Because TFTP sends data in cleartext (unencrypted) and typically requires no password, anyone with access to the network can download files if they know the filename. In a worst-case scenario, if a server allows writing, an attacker could overwrite boot files with malicious code.
It operates on , unlike FTP which uses TCP ports 20 and 21. This choice of User Datagram Protocol (UDP) is a double-edged sword: it makes the protocol extremely lightweight with low overhead, but it also means the protocol itself must handle packet loss and order, as UDP does not guarantee delivery. TFTP Server
Client (Port: random) Server (Port: 69) | | |------- RRQ (Filename, octet) --->| | | |<------- Data Block #1 (512B) ----| |------- ACK #1 ---------------->| |<------- Data Block #2 (512B) ----| |------- ACK #2 ---------------->| |<------- Data Block #0 (last) ---| (<512B indicates EOF) |------- ACK #N ---------------->| Because TFTP sends data in cleartext (unencrypted) and
Several Internet-Drafts and RFCs have extended TFTP functionality to support modern network needs: draft-raj-dhc-tftp-addr-option-00 - IETF Datatracker This choice of User Datagram Protocol (UDP) is
Protocol: TFTP uses UDP (connectionless); FTP uses TCP (connection-oriented).Ports: TFTP uses port 69; FTP typically uses ports 20 and 21.Security: TFTP has no encryption or login; FTP (and SFTP/FTPS) supports robust security.Overhead: TFTP is extremely "light" and fast for small files; FTP is better for large, reliable transfers over unstable networks. Security Risks and Best Practices