Learn more about how FTP, FTPS, and SFTP work, their pros and cons, and when you should use them.

FTP, FTPS, SFTP – so many acronyms and letters, so little time to decipher what they all mean.

Why should I use SFTP over FTP? Is FTPS secure enough for my data? What’s the difference between FTPS and SFTP?

We get these questions often, so it’s time to lay it all out in a blog post.

For each file transfer option, we’ll review:

  1. How each technology works
  2. Their pros and cons
  3. When you should use each

Let’s go!


FTP (File Transfer Protocol)

How FTP works

FTP, which stands for File Transfer Protocol, was developed in the 1970s to allow files to be transferred between a client and a server on a computer network.

The FTP protocol uses two separate channels – the command (or control) channel and the data channel – to exchange files.

The command channel is responsible for accepting client connections and executing other simple commands. It typically uses server port 21. FTP clients will connect to this port to initiate a conversation for file transfer and authenticate themselves by sending a username and password. The command channel remains open until the client disconnects, or the server ends the connection due to inactivity or other reasons.

After authentication, the client and server will then negotiate a new common server port for the data channel, over which the file will be transferred. Once the file transfer is complete, the data channel is closed. If multiple files are to be sent concurrently, a range of data channel ports must be used.

The control channel remains idle until the file transfer is complete. It then reports that the file transfer was either successful or failed.

Pros of FTP

FTP has been around forever, so most are familiar with the protocol. And there are many desktop tools, such as FileZilla, Cyberduck, WinSCP, and more, that make using FTP very easy.

[Image: FileZilla interface]

FTP allows you to transfer multiple files at a time, resume file transfers if the connection is lost, add items to an upload and download queue, and schedule transfers.

You can also create scripts to automate file transfers.

And most FTP clients provide the ability to synchronize files so all your files will be up to date regardless of their location.

Cons of FTP

The biggest drawback of FTP is security.

Usernames, passwords, and files are all sent in plain text, so anyone able to intercept the traffic can read your credentials and your data.

Additionally, FTP typically requires a block of ports to remain open for the data channel to be created. But for security reasons, businesses are limiting the number of server ports that are publicly accessible, which makes FTP tougher to use for these organizations.

And servers can be tricked into sending data to arbitrary ports on a different computer than the one that opened the connection.

All of these security concerns may make FTP a non-starter for many businesses.
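To make the two-channel mechanism from "How FTP works" and the two port-related concerns above concrete, here is an added Go example (not code from the article): it parses the server's passive-mode reply to find the data-channel port and then applies the two checks a cautious client makes before connecting, that the advertised host is the same machine the control channel is talking to and that the port falls inside the range the firewall has been opened for. The reply strings, the control peer address and the port range are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// pasvRe matches "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; the data port is p1*256 + p2.
var pasvRe = regexp.MustCompile(`\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)`)

// ParsePassiveReply extracts the host and port the server advertises for the data channel.
func ParsePassiveReply(reply string) (string, int, error) {
	m := pasvRe.FindStringSubmatch(reply)
	if m == nil {
		return "", 0, fmt.Errorf("not a PASV reply: %q", reply)
	}
	n := make([]int, 6)
	for i := range n {
		n[i], _ = strconv.Atoi(m[i+1])
		if n[i] > 255 {
			return "", 0, fmt.Errorf("value out of range in %q", reply)
		}
	}
	return fmt.Sprintf("%d.%d.%d.%d", n[0], n[1], n[2], n[3]), n[4]*256 + n[5], nil
}

// AllowDataChannel applies two client-side checks before the data connection is opened:
// the advertised host must be the control-channel peer (ctrlHost), and the port must sit
// inside the range (lo..hi) the firewall has been opened for.
func AllowDataChannel(reply, ctrlHost string, lo, hi int) (bool, string) {
	host, port, err := ParsePassiveReply(reply)
	switch {
	case err != nil:
		return false, err.Error()
	case host != ctrlHost:
		return false, fmt.Sprintf("server advertised %s but control peer is %s", host, ctrlHost)
	case port < lo || port > hi:
		return false, fmt.Sprintf("port %d outside permitted range %d-%d", port, lo, hi)
	}
	return true, fmt.Sprintf("data channel to %s:%d", host, port)
}

func main() {
	// Constructed replies: one honest, one steering the client toward a different machine.
	fmt.Println(AllowDataChannel("227 Entering Passive Mode (192,168,1,10,195,80)", "192.168.1.10", 50000, 50100))
	fmt.Println(AllowDataChannel("227 Entering Passive Mode (10,0,0,99,195,80)", "192.168.1.10", 50000, 50100))
}
```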

When you should use FTP

If you need to quickly and easily transfer files that don’t require security measures, FTP may be a good option.

But if you’re concerned at all with security, which most businesses are, you should avoid using FTP for most situations.

FTPS (File Transfer Protocol Secure)

How FTPS works

FTPS uses the same data exchange protocol as FTP but adds support for Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL, which is the “S” in FTPS), for increased security. (Note: even though SSL has been deprecated, it is still a very commonly used term, so we’ll continue to refer to it in this post.)

FTPS allows for encryption of both the command and data channels, and authenticates your connection using a user ID and password combination, a certificate, or both.

When connecting to a partner company’s FTPS server, your FTPS client will check if the server’s certificate is trusted. The certificate is considered trusted if it was 1) signed by a known third-party certificate authority or 2) if it was signed by your partner and you have a copy of their public certificate. Your partner may also require that you supply a certificate when you connect to them. If your certificate isn’t signed by a third-party CA, your partner may allow you to self-sign your certificate, sending them the public portion beforehand to load into their trusted key store.

There are two methods where FTPS can be invoked.

First is Implicit FTPS, which runs on port 990. If a client connects via port 990, the server assumes that SSL will be invoked and automatically looks for authentication credentials. If these are not provided, the connection is shut down.

The other method is Explicit FTPS, which runs on port 21. Explicit FTPS requires that the client explicitly state that they intend to use SSL. Once the server receives this command, it will then look for authentication credentials. Explicit FTPS provides more flexibility and allows the client to achieve increased security when necessary or more speed when security is less of an issue.
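Because explicit FTPS leaves it to the client to ask for TLS, a session can silently fall back to plain FTP. The following added Go example (not from the article) audits a control-channel transcript for exactly that: it flags USER/PASS sent before the AUTH command was accepted and transfers started before PROT P put the data channel under encryption. The transcript format ("C: " for client lines, "S: " for server replies) and the sample session are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// dataCmds are the commands that open a data channel and so need PROT P to be in force.
var dataCmds = map[string]bool{"RETR": true, "STOR": true, "LIST": true, "NLST": true}
// AuditExplicitFTPS walks a control-channel transcript ("C: " client lines, "S: " server
// replies) and reports USER/PASS sent before TLS is negotiated and transfers started before
// PROT P (preceded by PBSZ 0, per RFC 4217) has switched the data channel to encrypted mode.
func AuditExplicitFTPS(transcript []string) []string {
	var findings []string
	tlsUp, protP, pending := false, false, "" // pending: last client command awaiting a reply
	for i, line := range transcript {
		f := strings.Fields(line)
		if len(f) < 2 {
			continue
		}
		if f[0] == "C:" {
			pending = strings.ToUpper(strings.Join(f[1:], " "))
			cmd := strings.ToUpper(f[1])
			if (cmd == "USER" || cmd == "PASS") && !tlsUp {
				findings = append(findings, fmt.Sprintf("line %d: %s sent in cleartext before TLS", i+1, cmd))
			} else if dataCmds[cmd] && !protP {
				findings = append(findings, fmt.Sprintf("line %d: %s over an unencrypted data channel", i+1, cmd))
			}
		} else if f[0] == "S:" && strings.HasPrefix(f[1], "2") { // only a 2xx reply confirms the command
			if strings.HasPrefix(pending, "AUTH ") {
				tlsUp = true // 234: the TLS handshake now proceeds on the control channel
			} else if pending == "PROT P" {
				protP = true
			} else if pending == "PROT C" {
				protP = false // server agreed to drop data-channel protection again
			}
			pending = ""
		}
	}
	return findings
}

func main() {
	weak := []string{"C: USER alice", "S: 331 Password required", "C: PASS s3cret",
		"S: 230 Logged in", "C: RETR report.csv", "S: 150 Opening data connection"}
	for _, finding := range AuditExplicitFTPS(weak) {
		fmt.Println(finding)
	}
}
```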

Pros of FTPS

FTPS provides many of the pros that FTP has, with increased security.

Also, SSL is a widely used authentication mechanism that many are familiar with and is built into many internet communication frameworks.

Cons of FTPS

Like FTP, FTPS requires a block of ports to remain open for the data channel to be created, which makes it difficult to use behind company firewalls.

And not all FTP servers support SSL, which makes the increased security aspect moot.

When you should use FTPS

You should use FTPS when you have a server that supports FTP (but not SSH/SFTP) and need more security. FTPS may also be helpful when transferring files from mobile devices such as phones and tablets to an FTP server.

But if you have the capability to use SFTP, you should choose that option.

Let’s go over SFTP now.

SFTP (SSH File Transfer Protocol)

How SFTP works

SFTP, also known as SSH File Transfer Protocol or Secure File Transfer Protocol, was developed in the 1990s and allows for the secure transfer of files. While it sounds similar in name to FTP and FTPS, it actually uses a completely different protocol, called the Secure Shell (SSH) protocol, to move files.

While you can use usernames and passwords to authenticate, SSH also provides public key authentication, which uses computer-generated, cryptographically secure keys that act as a replacement for a user’s password. Because the keys are generated by a computer, they can be much longer than a regular password, making them practically impossible for an attacker to guess by brute force. (Our file transfer products, SFTP Gateway for AWS and SFTP Gateway for Azure, default to public key authentication but allow for usernames and passwords as well.)

Here’s how SSH key authentication works:

  1. The computer generates a public-private key pair.
  2. You then link your public key to your account on the SFTP server.
  3. When you connect to that server, your client will produce a signature with your private key that the server can confirm with the already-stored public key.
  4. If the public and private keys match up, the connection is authenticated.
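The four steps above, worked through as an added Go example that is not code from the article or from SFTP Gateway. It uses Go's standard-library Ed25519 in place of the real SSH key exchange, and the per-connection session identifier the client signs is a constructed stand-in for SSH's session id; the account name "alice" is likewise made up.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Server holds the public keys linked to accounts (step 2) plus a per-connection session
// identifier the client must sign, so a signature captured from one session cannot be replayed.
type Server struct {
	authorized map[string]ed25519.PublicKey
	sessionID  []byte
}

// NewServer opens a session with a fresh random session identifier.
func NewServer() *Server {
	id := make([]byte, 32)
	if _, err := rand.Read(id); err != nil {
		panic(err)
	}
	return &Server{authorized: map[string]ed25519.PublicKey{}, sessionID: id}
}

// Authorize links a public key to an account; the private key never reaches the server.
func (s *Server) Authorize(user string, pub ed25519.PublicKey) { s.authorized[user] = pub }

// authMessage is what both sides agree the client signs: session id followed by user name.
func authMessage(sessionID []byte, user string) []byte {
	return append(append([]byte{}, sessionID...), user...)
}

// ClientSign is step 3: the client proves possession of the private key with a signature.
func ClientSign(priv ed25519.PrivateKey, sessionID []byte, user string) []byte {
	return ed25519.Sign(priv, authMessage(sessionID, user))
}

// Authenticate is step 4: the server checks the signature against the stored public key only.
// Unknown user and bad signature return the same error so the server does not reveal which.
func (s *Server) Authenticate(user string, sig []byte) error {
	pub, ok := s.authorized[user]
	if !ok || !ed25519.Verify(pub, authMessage(s.sessionID, user), sig) {
		return errors.New("authentication failed for " + user)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // step 1: key pair generated on the client
	srv := NewServer()
	srv.Authorize("alice", pub)
	fmt.Println("right key:", srv.Authenticate("alice", ClientSign(priv, srv.sessionID, "alice")))
	_, other, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("wrong key:", srv.Authenticate("alice", ClientSign(other, srv.sessionID, "alice")))
}
```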

To read more about the comparison between SSH and password authentication, read our article titled Passwords vs. SSH keys – what’s better for authentication?

[Image: How SFTP works – image courtesy of WPEngine]

Additional differences between SFTP and FTP/FTPS include:

  1. SFTP uses only one connection to transfer data, as opposed to two for FTP/FTPS, and encrypts both authentication credentials and data being transferred on this single channel.
  2. SFTP sends packets of data instead of data in plain text.
  3. There is no non-secure version of SFTP.
  4. Most SFTP server software provides a more detailed set of metadata of transferred files such as date, time, size, and other characteristics.

Pros of SFTP

The biggest benefit of SFTP is its security.

Like FTP/FTPS, you can use usernames and passwords to authenticate. However, with SFTP, these credentials are encrypted, making it more secure.

And as mentioned above, you can use public key authentication for increased security.

Or you can combine public key authentication with usernames and passwords, making SFTP even more secure.

Additionally, because SFTP uses only one server connection to transfer data, no other server ports need to be open for it to work, which increases security and firewall-friendliness.

SFTP is also faster over the long term: because it sends packets instead of text, less data is transferred.

And you can obtain much more metadata about the files being transferred, such as date, time, and size. This is helpful for logging and analysis purposes.

Cons of SFTP

The biggest drawback is the difficulty in managing SSH keys.

The private key must be stored on the device you transfer files from, and that device needs to be protected against theft or loss.

SSH keys take a bit more work for administrators to set up for employees.

And while everyone knows how usernames and passwords work, not everyone is aware of how SSH keys work. So there needs to be a bit of education.

When you should use SFTP

The primary reason you should use SFTP is when you have to transfer or receive sensitive data.

Data breaches are becoming more common, and even the largest companies are getting hacked. Breaches can cost your company millions of dollars, so it makes sense to use the highest level of security when transferring files. And SFTP provides that.

You may also have to comply with regulations such as the Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), and others that aim to protect consumer data. These compliance regulations provide guidelines on how you need to manage the sensitive data your business works with. SFTP helps you comply with these regulations.

Finally, because SFTP is the most secure method of file transfer, you can use it as the default protocol to ensure employee compliance with your company’s security requirements. If usernames and passwords are used for file transfer authentication, many employees may create easy-to-guess passwords like “password” or “123456”. No good. SFTP allows you to create a blanket security policy that is less susceptible to negligence.

Conclusion

Hopefully this article clears up the fog around FTP, FTPS, and SFTP.

For the most part, the difference between these file transfer methods boils down to security.

If you’re concerned at all with the security of your data, SFTP is the way to go, as it’s the most secure and compliant method of file transfer. If not, FTP and FTPS may be viable options.

What file transfer technology do you use? Did we miss any important differences in these protocols? Please write your comment below; we’d love to hear from you.
