A recent report by Censys has revealed that out of approximately 6 million internet-facing FTP servers, nearly half are operating without encryption. This lack of security poses a considerable risk to enterprises and users who continue to rely on this outdated protocol.
FTP’s Enduring Security Issues
FTP, a protocol that has been used for over fifty years, facilitates file and folder transfers between computers through a client-server model. Despite its longevity, it has long been criticized for transmitting data in an unencrypted format, leaving information vulnerable to interception. The persistence of its use continues to expose significant security risks.
According to Censys, the number of FTP hosts visible on the internet has decreased by 40% since 2024, dropping from 10.1 million to 5.94 million. However, FTP still constitutes 2.72% of all internet-visible systems, indicating its ongoing prevalence despite known vulnerabilities.
Encryption Lapses in FTP Servers
The report highlights that 2.45 million FTP services show no sign of encryption, lacking any observed TLS handshake. This situation suggests that these servers either do not support encryption, have not been updated, or did not complete the handshake during the Censys scan. While this does not confirm that all 2.45 million transmit data in clear text, the absence of encryption evidence is concerning.
Geographically, the United States hosts the largest number of these FTP-visible systems, with 1.2 million servers, followed by China, Germany, Hong Kong, Japan, and France. Major hosting and broadband providers such as China Unicom and Alibaba account for a significant portion of these unencrypted servers.
Recommended Security Measures
Censys’ analysis shows that Pure-FTPd is the most widely used FTP server, with 1.99 million instances, followed by ProFTPD and vsftpd. Microsoft’s IIS platform also contributes to this figure with 259,000 services, many of which have no encryption configured.
To enhance security, organizations are encouraged to eliminate FTP from their systems or transition to more secure alternatives like SFTP and FTPS, which offer encrypted transfer capabilities. For those who must continue using FTP, enabling Explicit TLS is advised as a straightforward configuration adjustment.
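The scan signal described under "Encryption Lapses" (no observed TLS handshake) and the Explicit TLS recommendation above both turn on one control-channel exchange: the client connects to the plaintext FTP port, may ask for the feature list with FEAT, and then requests the upgrade with AUTH TLS; a server that supports explicit TLS answers 234 and a TLS handshake follows, while a legacy server answers 5xx and the session stays in clear text. The Python below is an added example for auditing your own hosts, not Censys's scanner and not code from any FTP server project. So that it runs offline it embeds a constructed in-process mock of both a legacy and a TLS-capable server; the function names, the mock's replies and the 127.0.0.1 addresses are assumptions for the example.

```python
import socket
import threading

# Constructed, in-process mock FTP control channels (not a real daemon and not
# the Censys scanner): one behaves like a server that never offers TLS, the
# other like one that accepts the explicit "AUTH TLS" upgrade on the FTP port.
def _serve_mock(conn, tls_capable):
    conn.sendall(b"220 mock-ftp ready\r\n")
    f = conn.makefile("rb")
    for raw in f:
        cmd = raw.strip().upper()
        if cmd == b"FEAT":
            feats = b" AUTH TLS\r\n PBSZ\r\n PROT\r\n" if tls_capable else b" UTF8\r\n"
            conn.sendall(b"211-Features:\r\n" + feats + b"211 End\r\n")
        elif cmd == b"AUTH TLS":
            if tls_capable:
                conn.sendall(b"234 Proceed with negotiation\r\n")
                break  # a real server would now expect a TLS ClientHello
            conn.sendall(b"502 Command not implemented\r\n")
        elif cmd == b"QUIT":
            conn.sendall(b"221 Goodbye\r\n")
            break
        else:
            conn.sendall(b"500 Unknown command\r\n")
    conn.close()


def start_mock_server(tls_capable):
    """Listen on a random loopback port, serve one connection, return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def accept_one():
        conn, _ = srv.accept()
        srv.close()  # the accepted connection is unaffected
        _serve_mock(conn, tls_capable)

    threading.Thread(target=accept_one, daemon=True).start()
    return port


def _read_reply(f):
    """Read one FTP reply, handling the multi-line '211-...' form (RFC 959)."""
    first = f.readline().decode("latin-1")
    code = first[:3]
    lines = [first.rstrip("\r\n")]
    if first[3:4] == "-":  # multi-line reply ends with "<code> " on its own line
        while True:
            line = f.readline().decode("latin-1")
            if not line:
                break
            lines.append(line.rstrip("\r\n"))
            if line.startswith(code + " "):
                break
    return code, "\n".join(lines)


def check_explicit_tls(host, port, timeout=5.0):
    """Probe one FTP control port for explicit TLS support.

    Returns a dict with 'advertised' (FEAT lists AUTH TLS), 'accepted'
    (AUTH TLS got a 234 reply) and a 'verdict'. The probe stops at the 234
    reply; a full scanner would continue with ssl.SSLContext.wrap_socket()
    and record whether the handshake completes, which is the signal the
    report relies on.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        code, banner = _read_reply(f)
        if not code.startswith("2"):
            return {"banner": banner, "advertised": False, "accepted": False,
                    "verdict": "no-ftp-banner"}
        sock.sendall(b"FEAT\r\n")
        code, feat = _read_reply(f)
        advertised = code == "211" and "AUTH TLS" in feat.upper()
        sock.sendall(b"AUTH TLS\r\n")
        code, _ = _read_reply(f)
        accepted = code == "234"
        if not accepted:
            sock.sendall(b"QUIT\r\n")  # leave cleanly; session stayed in plaintext
        verdict = "explicit-tls-offered" if accepted else "plaintext-only"
        return {"banner": banner, "advertised": advertised,
                "accepted": accepted, "verdict": verdict}


if __name__ == "__main__":
    for label, capable in (("legacy", False), ("tls-capable", True)):
        print(label, check_explicit_tls("127.0.0.1", start_mock_server(capable)))
```

Run against an inventory of your own FTP hosts, a "plaintext-only" verdict is the case the report counts as showing no sign of encryption; a server that advertises AUTH TLS in FEAT but does not answer 234 is worth a closer look, since that usually means the TLS configuration is incomplete rather than absent.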
The report underscores the need for improved security practices, as millions of FTP servers remain vulnerable to potential breaches. By migrating to safer protocols, organizations can significantly reduce their exposure to cyber threats.
