HTTPS or SFTP - which is best?

We were recently asked by a CompleteFTP user which was the best protocol to use for file transfers - HTTPS or SFTP. In particular, the user was interested in large transfers and security.

SFTP and HTTPS are quite different protocols. SFTP is a protocol for file transfer over SSH (secure shell), and is very similar in functionality to FTP - it is designed for secure file transfer. If you're also considering FTPS, please refer to FTPS vs SFTP.


HTTPS is a secure version of HTTP (using SSL), and inherits the limitations (and the advantages) of HTTP.

The limitations of HTTPS are significant. HTTP is primarily used for downloads, and so if uploads are required, you need to ensure that HTTPS is sufficiently capable. Uploads via an HTML form are generally limited in size because browsers time out. The official HTTP method for uploading is HTTP PUT, which is supported by few (if any) browsers. Instead, more specialized tools such as curl or wget must be used. CompleteFTP supports PUT.

HTTP and HTTPS are also stateless protocols. They may require new connections for each transfer, and so they may not be suitable if a large number of files need to be transferred.

HTTPS does have one advantage over SFTP - anyone with a browser can use it to download files securely. SFTP requires the use of an SFTP client - while these are widely (and freely) available, they require installation and a degree of familiarity that is not necessary when sending someone an HTTPS link.


Security is also a consideration, but there is little to distinguish HTTPS and SFTP here. Although the security models are very different - SSL/TLS for HTTPS, and SSH for SFTP - they are both very secure protocols. HTTPS has a slight advantage in that it relies on a widely used trust model for validating the domain name of servers that are being connected to. Certificate authorities issue SSL/TLS certificates and validate that they are issued to the owners of the domain name, and so users can have some degree of confidence that they are connecting to the correct website. SFTP uses keys that are not issued by a certificate authority - the server's public key must be issued directly to users by the server administrator.

There is also little difference in speed. HTTPS may have a small advantage over SFTP, but this will depend on client implementations. Both are fast in CompleteFTP.


So what protocol should be chosen - HTTPS or SFTP? If your scenario is lots of naive users who need to download only, HTTPS is probably best. But if more sophisticated file transfer is required, use SFTP. For larger file transfers (especially uploads) we recommend SFTP.

It should be noted that both SFTP and HTTPS are both supported in CompleteFTP, so it is straightforward to use both protocols simultaneously. Users who only require download can use HTTPS, while users with more advanced requirements can use SFTP.

Refer to How to secure your SFTP server for more information.

Posted by John Faulds in