What Is FTP?


FTP — File Transfer Protocol — is a 1971-era protocol for transferring files between a client and a server. Its dual-channel design (separate control and data connections) was innovative for its time, but its plaintext authentication makes it fundamentally insecure for any internet-facing use today.

FTP History and Origins

FTP predates much of what we recognize as the modern internet. The first FTP specification appeared in RFC 114 in 1971, when the ARPANET connected a handful of research institutions. The protocol was designed to solve a real and immediate problem: how to move files reliably between computers running different operating systems with different filesystem conventions. The current FTP standard, RFC 959, was published in 1985 and remains the definitive specification.

For two decades, FTP was the primary mechanism for distributing software, publishing websites, and sharing research data. University FTP servers hosted software archives accessible to anyone. Web hosting companies offered FTP as the standard way to upload HTML files. The protocol served this role reliably because the threat model of the early internet — a small, cooperative community of researchers — bore no resemblance to the adversarial public internet that followed.

How FTP Works: The Dual-Channel Design

FTP's most distinctive architectural feature is its use of two separate TCP connections for a single file transfer session. The control channel connects to TCP port 21 on the server and remains open for the entire session. All FTP commands — authentication, directory listing requests, file transfer commands — travel over this channel as human-readable ASCII text. Commands like USER, PASS, LIST, RETR, and STOR are plain text strings followed by server response codes (e.g., 220 for service ready, 230 for login successful, 550 for file not found).

The data channel is a separate TCP connection opened only when data needs to be transferred — a directory listing or a file upload or download. After the transfer completes, the data channel closes. The next transfer opens a new data channel. This design separates the conversation from the data, which was elegant in 1971 but creates significant complications with modern network infrastructure.

Active Mode vs Passive Mode

How the data channel is established defines the two FTP modes. In active mode, the client tells the server its IP address and a port number via the PORT command. The server then initiates a TCP connection from its port 20 to the client's specified port. This worked fine on the early ARPANET where every host had a public IP address. It breaks completely when the client is behind NAT — the server tries to connect to the client's private IP address (like 192.168.1.x), which is unreachable from the internet.

In passive mode (triggered by the PASV command), the client asks the server to open a data port instead. The server picks an available high-numbered port, tells the client the IP and port in the response, and waits. The client then connects to the server's data port. Because the client initiates both connections (to port 21 for control, to the ephemeral port for data), passive mode works correctly through NAT and stateful firewalls. Passive mode is the default in virtually all modern FTP clients.

FTP Authentication and Why It Is Insecure

FTP authentication happens over the control channel using the USER and PASS commands. Both the username and password are transmitted as plaintext ASCII strings. There is no option to negotiate encryption on the control channel in standard FTP — the credentials are simply sent in the clear before any authentication decision is made.

The data channel is equally unprotected. Every byte of every file transferred over FTP travels without encryption. This means an attacker with access to any network segment between client and server can capture both the credentials and the complete content of every file transferred. On shared hosting networks, cloud provider infrastructure, or any environment where physical network security cannot be guaranteed, FTP provides no meaningful protection.
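Because the control channel is readable text, a defender reviewing a capture of port 21 traffic can tell which sessions exposed a password. The following is an added example, not part of the original page: it audits constructed transcripts and flags cleartext logins without storing the password. The function names and sample data are hypothetical, and the AUTH TLS command with its 234 reply is the FTPS upgrade sequence, which the page itself does not show.

```python
# Constructed control-channel transcripts as a passive monitor on port 21
# would see them: ("C", line) is client-to-server, ("S", line) is a reply.
# All user names, passwords and file names are made up.
PLAIN_SESSION = [
    ("S", "220 Service ready"),
    ("C", "USER deploy"),
    ("S", "331 Password required"),
    ("C", "PASS example-password"),
    ("S", "230 Login successful"),
    ("C", "RETR payroll.csv"),
    ("S", "150 Opening data connection"),
    ("S", "226 Transfer complete"),
]
# Once "AUTH TLS" is accepted (234) the rest of the session is ciphertext,
# so the monitor has no further readable lines.
TLS_SESSION = [
    ("S", "220 Service ready"),
    ("C", "AUTH TLS"),
    ("S", "234 Proceed with negotiation"),
]

def audit_session(transcript):
    """Summarise what one FTP control session exposed in cleartext."""
    report = {"user": None, "password_in_clear": False,
              "login_ok": False, "tls": False, "files_named": []}
    for direction, line in transcript:
        word, _, rest = line.partition(" ")
        if direction == "S":
            if word == "234":
                report["tls"] = True
            elif word == "230":
                report["login_ok"] = True
            continue
        verb = word.upper()
        if verb == "USER":
            report["user"] = rest
        elif verb == "PASS":
            report["password_in_clear"] = True  # flag it; never keep the value
        elif verb in ("RETR", "STOR"):
            report["files_named"].append(rest)
    return report

def is_finding(report):
    """Reportable if a password crossed the wire without a TLS upgrade."""
    return report["password_in_clear"] and not report["tls"]
```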

Anonymous FTP

Anonymous FTP allows public access without requiring a real account. The convention is to connect with the username anonymous and an email address as the password (the server typically accepts any string). Anonymous FTP servers were the dominant method for distributing public software and documents through the 1990s. The Linux kernel source code, BSD distributions, and IETF RFC documents were all distributed via anonymous FTP. CPAN (the Perl archive) and many other package repositories used anonymous FTP mirrors extensively. Today, HTTPS downloads have replaced nearly all of this use.

Common FTP Clients

FileZilla is the most widely used cross-platform FTP client: it is open source, available for Windows, macOS, and Linux, and supports FTP, FTPS, and SFTP. WinSCP is a Windows-only client focused on SFTP and SCP that also supports FTP and FTPS. The command-line ftp client is available on most Unix-like systems and Windows, though it is minimal and lacks passive mode by default on some older versions. Cyberduck is a Mac and Windows client with a clean interface supporting FTP, SFTP, FTPS, and cloud storage protocols.

Browser FTP Support Removed

For many years, web browsers supported FTP URLs natively — entering ftp://ftp.example.com/ in the address bar would display a directory listing and allow file downloads. Google Chrome removed FTP support in Chrome 88 (January 2021). Mozilla Firefox removed it in Firefox 90 (July 2021). Both teams cited the same reasons: FTP is unencrypted, fewer than 0.1% of navigations used FTP, and maintaining the FTP implementation added complexity and attack surface for negligible benefit. Users who need FTP access should use a dedicated client like FileZilla.

FTP Active vs Passive Mode Compared

| Aspect | Active Mode | Passive Mode |
| --- | --- | --- |
| Who initiates data connection | Server connects to client | Client connects to server |
| Server data port | Port 20 (fixed) | Ephemeral high-numbered port |
| Client data port | Ephemeral port specified by client | Ephemeral port chosen by client OS |
| Firewall friendliness (client side) | Poor — inbound connection to client required | Good — client initiates both connections |
| NAT traversal | Fails — server cannot reach client's private IP | Works — all connections outbound from client |
| When to use | Controlled server environments, legacy systems | All modern deployments; default in FTP clients |

Frequently Asked Questions

What ports does FTP use?

FTP uses two TCP ports. Port 21 is the control channel — all commands and responses (LIST, RETR, STOR, authentication) travel here for the entire session. Port 20 is used for the data channel in active mode — the server initiates a connection back to the client from port 20. In passive mode, the server picks an ephemeral high-numbered port for the data channel and tells the client which port to connect to. Passive mode is far more common today because active mode fails when the client is behind NAT or a stateful firewall.

What is the difference between active and passive FTP?

In active mode FTP, the client tells the server its IP and a port number, and the server opens the data connection back to the client from port 20. This breaks when the client is behind NAT or a firewall — the server cannot reach the client's internal address. In passive mode (PASV), the client asks the server to open a data port, the server picks an available high-numbered port and tells the client its address and port, and the client connects to it. Since the client initiates both connections, passive mode works correctly through NAT and firewalls.

Is FTP secure?

No. FTP transmits the username, password, and all file data in plaintext over both the control and data channels. Anyone on the network path can capture credentials and file contents with a standard packet sniffer. Plain FTP has no mechanism for adding encryption — it is a structural limitation of the protocol, not a configuration option. For internet-facing file transfers, use SFTP (which runs over SSH) or FTPS (which adds TLS to FTP). SFTP is the recommended choice for new deployments.

What replaced FTP?

SFTP (SSH File Transfer Protocol) is the most widely used secure replacement for FTP. It runs over a single SSH connection on port 22, encrypts all data including credentials, and is supported by all major FTP clients including FileZilla and WinSCP. FTPS (FTP over TLS) is the other secure alternative, but it retains FTP's dual-channel complexity and firewall challenges. For the public file distribution that anonymous FTP servers once handled, HTTPS with a standard web server has become the standard approach.

What is anonymous FTP?

Anonymous FTP allows users to connect without a real account by using anonymous as the username and an email address (by convention) as the password. It was widely used in the 1980s and 1990s to distribute public files — software archives, RFC documents, and academic papers were commonly available via anonymous FTP servers. Public mirror networks like kernel.org used anonymous FTP extensively. Most of this function has been superseded by HTTP/HTTPS downloads, and anonymous FTP servers are now rare outside of legacy institutional deployments.

Why did browsers drop FTP support?

Chrome removed FTP support in Chrome 88 (January 2021) and Firefox followed in Firefox 90 (July 2021). Browser vendors cited several reasons: FTP has no encryption, its dual-channel design creates security edge cases in the browser's network stack, less than 0.1% of browser navigations used FTP, and maintaining FTP code added complexity and potential attack surface for a negligible use case. Users needing FTP access from a browser can install a dedicated FTP client such as FileZilla or use a browser extension, though a dedicated client is always preferable.
