Same same, but different? What is the difference exactly?
While both SFTP and FTPS are forms of secure file transfer protocols, each protocol has distinctive characteristics, and comprehending the distinctions between the two is essential to successfully managing your security system.
Let's start with a little background:
FTPS is a secure file transfer protocol, created as an extension to the legacy FTP (the standard client-server file transferring protocol), in order to provide an added layer of security while keeping the original protocol relatively unchanged, much like what HTTPS is to HTTP.
SFTP is a secure file transfer protocol as well, but unlike FTPS, it’s not an extension to FTP. It was built from the ground up, and has nothing in common with the original FTP. SFTP is based on the SSH protocol, which provides the security layer, while SFTP implements the file transfer and remote file access service.
Now that we’ve got that covered, it’s time to delve deeper into the details that really make the two protocols different:
File transfer and management
Both SFTP and FTPS allow file transfer and management. Nonetheless, SFTP has slightly better functionality in terms of file management since it standardizes file and directory listing formats, and character encoding. Additionally, SFTP defines a standard method for setting or obtaining file or directory attributes, permissions, and ownerships.
FTPS uses a combination of usernames, passwords and/or certificates to authenticate users. It encrypts file transfer and the control channel using strong algorithms such as AES and Triple DES. The FTPS server can be set up to fallback to non-encrypted communications (i.e. FTP), but that is definitely not recommended.
SFTP relies on SSH for both authentication and encryption. It supports both private/public key authentication and username/password combinations, while encrypting all communication using SSH crypto algorithms. SSH’s configuration can be altered to avoid encrypting communication, though this is not the default setting and again, it is advised that you don’t do that.
SFTP uses a single port connection, meaning it requires only a single port (22 by default) for both control and data transfer, making it easy to secure.
FTPS inherits the use of two ports from its predecessor, FTP. This makes the management of networking and security slightly more difficult when it comes to configuring firewalls and NATs. Using the Passive mode with FTPS is highly recommended to ensure that both connections are open from the client to the server. Otherwise, with Active mode, the server tries to establish the data channel with the client - which means that the client should expect inbound network traffic, which means you’ll have to create firewall rules and route traffic from the public network to the client machine.
FTPS servers can be set up as part of IIS on Windows servers or by installing 3rd party servers. It isn’t bundled with any other operating system.
SFTP is bundled with SSH on pretty much any Linux based server, one of its many desirable attributes contributing to its popularity.
Clients that support both protocols are available within all operating systems.
We’ve clarified that both SFTP and FTPS are widely used and secure and while in some countries IT teams may prefer one protocol over the other (for instance, we’ve found that FTPS is quite the star in Japan), SFTP is usually preferred because of the simplicity of its architecture.
SFTP To Go offers you the best of both worlds, as it supports SFTP as well as FTPS, so you don't have to choose one. Oh! And it even adds S3 to the party.
Post photo by Daria Shevtsova on Unsplash