FTP Security Concerns: A Critical Analysis of Censys Report

21 April 2026 by TechStora

The Persistent Use of FTP: A Security Blindspot

The File Transfer Protocol (FTP), despite its antiquated design, remains in widespread use, with approximately six million systems globally employing it as of the latest Censys analysis. Alarmingly, nearly half of these systems transmit data without encryption, exposing both enterprises and individual users to significant risks. FTP, rooted in a client-server architecture, was never designed to adhere to modern security practices. Instead, its reliance on unencrypted data transmission has rendered it fundamentally insecure for decades.

Although the number of internet-facing FTP hosts has decreased by 40% since 2024, the protocol still represents a staggering 27.2% of all internet-visible systems. Such persistence highlights a concerning lack of urgency in transitioning to secure alternatives. Enterprises must recognize that the continued use of FTP not only risks sensitive data leakage but also undermines efforts to adhere to global security standards.

Encryption Gaps: The Numbers Don't Lie

The absence of encryption across 2.45 million FTP services is a glaring vulnerability, as highlighted by the Censys report. These systems lack evidence of a TLS handshake, which is a critical mechanism for ensuring encrypted communication. A missing handshake means that the server does not support encryption, was misconfigured, or failed during the scanning attempt. While not every one of these systems necessarily transmits data in cleartext, the sheer volume of services showing no evidence of encryption paints a bleak picture.

Systems that do not implement AUTH TLS, or that request passwords before an encrypted channel is established, exacerbate security risks. Enterprises using such configurations essentially leave themselves open to targeted attacks, including credential theft and man-in-the-middle interception. Proactive measures to enforce encryption protocols should become a mandatory practice, with legacy FTP servers either upgraded or decommissioned entirely.
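
The two conditions above can be checked from a server's own control-channel replies. The following is an added example, not code from the Censys report or this article: it classifies constructed transcripts by whether AUTH TLS is accepted and whether USER is answered before TLS. The transcripts, the `audit` user name and the verdict labels are assumptions; reply codes follow RFC 959 and RFC 4217.

```python
import re

# Constructed control-channel transcripts (not captured from real hosts).
# "C:" = client command, "S:" = server reply; nothing here is sent over TLS.
SAMPLES = {
    "legacy": "S: 220 FTP ready\nC: USER audit\nS: 331 Password required\n"
              "C: AUTH TLS\nS: 500 AUTH not understood\n",
    "optional": "S: 220 FTP ready\nC: FEAT\nS: 211-Features:\nS:  AUTH TLS\n"
                "S: 211 End\nC: USER audit\nS: 331 Password required\n"
                "C: AUTH TLS\nS: 234 AUTH TLS successful\n",
    "enforced": "S: 220 FTP ready\nC: USER audit\n"
                "S: 530 Non-anonymous sessions must use encryption.\n"
                "C: AUTH TLS\nS: 234 Proceed with negotiation.\n",
}

# A reply ends on "<code><space>"; "<code>-" and indented lines continue it.
FINAL_REPLY = re.compile(r"^(\d{3})(?: |$)")


def final_codes(transcript):
    """Map each client verb to the code of the server's final reply line."""
    codes, verb = {}, None
    for line in transcript.splitlines():
        tag, _, body = line.partition(": ")
        if tag == "C":
            verb = body.split()[0].upper()
        elif tag == "S" and verb:
            match = FINAL_REPLY.match(body)
            if match:
                codes[verb] = int(match.group(1))
                verb = None
    return codes


def classify(transcript):
    codes = final_codes(transcript)
    if "AUTH" not in codes or "USER" not in codes:
        return "incomplete"              # both probes are needed for a verdict
    if codes["AUTH"] != 234:             # RFC 4217: 234 accepts AUTH TLS
        return "cleartext-only"
    if codes["USER"] in (230, 331):      # login proceeds with no TLS in place
        return "tls-optional"
    return "tls-required"


if __name__ == "__main__":
    for name, transcript in SAMPLES.items():
        print(f"{name:9} -> {classify(transcript)}")
```

A "tls-optional" verdict is the case described above: the server offers TLS but will still take a password on an unencrypted channel.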

Global Distribution of FTP Hosts

The geographical distribution of FTP-visible systems reveals concentrated clusters in leading technological and industrial hubs such as the United States (1.2 million hosts), China (866,000), and Germany (467,000). These nations house significant numbers of internet-facing FTP services, emphasizing a systemic gap in addressing legacy protocol vulnerabilities. Hosting providers such as China Unicom, Alibaba, and OVH are top contributors to this issue, with hundreds of thousands of unencrypted FTP services under their management.

While these providers are instrumental in global connectivity, their apparent lack of enforcement for secure configurations reflects poorly on their cybersecurity posture. For nations and enterprises alike, prioritizing secure file transfer protocols should not be optional. Instead, large-scale audits and mandatory encryption enforcement should become part of regulatory frameworks.

Server Software and Legacy Systems

The Censys report identifies PureFTPd as the most commonly running FTP server software, accounting for 1.99 million services. Following this are ProFTPD (812,000 services) and vsftpd (379,000 services), the latter being the default FTP daemon for most Linux distributions. Microsoft's legacy Internet Information Services (IIS) platform also contributes significantly, with 259,000 services still active, many of which have never had encryption enabled.

These statistics underscore the persistence of legacy systems that fail to integrate modern encryption standards. Organizations relying on outdated FTP server software are essentially operating without a secure safety net. Transitioning to protocols such as SFTP or FTPS should be treated as an operational imperative, not a discretionary upgrade.

Actionable Solutions for Enterprises and Providers

To mitigate the risks posed by unencrypted FTP services, enterprises must take a multi-pronged approach. First, the replacement of traditional FTP with secure protocols such as SFTP (Secure File Transfer Protocol) or FTPS (FTP Secure) should become standard practice. These alternatives offer encryption capabilities that align with current cybersecurity standards.

Second, organizations must conduct thorough security audits of their infrastructure to identify and decommission legacy FTP servers. Misconfigured systems, particularly those failing to establish TLS handshakes, should be prioritized for immediate remediation. Third, hosting providers must enforce mandatory encryption protocols across their services, leveraging automated tools to detect and disable unencrypted configurations.

Finally, training IT teams on the risks associated with legacy protocols is critical. Awareness and education are key components in building a secure operational environment. The persistence of FTP demonstrates that technical solutions alone are insufficient: cultural and organizational shifts must accompany technological upgrades.
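
For the audit step, a configuration check can complement network scanning. The added example below (not from the article or the Censys report) reads a vsftpd.conf, one of the servers named above, and flags settings that allow cleartext logins or data. The sample configurations and certificate path are constructed; the option names and defaults are those documented in vsftpd.conf(5).

```python
# vsftpd's built-in defaults for the options checked here, per vsftpd.conf(5).
DEFAULTS = {"ssl_enable": "NO", "force_local_logins_ssl": "YES",
            "force_local_data_ssl": "YES", "ssl_sslv2": "NO", "ssl_sslv3": "NO"}

# Constructed configurations; the certificate path is a placeholder.
WEAK_CONF = """\
# TLS is offered but nothing requires it
local_enable=YES
ssl_enable=YES
force_local_logins_ssl=NO
force_local_data_ssl=NO
ssl_sslv3=YES
"""
HARDENED_CONF = """\
local_enable=YES
ssl_enable=YES
rsa_cert_file=/path/to/cert.pem
"""


def parse_conf(text):
    """Overlay option=value lines on the defaults; '#' lines are comments."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key] = value.strip()
    return conf


def audit(text):
    """Return (option, finding) pairs for settings that permit cleartext."""
    conf = parse_conf(text)
    if conf["ssl_enable"] != "YES":
        return [("ssl_enable", "TLS is off: logins and data travel in cleartext")]
    findings = []
    if conf["force_local_logins_ssl"] != "YES":
        findings.append(("force_local_logins_ssl", "passwords accepted before TLS"))
    if conf["force_local_data_ssl"] != "YES":
        findings.append(("force_local_data_ssl", "data connections may skip TLS"))
    for old in ("ssl_sslv2", "ssl_sslv3"):
        if conf[old] == "YES":
            findings.append((old, "obsolete SSL protocol version enabled"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(text) or "no cleartext findings")
```

An empty or default configuration yields the `ssl_enable` finding, since vsftpd ships with TLS disabled.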