How insecure is FTP?
With plain FTP the credentials are passed in plain and thus can be easily sniffed. Also, the files are not only send in plain but they are also not protected against modifications, i.e. an active man in the middle might change the files on the fly. Insofar the risks are similar to plain HTTP, i.e. it might be fine within a trusted network but is a bad idea if you cannot fully trust the network.
Credentials are transfered in clear text, but you know that from the other posts. But how easy is it to get those details?
As an example I ran tcpdump and connected to an FTP server. Lets take a look at the pcap with strings:
220 (vsFTPd 3.0.2)
6USER joe
CT'X
331 Please specify the password.
CTXY
PASS superSecretPassword
230 Login successful.
What about content of commands? Here is the output from the pcap:
PASV
227 Entering Passive Mode (192,168,1,2,238,178).
LIST
150 Here comes the directory listing.
MNt@
drwxr-xr-x 2 1000 1000 4096 Aug 28 20:27 Desktop
drwxr-xr-x 2 1000 1000 4096 Aug 28 20:27 Documents
drwxr-xr-x 2 1000 1000 4096 Aug 28 20:27 Downloads
drwxr-xr-x 2 1000 1000 4096 Aug 28 20:27 Music
-rw-rw-r-- 1 1000 1000 58677 Jun 12 2010 pic1.jpg
And if you wanted file content here is a get of the jpg.
200 Switching to Binary mode.
PASV
227 Entering Passive Mode (192,168,1,2,64,224).
RETR pic1.jpg
150 Opening BINARY mode data connection for pic1.jpg (58677 bytes).
JFIF
http://ns.adobe.com/xap/1.0/
<?xpacket begin="
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/"
x:xmptk="XMP Core 4.1.1"> <rdf:RDF
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
<rdf:Description rdf:about=""
So if someone could sniff packets on the client, server or network then you have a security issue. Mitigating the issue by moving the SFTP or similar is an easy and good idea.
How insecure… really… is FTP?
As insecure as any other application layer protocol that is not encrypted, for example HTTP.
But what exactly is the risk being posed?
The major risk is exposure (to eavesdroppers on the network) of all the data sent over FTP.
What about a user's credentials, password, etc.?
Yes, those are exposed too. They are sent using the application layer commands USER and PASS.