HyperText Transfer Protocol (HTTP) is a protocol commonly used to transfer hypertext documents between a Web server and a Web browser. HTTP also provides the ability to transfer files using GET and PUT commands. By default, HTTP performs no user authentication, nor does it do any sort of data encryption. Only files classified as Public or University Internal should be transferred using HTTP. Under no circumstances should passwords or passphrases be validated through an HTTP Webpage.
Encryption in transit can be added to HTTP using Transport Layer Security (TLS), rendering it safe for some applications. This combination of protocols is often called HTTPS and is supported by most web servers, either natively or through an external program such as stunnel. HTTPS typically authenticates only the server end, so the server must often explicitly authenticate the client or use an authentication service such as CAS.
File Transfer Protocol (FTP), though efficient for transferring files, lacks any significant security features. The username, password, and data are sent across the network unencrypted. In addition, there are no built-in safeguards to ensure the computer on the other end of the FTP connection (machine B in this example) is what it claims to be. These safeguards can be added with tools such as SSH or stunnel, but without them, FTP should only be used for data classified as Public or University Internal.
Email uses the Simple Mail Transfer Protocol (SMTP) for transmitting email messages and attachments across the Internet. While protocols such as FTP normally only transfer data between two computers, SMTP often sends data through several machines before it ends up in the recipient's email inbox. SMTP often performs no user authentication or data encryption. The Cisco Registered Envelope Service (CRES) compensates for some of the safeguards that SMTP typically lacks. Except where CRES is used, only data classified as Public or University Internal should be transferred using SMTP.