The original File Transfer Protocol or FTP is one of the most popular ways to transfer files, but also one of the least secure. It has been around longer than the World Wide Web, but it lacks features for dealing with today’s cybersecurity threats.

Sending sensitive information over FTP is quite risky since it transfers your credentials and files in plain text without any encryption.

However, there are two mainstream secure file transfer protocols, namely, SSH File Transfer Protocol (SFTP) and FTP over SSL (FTPS). Both SFTP and FTPS implement robust algorithms for encrypting data and files to offer a high level of protection.

They also support a wide variety of functionality with a full command set for transferring and working with files.

Depending on your needs, either option could work to secure your file transfers.

In this article, we will illustrate the distinguishing features of both SFTP and FTPS so that you can decide which protocol is right for you.

What is FTPS?

FTPS, an acronym for FTP over SSL, is the secured version of the file transfer protocol.

It adds support for the Transport Layer Security (TLS) / Secure Sockets Layer (SSL) cryptographic protocols on a standard FTP connection. It is also known as FTP Secure.

Like FTP, FTPS also works in a client-server model. It utilizes a command channel and a data channel for exchanging FTP commands and data during an FTPS client session.

The authentication of an FTPS connection happens using a user ID, password and public key certificate (X.509).

What is SFTP?

SFTP is an extension of the network protocol SSH (Secure Shell). SSH is best known for its use in providing secure access to shell accounts on remote servers. That’s why it is known as SSH File Transfer Protocol.

In short, SFTP is a network protocol that provides file transfer and manipulation functionality over any reliable data stream.

Unlike both FTP and FTPS, SFTP uses a single connection to transfer data between the client and the server.

SFTP encrypts both authentication information and data files.

It has been extended to provide not just file upload/download operations, but also some file-system activities, such as file locking and symbolic link creation.

What are the Pros and Cons of using SFTP and FTPS?

To have a better understanding of both SFTP and FTPS, we need to analyze the pros and cons of both of these transfer protocols.

Let’s first start with FTPS.

Pros of FTPS

  • FTPS is popular and widely used.
  • In FTPS, all communication between the client and the server is human-readable text.
  • FTPS provides services for server-to-server file transfer.
  • FTPS uses SSL/TLS which has proper authentication mechanisms, such as usage of X.509 certificate.

Cons of FTPS

  • FTPS has no consistent directory listing format.
  • It needs a secondary data channel, which makes it challenging to use behind firewalls.
  • FTPS does not define a standard for file name character sets (encodings) and also has no standard way to get and change file or directory attributes.
  • Not all FTP servers support SSL/TLS.

Pros of SFTP

  • SFTP has a detailed specification that strictly defines most, if not all, aspects of its operations.
  • SFTP uses a single connection. There is no need for any secondary data connection.
  • An SFTP connection is always secured.
  • SFTP is easier to pass through firewalls.
  • The directory listing is consistent and machine-readable.
  • The protocol includes operations for permission and attributes manipulation, file locking, and more functionality.

Cons of SFTP

  • The communication is binary and is not human-readable.
  • SSH keys are difficult to manage and validate.
  • The standards define a few things as optional or recommended, which leads to specific compatibility problems between different software titles from different vendors.
  • SFTP does not provide server-to-server copy and recursive directory removal operations.
  • There is no built-in SSH/SFTP support in VCL and .NET frameworks.

Are there any similarities between SFTP and FTPS?

SFTP and FTPS are both protocols used to connect to a server through an encrypted connection and transfer files.

Both can use public keys for authentication over an encrypted tunnel, and both rely on well-established encryption that makes the traffic difficult for an attacker to break into.

What are the differences between SFTP and FTPS?

While FTPS adds an additional layer to the legacy FTP protocol, SFTP essentially acts as an extension to the SSH protocol. The key distinguishing factors between SFTP and FTPS are the type of encryption they use and the authentication process.

Let’s discuss the differences in detail in the below points.

Data Exchange

SFTP does not use separate data and command channels. Transfers within SFTP take place over a single connection, using the protocol's own packet format.

FTPS, on the other hand, uses two separate channels, a command channel and a data channel, for the exchanges of the FTPS protocol.

The command channel manages the simple command exchanges between the server and the FTP client.

The data channel, in turn, is responsible for exchanging the data of file transfers and directory listings.
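As an added illustration of that single-connection design (example code, not from the original article): SFTP frames every request and reply as a length-prefixed packet carried inside one SSH channel. The Python below builds the SSH_FXP_INIT and SSH_FXP_VERSION packets from the SFTP draft specification (version 3) and splits a byte stream back into packets, keeping an incomplete trailing packet for the next read. The extension name used in the sample is the one OpenSSH advertises, but the byte stream itself is constructed here, not captured from a real server.

```python
import struct

# SFTP packet type codes from draft-ietf-secsh-filexfer (protocol version 3)
SSH_FXP_INIT = 1
SSH_FXP_VERSION = 2


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, off: int):
    """Decode an SSH 'string' at offset off; return (value, new_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated string length")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def encode_packet(ptype: int, payload: bytes) -> bytes:
    """Frame an SFTP packet: uint32 length (type byte + payload), byte type, payload."""
    return struct.pack(">IB", 1 + len(payload), ptype) + payload


def build_init(version: int = 3) -> bytes:
    """Client's first packet: SSH_FXP_INIT carrying the highest version it supports."""
    return encode_packet(SSH_FXP_INIT, struct.pack(">I", version))


def build_version(version: int = 3, extensions=None) -> bytes:
    """Server's reply: SSH_FXP_VERSION with the chosen version and name/data extension pairs."""
    payload = struct.pack(">I", version)
    for name, data in (extensions or {}).items():
        payload += ssh_string(name.encode()) + ssh_string(data.encode())
    return encode_packet(SSH_FXP_VERSION, payload)


def split_packets(stream: bytes):
    """Split a byte stream into complete (type, payload) packets.

    Returns (packets, remainder). A packet cut off by the read boundary is left
    in the remainder so the caller can prepend it to the next read.
    """
    packets, off = [], 0
    while off + 4 <= len(stream):
        (length,) = struct.unpack_from(">I", stream, off)
        if length < 1:
            raise ValueError("packet length must cover at least the type byte")
        if off + 4 + length > len(stream):
            break  # incomplete packet: wait for more data
        ptype = stream[off + 4]
        payload = stream[off + 5:off + 4 + length]
        packets.append((ptype, bytes(payload)))
        off += 4 + length
    return packets, stream[off:]


def parse_version(payload: bytes):
    """Decode an SSH_FXP_VERSION payload into (version, {extension_name: data})."""
    (version,) = struct.unpack_from(">I", payload, 0)
    off, exts = 4, {}
    while off < len(payload):
        name, off = read_string(payload, off)
        data, off = read_string(payload, off)
        exts[name.decode()] = data.decode()
    return version, exts


if __name__ == "__main__":
    # Constructed exchange: client INIT followed by a server VERSION advertising one extension.
    stream = build_init(3) + build_version(3, {"posix-rename@openssh.com": "1"})
    packets, rest = split_packets(stream)
    for ptype, payload in packets:
        print(ptype, parse_version(payload) if ptype == SSH_FXP_VERSION else payload.hex())
```

Every later SFTP operation (open, read, write, stat, rename) is framed the same way and multiplexed on this one channel, which is why a firewall only ever sees the single SSH connection.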

Security

In SFTP, data is encrypted with a cipher that the client and server agree on.

For further protection of SFTP sessions, you can deploy public and private keys, which give an alternative form of authentication known as public key authentication.

You can use it as a substitute for, or in conjunction with, the traditional username-and-password authentication.

In FTPS, you have two options to choose from regarding how you will secure your communications. Both utilize SSL encryption.

Implicit SSL

An FTPS session in which both the command and data channels are encrypted at all times is known as implicit SSL.

Implicit SSL encryption at the start of the session means that a secure FTPS connection is compulsory. In that case, a non-FTPS client cannot communicate with the FTPS server at all.

For secure connections, the FTPS server defines a specific port (990) for the client.

When a user wants to upload non-confidential files to the FTPS server, an explicit FTPS connection would be used rather than an implicit FTPS connection.

Explicit SSL

In explicit FTPS, the client directly asks for security from the FTPS server. It is a non-mandatory request.

If there is no request for security from the client, the FTPS server can either allow the client to continue in unsecured mode or dismiss or limit the connection.

In scenarios where only the command channel needs to be secured and not the data channel, you can use explicit FTPS.

Port 21 is the default port that the FTP server uses to communicate with the client.
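The difference between the two modes, as an added, runnable sketch (example code, not from the article): a small model of the server-side decision in FTPS. In explicit FTPS the client must upgrade the control channel with AUTH TLS and then pick the data channel protection level with PBSZ 0 followed by PROT P (private) or PROT C (clear), the command sequence RFC 4217 defines; in implicit FTPS on port 990 both channels are protected from the first byte. The reply texts and the Policy object are constructed for the example and modelled on what common servers say; the model keeps only the state needed to enforce the policy and does not perform a real TLS handshake.

```python
from dataclasses import dataclass


@dataclass
class Session:
    """Control-channel state the server needs for its TLS policy decision."""
    control_tls: bool = False   # True once the control channel is under TLS
    pbsz_done: bool = False     # PBSZ 0 must precede PROT (RFC 4217)
    prot: str = "C"             # PROT level: C = clear data channel, P = private
    logged_in: bool = False

    @classmethod
    def implicit(cls):
        # Implicit FTPS (port 990): TLS from the first byte on both channels.
        return cls(control_tls=True, pbsz_done=True, prot="P")


@dataclass
class Policy:
    """What the operator insists on; both flags True is the hardened setting."""
    require_tls_for_login: bool = True    # no credentials over a cleartext control channel
    require_prot_p_for_data: bool = True  # no file contents over a cleartext data channel


def handle(session: Session, policy: Policy, line: str) -> str:
    """Apply one client command to the session and return the (constructed) server reply."""
    verb, _, arg = line.strip().partition(" ")
    verb, mech = verb.upper(), arg.strip().upper()

    if verb == "AUTH":
        if session.control_tls:
            return "534 Control channel is already protected"
        if mech in ("TLS", "TLS-C", "TLS-P", "SSL"):
            session.control_tls = True  # the TLS handshake would follow this reply
            return "234 AUTH command OK; starting TLS"
        return "504 Unknown security mechanism"

    if verb == "PBSZ":
        if not session.control_tls:
            return "503 Issue AUTH TLS first"
        session.pbsz_done = True
        return "200 PBSZ=0"

    if verb == "PROT":
        if not session.pbsz_done:
            return "503 PBSZ must precede PROT"
        if mech not in ("C", "P"):
            return "536 Requested PROT level not supported"
        session.prot = mech
        return "200 PROT now " + ("Private" if mech == "P" else "Clear")

    if verb in ("USER", "PASS"):
        if policy.require_tls_for_login and not session.control_tls:
            return "530 Non-anonymous sessions must use encryption"
        if verb == "PASS":
            session.logged_in = True
        return "331 Please specify the password" if verb == "USER" else "230 Login successful"

    if verb in ("RETR", "STOR", "LIST", "NLST"):
        if not session.logged_in:
            return "530 Please login with USER and PASS"
        if policy.require_prot_p_for_data and session.prot != "P":
            return "522 Data connections must be encrypted"
        return "150 Opening data connection"

    return "502 Command not implemented"


def run(session: Session, policy: Policy, commands):
    """Drive a whole (constructed) command sequence and return the reply codes in order."""
    return [int(handle(session, policy, c)[:3]) for c in commands]


if __name__ == "__main__":
    hardened = Policy()
    print(run(Session(), hardened,
              ["USER alice", "AUTH TLS", "PBSZ 0", "PROT P", "USER alice", "PASS x", "RETR f"]))
    print(run(Session(), hardened,
              ["AUTH TLS", "PBSZ 0", "PROT C", "USER alice", "PASS x", "RETR f"]))
    print(run(Session.implicit(), hardened, ["USER alice", "PASS x", "LIST"]))
```

The second sequence is the "command channel secured, data channel not" case: the login is protected, but under the hardened policy the transfer is refused until the client issues PROT P. Relaxing both policy flags reproduces the permissive server behaviour of letting an unsecured client continue.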

Firewall

FTPS uses a control channel to transfer commands and a new data connection for each file transfer. While the control channel is easy to connect, it is common to experience firewall-related issues when connecting data channels.

This is especially true of FTPS, because the FTP-specific inspection features of most firewalls are ineffective once the control channel is encrypted. FTPS also uses multiple port numbers.

The initial port (port 21) is used for authentication and for passing commands. However, whenever a file transfer or directory listing is requested, another port must be opened.

Since SFTP depends on a single network connection, it does not suffer from these issues.

SFTP is very firewall friendly, requiring a single port number (port 22) for both inbound and outbound connections.

This single port will help in all SFTP communications, including the initial authentication, any commands issued, and any data transferred.
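An added example (not from the article) of the firewall problem described above: in FTPS the data port is negotiated over the now-encrypted control channel, so a firewall cannot read the PASV or EPSV reply and open the port on demand. The operator therefore has to restrict the server's passive port range and open that range statically. The Python below parses both reply formats and checks each advertised endpoint against a constructed passive range, flagging the ports and addresses that a firewall with only that range opened would block; the SFTP case, by contrast, needs nothing beyond port 22. The sample replies are constructed, not captured from a real server.

```python
import re

# RFC 959 PASV reply: 227 ... (h1,h2,h3,h4,p1,p2); data port = p1*256 + p2
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# RFC 2428 EPSV reply: 229 ... (|||port|); the address is that of the control connection
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d{1,5})\|\)")


def parse_passive_reply(reply: str, control_host: str):
    """Return (host, port) of the data endpoint the server advertised, or raise ValueError."""
    m = PASV_RE.match(reply)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
        if max(h1, h2, h3, h4, p1, p2) > 255:
            raise ValueError("PASV field out of range")
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = EPSV_RE.match(reply)
    if m:
        port = int(m.group(1))
        if not 1 <= port <= 65535:
            raise ValueError("EPSV port out of range")
        return control_host, port
    raise ValueError("not a passive-mode reply")


def audit_passive_replies(replies, control_host: str, passive_range):
    """Classify each advertised data endpoint against the statically opened port range.

    passive_range is (low, high) inclusive. Returns a list of (host, port, verdict) where
    verdict is "ok", "port-outside-range" or "host-mismatch" (the server advertised an
    address other than the one the client reached, e.g. a private address behind NAT).
    """
    low, high = passive_range
    results = []
    for reply in replies:
        host, port = parse_passive_reply(reply, control_host)
        if host != control_host:
            verdict = "host-mismatch"
        elif not low <= port <= high:
            verdict = "port-outside-range"
        else:
            verdict = "ok"
        results.append((host, port, verdict))
    return results


def required_open_ports(protocol: str, passive_range=None):
    """Inbound ports a firewall must open: the control port plus, for FTPS, the passive range."""
    if protocol == "sftp":
        return {22}
    control = {"ftps-explicit": 21, "ftps-implicit": 990}[protocol]
    low, high = passive_range
    return {control} | set(range(low, high + 1))


if __name__ == "__main__":
    # Constructed replies as an FTPS server might send them on its control channel.
    sample = [
        "227 Entering Passive Mode (203,0,113,5,195,149).",
        "229 Entering Extended Passive Mode (|||50001|).",
        "227 Entering Passive Mode (203,0,113,5,4,1).",
        "227 Entering Passive Mode (10,0,0,5,195,150).",
    ]
    for row in audit_passive_replies(sample, "203.0.113.5", (50000, 50100)):
        print(row)
    print(sorted(required_open_ports("sftp")),
          len(required_open_ports("ftps-explicit", (50000, 50100))))
```

Running the audit over a server's own reply log is a cheap way to catch the two classic misconfigurations before a partner reports "login works but transfers hang": a passive range wider than what the firewall opens, and a NAT setup where the server advertises its internal address.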

Authentication Process

Both FTPS and SFTP combine an asymmetric algorithm (RSA, DSA), a symmetric algorithm (DES/3DES, AES, etc.) and a key-exchange algorithm.

For authentication, FTPS uses X.509 certificates, while SFTP offers two authentication mechanisms.

  • For the standard authentication of SFTP connections, you or your trading partner may require a user ID and password, sent over the encrypted connection, to connect to the SFTP server.
  • You can also use SSH keys to authenticate SFTP connections in addition to, or instead of, passwords.

This involves first generating an SSH key pair: a private key and a public key.

You then send your SSH public key to your trading partner, who loads it onto their server and associates it with your account.

When they connect to your SFTP server, their client software sends your public key to the server for authentication.

If this public key matches your private key, and any user ID or password entered is also correct, the authentication succeeds.
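A worked illustration of the server-side key check (added example, not the article's code): the public key the partner's client presents is looked up among the keys loaded for the account, and the SHA256 fingerprint that ssh-keygen -lf prints is computed so both parties can confirm out of band that the right key was loaded, which addresses the "difficult to validate" point from the cons list. Only the standard library is used; the key blobs are constructed (an ssh-ed25519 wire blob with made-up 32-byte key material), not real keys, and the signature verification that a real SSH server performs after the lookup is outside the example.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_public_key_blob(key_type: str, key_bytes: bytes) -> bytes:
    """Build a wire-format public key blob: type string followed by the raw key.

    Used here only to construct sample data; real blobs come from ssh-keygen.
    """
    return ssh_string(key_type.encode()) + ssh_string(key_bytes)


def authorized_keys_line(key_type: str, blob: bytes, comment: str = "") -> str:
    """Render one authorized_keys line: '<type> <base64 blob> [comment]'."""
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}".rstrip()


def blob_key_type(blob: bytes) -> str:
    """Read the key type string that every SSH public key blob starts with."""
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack_from(">I", blob, 0)
    if 4 + n > len(blob):
        raise ValueError("truncated key type")
    return blob[4:4 + n].decode()


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form ssh-keygen -lf prints: base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Parse authorized_keys text into (entries, rejected).

    entries are (key_type, blob, comment); rejected are (line_number, reason) for lines
    that are malformed or whose declared type disagrees with the type inside the blob.
    Blank lines and '#' comments are skipped.
    """
    entries, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:
            rejected.append((lineno, "expected '<type> <base64> [comment]'"))
            continue
        key_type, b64 = parts[0], parts[1]
        comment = parts[2] if len(parts) == 3 else ""
        try:
            blob = base64.b64decode(b64, validate=True)
            blob_type = blob_key_type(blob)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            rejected.append((lineno, f"undecodable key: {exc}"))
            continue
        if blob_type != key_type:
            rejected.append((lineno, f"declared {key_type} but blob is {blob_type}"))
            continue
        entries.append((key_type, blob, comment))
    return entries, rejected


def find_authorized(entries, presented_blob: bytes):
    """Return the matching entry for the key a client presented, or None.

    A match only says the key is on the list; the server still has to verify the
    client's signature with it before treating the user as authenticated.
    """
    for entry in entries:
        if entry[1] == presented_blob:
            return entry
    return None


if __name__ == "__main__":
    # Constructed sample keys (not real key material).
    alice = make_public_key_blob("ssh-ed25519", bytes(range(32)))
    text = "# partner keys\n" + authorized_keys_line("ssh-ed25519", alice, "alice@partner.example") + "\n"
    entries, rejected = parse_authorized_keys(text)
    print(fingerprint(alice), find_authorized(entries, alice) is not None, rejected)
```

The fingerprint is the value to compare over a second channel (phone, signed e-mail) when a partner sends a key: two parties reading the same SHA256 string are holding the same blob, whatever the comment field claims.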

An FTPS connection is authenticated using a user ID, password, and certificate.

X.509 certificates contain the public key and some details about the certificate owner. This detail lets the other side validate the integrity of the certificate itself and the authenticity of the certificate owner.

An X.509 certificate has an associated private key, which is usually stored separately from the certificate for security reasons.

SFTP or FTPS – Which one should you choose?

So, now the question arises, which secure file transfer method should you use? Well, the answer solely depends on you as each user has unique goals and requirements when it comes to selecting the most appropriate transfer protocol.

You can use FTPS if a server requires accessibility from portable devices, such as tablets and smartphones, or from some specific operating systems that have FTP support but no SSH / SFTP clients.

SFTP, on the other hand, is the way to go if you are building a custom security solution.

On the client side, the server you connect to defines the requirements for establishing a connection.

When connecting to internet-facing servers, SFTP is the more favored choice, as Linux and UNIX servers support it by default.

In the case of private host-to-host transfer, you can use either SFTP or FTPS. However, for FTPS you have to find free FTPS client and server software or purchase a license for commercial use.

If you opt for SFTP, installing the OpenSSH package gives you free client and server software.

Many web developers prefer SFTP over FTPS as it is easier to use in conjunction with firewalls and in general, is technologically superior.

However, there is no crucial difference in the level of security offered by FTPS and SFTP. Overall, both protocols provide a high level of protection and are much more secure than the original FTP.

Furthermore, based on your requirements it may even be quite beneficial to support both protocols to improve compatibility.

Conclusion

There are two commonly used protocols, FTPS and SFTP for the secure transfer of files. Although the naming of both of these protocols is quite similar, apart from the placement of the “S,” they do have some notable differences.

SFTP is an extension to the SSH protocol, whereas FTPS adds a layer around the legacy FTP protocol.

The objective of both protocols is to offer a high level of security, but they differ primarily in authentication and in how connections are implemented.

Both SFTP and FTPS have different encryption mechanisms, but when properly implemented, they can both sufficiently protect the authentication, commands, and data transferred.

You should start avoiding the traditional FTP protocol and choose any of these secure file transfer options. Based on exploring the differences between SFTP and FTPS and understanding your requirements as a user, you will be able to select the right transfer protocol.