SFTP Vs. FTPS

The Internet has grown by leaps and bounds to become the biggest data sharing network in the world.

Every data packet transfer over the Internet, from servers to client computers is enabled by a range of Internet protocols like HTTP (Hypertext Transfer Protocol), FTP (File Transfer Protocol), Telnet, POP (Post Office Protocol) and TCP (Transmission Control Protocol).

All these protocols operate at various levels of the OSI (Open Systems Interconnection) model that defines the structure of any computer network, from the link layer to application layer. This Techspirited article is focused on comparing two protocols - SFTP and FTPS that provide secure file transfer over the Internet.

FTP was the first protocol exclusively designed to provide file transfer functionality over the Internet. However, it was found to be vulnerable to brute force attacks, spoof attacks and other hacking techniques like packet sniffing because the data transported through this protocol is not encrypted.

Both FTPS and SFTP were developed as an improvement over FTP to provide encrypted file transfer over the Internet. Let me provide a brief overview of both these protocols, before comparing them.

FTPS (File Transfer Protocol Secured) is a substantially more secure and an improved version of the older FTP, which provides secure data transfer through implementation of the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols.

Using cryptographic techniques, SSL and its successor- TLS encrypt data that is transmitted between FTPS servers and clients, thus making it impervious to hacking. There are two types of this protocol, namely

• Implicit FTP: Servers using implicit implementation of this protocol strictly enforce an encrypted connection between clients and servers. If the client doesn't comply, the connection is dropped.

• Explicit FTP: Here clients connecting with the server are provided with an alternative of opting out of implementing an encrypted connection. It is only implemented if requested by the FTP client.

Secure command channel which encrypts control commands can be entered into through the input of the AUTH SSL or AUTH TLS command, while a secure data channel can be opened by the PROT command. FTP uses a dynamic secondary port, which can be untraceable for strong firewalls, when the connection is encrypted using TLS or SSL, leading to a connection failure.

Therefore, firewall incompatibility is a major problem with FTPS. Its connection ports are 989 (for data channel) and 990 (for control channel). BitKinex and Captain FTP are two client programs, which implement the FTPS.

While FTPS is the successor to FTP, SFTP (Secure File Transfer Protocol) or SSH FTP (Secure Shell File Transfer Protocol) is an entirely different protocol, built independently. It should not be confused with the 'Simple File Transfer Protocol'.

This protocol provides secure file transfer over a computer network, besides providing a facility for remote file management.

It is based on the Secure Shell Protocol (SSH), which provides a secure mode for data transfer and control over a client server network. For using the SFTP, you need special clients as FTP clients don't work with it. Graphical SFTP clients make it easy to transfer files from server to client computers quite easily.

Under this protocol, TCP and UDP port 22 are used for setting up the connection. Both command and data connections are supplied through the same data packets and encryption is enforced by default in the session. WinSCP is an open source SFTP client, which one may use.

So let me summarize the prime differences between the two file transfer protocols. While FTPS uses SSL or TLS protocols, SFTP uses the SSH (Secure Shell) protocol. FTPS provides implicit or explicit implementation of its encryption protocol while SFTP enforces encryption by default.

This makes SFTP substantially more secure than FTPS based file transfer. Compared to FTPS, SFTP clients rarely report any firewall related problems. Since all data is pre-encrypted by default through the session, there are lesser chances of login name, password and other data being intercepted or hacked.

Thus, one can conclude that SFTP is a substantially more secure protocol to bank upon for file transfers, compared to FTPS. Weigh the pros and cons of using both protocols, before choosing one which would be most secure for your particular requirements. My recommendation would be to go for SFTP.