Approximately 6 million internet-accessible systems are using FTP today, and almost half of them do not use encryption, a fresh Censys report shows.
In use for more than half a century, FTP uses a client-server model architecture to facilitate the transfer of files and folders between computers.
Unlike modern protocols, however, FTP transmits data unencrypted and has been deemed insecure for years. Its continued use exposes enterprises and end users alike to avoidable risks.
The number of hosts running an internet-facing FTP service has dropped by 40% since 2024 (from 10.1 million to 5.94 million), but the protocol still accounts for 2.72% of all internet-visible systems, Censys says.
Also alarming is the fact that 2.45 million of the observed FTP services show no evidence of encryption. With no observed TLS handshake, these servers either lack support for encryption, were not upgraded, or did not complete a handshake during Censys’ scanning.
“This is not a guarantee that all 2.45 million transmit files and credentials in cleartext, but it is the population with no observed evidence of encryption,” the internet intelligence provider notes.
Most of the FTP-visible hosts are in the US (1.2 million). China (866,000), Germany (467,000), Hong Kong (415,000), Japan (366,000), and France (343,000) also house significant numbers of such systems.
Some of the largest hosting and broadband providers worldwide account for the most FTP hosts, including China Unicom’s CHINA169 (405,000), Alibaba (227,000), OVH (177,000), Hetzner (138,000), KDDI Web Communications (127,000), and GoDaddy (126,000).
Censys’ analysis of the FTP hosts revealed that Pure-FTPd is the most commonly running server, accounting for roughly 1.99 million services. It is followed by ProFTPD with 812,000 services and vsftpd (the standard FTP daemon in most Linux distributions) with 379,000 services.
Microsoft’s legacy web and FTP server platform, IIS (Internet Information Services), accounts for 259,000 services. All Windows Server instances with the FTP role enabled would run IIS FTP by default, and more than 150,000 of these services have never had encryption set up, Censys says.
In fact, of the 2.45 million FTP hosts that lack encryption, 994,000 services do not implement AUTH TLS on the scanned port, 813,000 ask for a password before establishing an encrypted channel, and more than 170,000 do not have explicit TLS support.
“The geography, ASN distribution, and server technology mix in this dataset all point toward the conclusion that most Internet-facing FTP configurations are a byproduct of commodity hosting and broadband defaults,” Censys notes.
Organizations are encouraged to either completely remove FTP from their environments or transition to more secure alternatives, such as SFTP (SSH File Transfer Protocol) and FTPS, which offer encrypted file transfer capabilities and have broad client compatibility.
“For most use cases, FTP can be replaced without significant disruption. If FTP must remain, enabling Explicit TLS is a configuration change, not a protocol upgrade, and both Pure-FTPd and vsftpd support it natively,” Censys notes.
Related: Millions of Internet Hosts Vulnerable to Attacks Due to Tunneling Protocol Flaws
Related: BlastRADIUS Attack Exposes Critical Flaw in 30-Year-Old RADIUS Protocol
Related: Thousands of Websites Hijacked Using Compromised FTP Credentials
Related: Up to 25% of Internet-Exposed ICS Are Honeypots: Researchers
