edtFTPnet/PRO - Secure FTP component for .NET

Implicit FTPS and Explicit FTPS

Before the FTPS Internet Draft was published, a somewhat abortive attempt at offering a secure version of FTP was made. This is now referred to as implicit FTPS. It is a very simplistic technique which involves using standard secure TLS sockets in place of plain sockets at all points. Since standard TLS sockets require an exchange of security data immediately upon connection, it is not possible to offer standard FTP and implicit FTPS on the same port. For this reason another port needs to be opened, usually port 990.

Implicit FTPS is in the process of being phased out in favour of FTPS as described in the Internet Draft. This newer variant of FTPS is now referred to as explicit FTPS. It has some substantial advantages over implicit FTPS:

  1. It is a standard extension of FTP and is therefore supported by most FTP servers.
  2. It uses standard FTP ports, meaning that there is no need to open additional ports in firewalls when upgrading from FTP to FTPS.
  3. It is more flexible in that it allows security to be turned off and on in a single session.
  4. It is compatible with the RFC2228 standard.

Both implicit and explicit FTPS are supported by edtFTPnet/PRO. Most of the rest of this guide applies to explicit FTPS, as this is the protocol recommended for all applications except those requiring compatibility with legacy applications. Examples of implicit FTPS usage are given in Section 7.4.
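The difference between the two variants is visible in the first bytes of the control connection. The following is an added example, not edtFTPnet/PRO code: it classifies the start of a session as implicit FTPS, explicit FTPS, or FTP that never upgraded to TLS. The function names and sample byte strings are constructed for illustration; the `AUTH TLS` command and `234` reply are the upgrade exchange defined for explicit FTPS in RFC 4217.

```python
# Added example: classify the start of an FTP control connection.
# All byte strings below are constructed samples, not captured traffic.

TLS_HANDSHAKE = 0x16  # TLS record content type for handshake messages


def is_tls_record(data: bytes) -> bool:
    """True if data begins with a TLS handshake record header (0x16 0x03 ..)."""
    return len(data) >= 3 and data[0] == TLS_HANDSHAKE and data[1] == 0x03


def classify(events):
    """events: ordered (sender, bytes) pairs, sender 'C' (client) or 'S' (server).

    Returns 'implicit FTPS', 'explicit FTPS', 'plain FTP' or 'unknown'.
    """
    if not events:
        return "unknown"
    sender, data = events[0]
    # Implicit: the client opens with a TLS ClientHello before any FTP text,
    # which is why it cannot share a port with standard FTP.
    if sender == "C" and is_tls_record(data):
        return "implicit FTPS"
    # Otherwise the server must speak first with a plaintext 220 greeting.
    if not (sender == "S" and data.startswith(b"220")):
        return "unknown"
    auth_requested = auth_accepted = False
    for sender, data in events[1:]:
        if sender == "C" and is_tls_record(data):
            # TLS may only begin after the server accepted AUTH TLS with 234.
            return "explicit FTPS" if auth_accepted else "unknown"
        if sender == "C":
            auth_requested = data.upper().startswith(b"AUTH TLS")
        elif auth_requested and data.startswith(b"234"):
            auth_accepted = True
    # The session ended (or continued) without ever starting TLS.
    return "plain FTP"


CLIENT_HELLO = b"\x16\x03\x01\x00\x2f"  # constructed TLS record header only
IMPLICIT = [("C", CLIENT_HELLO), ("S", b"\x16\x03\x03\x00\x31")]
EXPLICIT = [("S", b"220 ready\r\n"), ("C", b"AUTH TLS\r\n"),
            ("S", b"234 AUTH TLS successful\r\n"), ("C", CLIENT_HELLO)]
REFUSED = [("S", b"220 ready\r\n"), ("C", b"AUTH TLS\r\n"),
           ("S", b"504 not supported\r\n"), ("C", b"USER demo\r\n")]

if __name__ == "__main__":
    for name, ev in [("implicit", IMPLICIT), ("explicit", EXPLICIT), ("refused", REFUSED)]:
        print(name, "->", classify(ev))
```

The `REFUSED` sample shows the case worth monitoring on the standard port: the upgrade was requested but rejected, and the client continued in cleartext.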
