering with your life in ways you don't notice?

We have to put a limit to paranoia. If things work correctly for decades and there are no signs of foul play after endless real world usage, it's safe to say nobody is hacking our FTP.

It's different if you're a bank or the KGB or the CIA.

> It may well be that you're not a sizeable target and that no-one is interested in hacking your site, but that's just luck and not an endorsement of unencrypted FTP.

Do you drive an armored car?

[ndsipa_pomu]

Needing an armored car or protection from neighbours is specifically to guard against proximity based exploits and those are very unlikely threats to most people. FTP interception can be easily performed from anywhere in the world with a little bit of DNS poisoning and then perform a MITM attack (or even just alter the data in transit from a malicious wifi hotspot).

It costs approximately zero to use encryption and protect against the FTP exploits, so why continue to use FTP? There's literally no advantage and several possible disadvantages. Just relying on not being hacked before seems a foolish stance to me.

[carlosjobim]

If it's so easily done, then most FTP websites would be hacked every week. But hundreds of millions of people have FTP websites and never get hacked in decades.

I challenge you to select any FTP website of your choosing and make a tiny change to prove that you've hacked it and let me know here.

[DANmode]

Do you drive a doorless car?

A frame-less one?

[carlosjobim]

Yes, and it only has two wheels.

[DANmode]

Don't complain when you get run over.

I don't even know if I'm talking about your servers or your bike at this point, ha

[carlosjobim]

There's little reason to expect to be run over when you're on a bike, jut like there's little reason to expect your website to be hacked because you use FTP. If you're a normal person.

We have to be proportional when we do risk assessment. Just because it's part of modern programmer faith to be against FTP, doesn't mean it's sensible. Most hackers are just repeating what others have told them, and a lie becomes common sense.

If FTP is considered unsafe, then riding any non-armored vehicle should also be unacceptable.

[DANmode]

It is, if your threat model includes texting general populace in large trucks.