FTP is a well-known file transfer protocol. It emerged in the early 1970s, and while the world has changed a great deal since then, FTP has proven its consistency by staying just about the same.
There was a time when security was not a huge concern: people didn’t bother locking their front doors, let alone think about protecting their file transfer protocols. Hard to believe, huh? Those days have long passed, and today keeping our data safe from cyber attacks is no less important than keeping our homes safe from potential burglars.
FTPS became the solution to the security issue. It was created as an extension to the FTP protocol, adding the critical security layer to it and ultimately upping its game.
How do FTP and FTPS differ from one another?
We have already mentioned the lack of security in FTP prior to the addition of FTPS, so now we will elaborate on the subject:
FTP exchanges data over two separate, unencrypted channels, leaving everything sent through them exposed to potential threats. Usernames, passwords, commands, and file data are all passed in clear text, allowing just about anyone on the network path to capture or alter those packets.
When you use FTPS, data travels through the network using either the Secure Sockets Layer (SSL) or the Transport Layer Security (TLS) protocol. These protocols encrypt the data between the server and client (and vice versa). It’s essentially the same thing HTTPS added to HTTP.
FTPS comes with two connection methods, called “implicit” and “explicit”:
With the Implicit Method, the entire session is encrypted using TLS. This means that if the client doesn’t immediately make the security request, the server is expected to drop the connection. Given this limitation, the implicit mode is generally considered deprecated.
With the Explicit Method, a traditional FTP connection is established first, and as soon as the connection is made, right before authentication, it is upgraded to a secure TLS connection. In contrast to the implicit mode, if the client doesn’t make the security request, it is up to the server to either decline the connection or continue with basic, unencrypted FTP. The client can also choose whether or not to encrypt the data channel, and the server may once again choose whether to allow or prohibit insecure requests. If you follow best practices, you’ll want to use explicit connections and make sure the server does not permit unencrypted connections.
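To check that a server really enforces the explicit-mode rules above, you can audit its command log. The following is an added example, not code from the original article: it flags credentials sent before the TLS upgrade and transfers made without data channel protection. The AUTH, PBSZ and PROT commands are the standard explicit-FTPS commands from RFC 4217; the "C: "/"S: " log format and the three sample sessions are constructed assumptions.

```python
# Added example: audit an FTP command log for the explicit-FTPS rules described above.
# The "C: "/"S: " log format and the sample sessions are constructed for illustration.
DATA_CMDS = {"LIST", "NLST", "MLSD", "RETR", "STOR", "STOU", "APPE"}

def audit_session(lines):
    """Return findings for one session of client commands (C:) and server replies (S:)."""
    findings = []
    tls_on = False   # control channel upgraded (AUTH TLS answered with 234)
    prot = "C"       # data channel protection level; RFC 4217 default is Clear
    pending = None   # last client command still waiting for its reply
    for raw in lines:
        side, _, text = raw.partition(": ")
        if side == "C" and text.split():
            parts = text.split()
            verb = parts[0].upper()
            arg = parts[1].upper() if len(parts) > 1 else ""
            pending = (verb, arg)
            if verb in ("USER", "PASS") and not tls_on:
                findings.append(f"{verb} sent in clear text before AUTH TLS")
            elif verb in DATA_CMDS and not (tls_on and prot == "P"):
                findings.append(f"{verb} used an unencrypted data channel")
        elif side == "S" and pending and text[3:4] != "-":  # skip multi-line continuations
            verb, arg = pending
            code = text[:3]
            if verb == "AUTH" and arg in ("TLS", "SSL") and code == "234":
                tls_on = True          # server accepted the TLS upgrade
            elif verb == "PROT" and code == "200":
                prot = arg             # "P" = private (encrypted), "C" = clear
            pending = None
    return findings

PLAIN = ["S: 220 ready", "C: USER alice", "S: 331 password required",
         "C: PASS example-password", "S: 230 logged in", "C: PASV",
         "S: 227 entering passive mode", "C: RETR report.csv", "S: 150 opening"]
NO_PROT = ["S: 220 ready", "C: AUTH TLS", "S: 234 proceed", "C: USER alice",
           "S: 331 password required", "C: PASS example-password", "S: 230 logged in",
           "C: PASV", "S: 227 entering passive mode", "C: LIST", "S: 150 opening"]
HARDENED = ["S: 220 ready", "C: AUTH TLS", "S: 234 proceed", "C: PBSZ 0", "S: 200 ok",
            "C: PROT P", "S: 200 ok", "C: USER alice", "S: 331 password required",
            "C: PASS example-password", "S: 230 logged in", "C: PASV",
            "S: 227 entering passive mode", "C: RETR report.csv", "S: 150 opening"]

if __name__ == "__main__":
    for name, log in (("plain", PLAIN), ("no PROT P", NO_PROT), ("hardened", HARDENED)):
        print(name, audit_session(log))
```

Because the control channel is encrypted after the upgrade, a log like this has to come from the server or client itself rather than from a network capture.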
What do the two protocols have in common?
The two protocols actually have quite a bit in common, and would probably hit it off given their matching interests. Both FTP and FTPS use two ports, one for control and one for data transfer. This has to do with FTP being an ancient relic that predates the invention of duplex channels. It also makes it more difficult to harden networks where FTP or FTPS is in use, because firewall rules and NATs have to be set up a certain way to allow the data channel to open. The solution for both protocols is to use passive mode, where the client opens both connections to the server.
Both protocols use the same basic commands to list, retrieve, and upload files, as well as to create or remove directories.
Last but not least, all modern clients support both protocols, and therefore, from the client perspective, it’s easy to switch between the two.
The choice is yours
Not to put you under any pressure, but it is clear that FTPS is the sensible (and secure) choice between the two if data security is at all important to you (we hope this is the case). So to wrap things up based on the information given, we recommend that you don’t rely on FTP alone, but rather use FTPS. But wait! There’s another contender for you to consider - SFTP! You can learn all about SFTP and the differences between the SFTP and FTPS protocols here.