[ale] Still using plain FTP? Why?

David Millians millia at panix.com
Tue Jan 20 10:01:51 EST 2015


On 1/19/2015 9:22 AM, JD wrote:
> For folks using plain FTP still, I'd like to know why?
> We all know it isn't secure and should have been removed from offers in the
> 1990s (along with telnet).
> So, if you are still using plain FTP, why?

I can't speak for them, but there's an interesting use that switched 
from ftp recently.
SAT score delivery. ETS encrypts scores with GPG and then puts them on 
an 'FTP' server. They mail you the link.
Since they changed, the 'FTP' link is of the form:
https://ets-scorelink.ets.org/edsasftp/SAT/SA######.###

So it's security through obscurity mixed with GPG. I don't honestly know 
why they switched from real FTP to https. There must be something about 
ftp traversal which is less secure than http traversal, because (on the 
net, encrypted, with security through obscurity) of whatever modality is 
all one and the same to my way of thinking.

They still refer to it as an FTP server in all their docs and mail:
"The FTP address is:"

All of their instructions for this data download and decryption process, 
btw, refer to using Symantec PGP rather than GPG in order to do the 
decryption. I suspect this is mainly to make it easier on their help 
desk staff. GPG works a-ok.

Your other methods for schools to get SAT scores are paper copies and 
CD-ROMs. ETS uses SSN as primary key, and sends stuff in fixed-length 
records (yuck) that changes every year. (double yuck)
And the CD-ROMs are a hodge-podge of data that invariably has to be 
de-duplicated.

