You might be wondering how the inner workings of various file transfer protocols differ and we are here to provide you with just that information. By distinguishing the components of the three, we can outline the benefits of using one protocol over the others.
Let’s Talk FTP
File Transfer Protocol has been around the block since the early 1970s. It was created as one of the first two application layer network protocols (the other one being Telnet) to facilitate file transfer between hosts over the ARPANET Network Control Program (NCP) - the internet’s granddaddy.
FTP was initially designed to work on top of NCP, a simplex protocol, meaning that communication travels one-way per connection, requiring two ports for two-way communication, from the client to the server and back. What a pain! First, the client connects to the server and then, following a successful authentication, the server connects back to the client. TCP/IP, NCP’s successor, is a duplex protocol and allows for two-way communication over a single port. However, when FTP was ported to work on top of TCP/IP, it was never altered to use just one port, for the sake of backward compatibility.
At the dawn of computer networking, security was not really on the minds of FTP’s creators. So, naturally, it was never designed to be a secure protocol. It doesn't encrypt any of its traffic, so therefore, usernames, passwords, commands and file data are all passed in clear text, allowing anyone to capture or alter these packets over the network.
In addition, the use of two ports, as mentioned above, is problematic when the client is behind firewalls and NATs, where they have a local IP address that isn’t even exposed to the public network - the server has no means to connect back to the client. There are two possible approaches that can be taken to solve this issue, the popular choice being the “Passive” mode - where the client opens both connections to the server.
Despite its faults, FTP was a great way to share files throughout the years, long before HTTP or even TCP/IP were invented. It facilitated sharing, uploading and downloading files with simple and optional means of authentication - user and password.
The birth of FTPS
In the 1990s, thanks to the internet, a much broader population obtained access to files on FTP servers from all over the world, which also meant that data traversed longer paths, creating more opportunities for third parties to eavesdrop on non-encrypted data transmissions. As a solution to this problem, in 1994, Netscape released the application layer wrapper known as Secure Sockets Layer or SSL. This allowed applications to communicate over a network in a secure, private fashion and to this day, we all use it with the HTTPS protocol. The SSL protocol was also applied to FTP and so an extension to FTP was born - FTPS.
There are two methods in which to invoke client security with FTPS:
- Implicit Method: the entire session is encrypted using SSL (or later, TLS) encryption. If the client doesn’t immediately make the security request, the server is expected to drop the connection. This limitation is the reason that the implicit mode is generally considered deprecated.
- Explicit Method: a traditional FTP connection is established and once the connection is made, right before authentication, a secure SSL/TLS connection is established. Unlike the implicit mode, If the client doesn’t make the security request, it is up to the server to either decline the connection or continue with basic FTP. The client can also choose whether or not to encrypt the data channel (keep in mind that there are 2 ports used with FTP). The server again can choose whether to allow or prohibit insecure requests.
Quick recap - FTP vs FTPS
- Both use 2 ports (and both support the passive mode, where the client opens both connections)
- Basic Commands: Both support the same basic commands
- Most modern clients support both protocols
- FTP doesn’t encrypt any communication between the client and the server.
- FTPS may or may not encrypt some or all of the communication between client and server depending on client and server configuration.
SFTP, Secure File Transfer Protocol, or SSH File Transfer Protocol, is the youngest protocol and yet, it’s been around since the late 1990s. As opposed to FTPS, it’s not an extension to FTP. It was built from the ground up. It uses just one port and the protocol itself doesn’t provide authentication or security but rather expects the underlying protocol, SSH, to provide this.
We won’t go into all the nitty gritty details, but SSH, or Secure Shell, is the cryptographic protocol used to secure network connections over an unsecured network and is also used to login to remote servers and to forward or tunnel ports. SSH uses public-key cryptography to authenticate users and machines, but it also supports username/password authentication (which are also encrypted if used).
Since SFTP shares the default port (22) with other SSH services, it’s usually bundled with the SSH server implementation, meaning that it’s built-in with any Linux machine.
The basic commands used in SFTP are the same as in FTP or FTPS (i.e. ls, get, put) but there are also some differences. For instance, the SFTP response when listing files is more consistent and contains more details, SFTP allows file system operations that FTP does not (like changing permissions and file ownership).
SFTP vs. FTP/FTPS
The one common ground that all three protocols share is that they allow file transfer and management. Let’s take a look at what sets them apart.
On the one hand we have SFTP:
- Single port connection
- Relies on SSH for secure public-key authentication (with optional user/password authentication)
- Relies on SSH for data encryption over the wire - commands and data are all encrypted.
- Slightly better functionality in terms of file management
On the other, FTP and FTPS:
- FTP/S uses two ports, which make it harder to manage ports, firewalls and NATs
- Authentication is optional (you can access servers anonymously, if they allow)
- Encryption and security is optional, which leads to issues with compliance.
- FTPS certificates must be managed well. Expired certificates lead to server inaccessibility.
The default choice for secure file transfer nowadays is SFTP because of its superior security and its vast distribution as part of the Linux operating system.
SFTP To Go allows you to instantly set up encrypted cloud storage with SFTP, FTPS and Amazon S3 protocol support.