FTP and SFTP are two common file transfer protocols, and just as common are the questions surrounding them. “What is the difference between them?” “How do I decide whether I should use FTP or SFTP?” In the following post, we’ll attempt to explain the distinguishing factors between the two to give you some insight into how you can share your data safely.
Let's start with the basics:
FTP stands for File Transfer Protocol. It has been around for 50 years or so, long before the internet! Using the client-server model, FTP supports the direct transfer of files over the network between a client device and a server. SFTP is a secure file transfer protocol and has been around for about 20 years. Despite the age gap with FTP, SFTP is reputable for presenting tested and proven, low risk technology. Its security (encryption, authentication, etc.) is based upon SSH (Secure Shell), which is the standard way to connect to UNIX/LINUX servers.
When using the FTP protocol, nothing is encrypted over the wire. This is due to its development in the 70’s, when security over the net was not as much of a priority as it is in the modern era. Even though basic authentication requires a password, this password is also transferred in the clear, leaving it vulnerable to potential attacks.
SFTP, on the other hand, is equipped to protect your data and passwords against sniffing and man-in-the-middle attacks by encrypting all communication between the client and the server. It also gives you the option of private/public key authentication which is more secure than simple user/password authentication.
FTP allows anonymous access, meaning that a user isn’t required to authenticate herself before she gets a hold of your files. You can certainly disable this feature, and we strongly recommend that you do so.
SFTP relies on SSH for its authentication processes as well as encryption. It doesn't permit any anonymous access, although creating and sharing the information of a passwordless account is solely up to you.
FTP uses two separate channels to transfer information: one connection is used for control information (i.e. commands and responses), and the other is used for data transfer. Opening multiple channels complicates networking and security management when it comes to configuring firewalls and NATs, since the data channel uses random ports. Additionally, if you’re using the ACTIVE mode, this requires the server to connect to the client (which usually shouldn’t be exposing any open ports to the internet).
SFTP’s communication approach is more simple, using a single port connection (port 22 by default) for both control and data transfer. This, in turn, doesn’t require creating inbound network rules on the client-side.
FTP is bundled with IIS on Windows servers, but it is recommended to use the FTPS extension to ensure data security. You can read more about FTPS here.
SFTP is bundled with SSH on pretty much any Linux based server, one of its many desirable attributes contributing to its popularity.
Modern GUI clients support both FTP and SFTP, so this shouldn’t be a concern. The SFTP command line comes bundled with all modern operating systems, and the FTP command line interface can be installed if you really want to.
So, which is the better choice?
What’s the common theme here? The distinction between the two file transfer methods clearly boils down to security. FTP might get the job done, but it proves to be insecure and given that SFTP’s top priority is to provide a secure experience, the wise choice would be to go with SFTP.