FTPS vs SFTP

In this article we outline the FTP, FTPS and SFTP protocols and compare FTPS with SFTP.

The File Transfer Protocol (FTP) has been used widely around the world for transferring files across networks, especially the Internet. Almost every organization with an IT infrastructure has used FTP to a greater or lesser extent.

But there is a critical security issue: FTP transfers passwords, commands and file contents in plain text. Anyone who can capture the packets in transit, on the local network or at any hop between client and server, can read what is being sent, and when the Internet is involved none of those hops are under your control. This means FTP is no longer appropriate for corporate needs. Security is essential.

If file transfers are to be secure, there are basically two alternatives: FTPS and SFTP.

FTPS

FTPS, defined in RFC 4217, is the standard FTP protocol run over a TLS-secured connection. It is often described as FTP over SSL (or FTP over TLS): SSL is the Secure Sockets Layer and TLS, Transport Layer Security, is its successor. Every version of SSL is now deprecated, so a modern FTPS deployment should negotiate TLS only.
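What "FTP over TLS" means in practice is the explicit upgrade RFC 4217 describes: the client opens an ordinary FTP control connection, sends AUTH TLS, performs the TLS handshake after the 234 reply, and only then sends PBSZ 0, PROT P and its credentials. The following is an added example, not code from the original article or from CompleteFTP. The server side is a constructed stand-in that answers with the RFC 959 / RFC 4217 reply codes rather than a real network server, and the user name and password are made up:

```python
class SimulatedFtpsServer:
    """Constructed stand-in for an FTP server's control channel (not a real
    server): answers with the reply codes RFC 959 and RFC 4217 define."""

    def __init__(self, supports_tls=True):
        self.supports_tls = supports_tls
        self.tls_active = False
        self.data_protection = "C"   # RFC 4217 default: data connections in the Clear

    def handle(self, command):
        verb, _, arg = command.partition(" ")
        if verb == "AUTH":
            if self.supports_tls and arg == "TLS":
                self.tls_active = True          # the TLS handshake follows this reply
                return "234 AUTH TLS successful"
            return "502 Command not implemented"
        if verb == "PBSZ" and self.tls_active:
            return "200 PBSZ=0"
        if verb == "PROT" and self.tls_active and arg in ("C", "P"):
            self.data_protection = arg
            return "200 Protection level set to " + arg
        if verb == "USER":
            return "331 Password required"
        if verb == "PASS":
            return "230 Logged in"
        return "500 Unknown command"


def explicit_ftps_login(server, user, password):
    """Client side of the RFC 4217 explicit upgrade.

    Returns a transcript of (verb, reply, sent_over_tls) tuples. The password
    itself is never recorded. Credentials are refused if TLS cannot be
    negotiated, which is the whole point of using FTPS instead of FTP."""
    transcript = []
    tls = False

    def send(cmd):
        reply = server.handle(cmd)
        transcript.append((cmd.split()[0], reply, tls))
        return reply

    # AUTH TLS itself necessarily travels in the clear; nothing secret yet.
    if not send("AUTH TLS").startswith("234"):
        raise RuntimeError("server refused TLS; not sending credentials in plain text")
    tls = True                        # handshake completes here; everything after is encrypted

    send("PBSZ 0")                    # RFC 4217 requires PBSZ 0 before PROT on TLS connections
    # Without PROT P the directory listings and file contents would still go in
    # the clear: only the control channel is protected by AUTH TLS.
    if not send("PROT P").startswith("200"):
        raise RuntimeError("could not enable data-channel protection")

    send("USER " + user)
    send("PASS " + password)
    return transcript
```

A run against a TLS-capable server yields a transcript in which only the AUTH verb is unprotected; against a server that answers AUTH with 502 the client stops before USER, which is the behaviour to insist on in any real FTPS client configuration.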

SFTP

SSH File Transfer Protocol, or SFTP, is a completely different protocol from FTP and runs over the SSH (Secure Shell) protocol. SSH secures and authenticates the connection, and SFTP provides the file transfer commands. It is not FTP tunnelled through SSH.

Previous posts have explained how FTPS and SFTP work. Essentially, both protocols achieve exactly the same thing - secure file transfer and secure, remote manipulation of file-systems.

They are, however, completely different protocols, and people implementing a secure file transfer solution will need to decide which protocol (FTPS vs SFTP) to use.

FTPS v SFTP

Existing usage is naturally an important consideration. If SFTP and/or SSH is already used in other areas of an organization, it is prudent to use SFTP. Existing knowledge and skills within the organization can be leveraged, as well as technical infrastructure. Similarly, if FTP and/or FTPS is already used elsewhere, it may be best to use FTPS.

Project requirements may also dictate the protocol. If a server-side solution is being implemented, it may be that clients are restricted to a particular protocol, and so no decision need be made.

But what if there are no initial constraints on which protocol could be used? Is there a clear winner?

SFTP - a clear winner

Yes, and it is SFTP. A few years ago, such a decision was not as straightforward, mainly because of the dominance of the FTP protocol in most organizations. Now client- and server-software is widely available for both SFTP and FTPS - in fact many applications such as CompleteFTP support both.

This means a decision can be made on purely technical grounds, and SFTP has at least two important technical advantages over FTP and FTPS.

SFTP is better with firewalls

FTPS can be painful to get working with firewalls. This is because directory listings and file transfers are made on a new network connection, separate from the control channel on port 21, whose port number is negotiated on the control channel (the PASV or EPSV reply). With plain FTP this usually works, because firewalls inspect the control channel, read the negotiated port and open it in advance. With FTPS the control channel is encrypted, so the firewall cannot see the negotiation and by default blocks the data connection. Instead, the server must be configured to use a fixed range of passive ports and the firewall must be configured to allow that range, which can get complicated.

By contrast, SFTP just works with firewalls. Data and commands are both sent over a single connection to the standard port 22, a single well-known port that is straightforward to allow. This is a significant advantage over FTP and FTPS. The one caveat is that if the SFTP service is provided by a general-purpose SSH daemon, the accounts used for file transfer should be restricted so that opening port 22 does not also hand out shell access.

SFTP doesn't use SSL certificates

FTPS uses certificates to identify the server to the client. Server identification is important, as it is how the client verifies that it is connecting to the correct server and not to an impostor in the middle of the path. For a client to verify a certificate automatically, it must chain to a certificate authority the client already trusts; a self-signed certificate works only if every client is configured to trust it explicitly, and otherwise produces a warning that users learn to click through. Obtaining and renewing a CA-issued certificate can be expensive and time-consuming.

SFTP doesn't use certificates. The server is identified by its public key, which is also what a certificate ultimately carries, so both protocols rely on the same underlying mechanism. As long as a client has a trusted copy of the server's public key (or its fingerprint) on hand, it can confirm that the server is the correct one. That key pair is generated by the organization itself and no certificate authority is involved, which significantly reduces the administration needed to get a server up and running. The responsibility this shifts to the organization is distribution: the key or its fingerprint must reach clients by a trustworthy route, because a client that simply accepts whatever key it is shown on first connection has no protection against an impostor on that first connection.

There are some advantages in having a recognized organization such as a certificate authority to issue certificates, but much of the time it is not necessary, particularly for internal projects.
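How an SFTP client uses the public key it has on hand, as an added example that is not code from the original article or from CompleteFTP. It follows the OpenSSH conventions: a known_hosts file of `hostname keytype base64-blob` lines, optionally with the hostname hashed (`|1|salt|HMAC-SHA1`, the HashKnownHosts format), and the `SHA256:` fingerprint that `ssh-keygen -lf` prints. The host names, the 32-byte key value and the salt are constructed; only the public blob is needed to fingerprint and compare, so no real key pair is generated:

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data):
    """RFC 4253 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_host_key_blob(key_type, raw_key):
    """Public-key blob in SSH wire format, i.e. what the server presents in the
    key exchange and what the base64 field of known_hosts decodes to."""
    return ssh_string(key_type) + ssh_string(raw_key)


def fingerprint_sha256(blob):
    """Same value ssh-keygen -lf prints: SHA256: plus unpadded base64 of the digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_hostname(hostname, salt):
    """OpenSSH HashKnownHosts entry: |1|base64(salt)|base64(HMAC-SHA1(salt, hostname))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def host_matches(entry_host, hostname):
    """Match a known_hosts host field (plain, comma-separated or hashed).
    Wildcard patterns and [host]:port forms are deliberately not handled."""
    if entry_host.startswith("|1|"):
        _, _, salt_b64, mac_b64 = entry_host.split("|")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return hostname in entry_host.split(",")


def verify_host_key(known_hosts_text, hostname, key_type, presented_blob):
    """Return "ok" if the presented key is the stored one, "MISMATCH" if the host is
    known with a different key of this type (a changed server or an impostor), or
    "unknown" if there is no entry, which must NOT be silently accepted."""
    seen_host = False
    for line in known_hosts_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        entry_host, entry_type, entry_b64 = parts[0], parts[1], parts[2]
        if entry_type != key_type or not host_matches(entry_host, hostname):
            continue
        seen_host = True
        if hmac.compare_digest(base64.b64decode(entry_b64), presented_blob):
            return "ok"
    return "MISMATCH" if seen_host else "unknown"


def first_connection_ok(presented_blob, fingerprint_from_admin):
    """For a host with no entry yet: accept only if the fingerprint matches one
    obtained out of band (from the server administrator), never just because
    the server presented it."""
    return hmac.compare_digest(fingerprint_sha256(presented_blob), fingerprint_from_admin)


# Constructed sample data: a stand-in 32-byte Ed25519 public value and a salt.
SERVER_KEY = make_host_key_blob(b"ssh-ed25519", bytes(range(32)))
ROGUE_KEY = make_host_key_blob(b"ssh-ed25519", bytes(range(1, 33)))
SERVER_B64 = base64.b64encode(SERVER_KEY).decode()
SALT = bytes(range(20))
KNOWN_HOSTS = "\n".join([
    "# plain entry",
    "files.example.internal ssh-ed25519 " + SERVER_B64,
    "# hashed entry, as written with HashKnownHosts yes",
    hashed_hostname("sftp.example.internal", SALT) + " ssh-ed25519 " + SERVER_B64,
])
```

`verify_host_key` distinguishes the three outcomes a client must treat differently: a match, a changed key for a known host (stop and investigate), and an unknown host, where `first_connection_ok` shows the only safe way to proceed. The comparison uses `hmac.compare_digest` rather than `==` so it runs in constant time, which is the habit to keep for any key or MAC comparison.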

Are there any SFTP disadvantages?

The main disadvantage of SFTP is that it is a complex protocol that is technically difficult to implement. Developing an FTP client is orders of magnitude simpler than developing an SFTP client, and the SFTP specification itself only ever reached Internet-Draft status, with most software settling on draft version 3. This, however, is very unlikely to affect organizations using SFTP as part of their infrastructure: a large variety of excellent clients and servers are available on various platforms, and they need only select the most suitable software. All clients and servers should interoperate, so there is considerable latitude in the choice of products. It is likely that features beyond the protocol itself will dictate the final selection.

Test FTPS vs SFTP yourself with the CompleteFTP 30-day free trial