There is the plain old FTP protocol, but there are also FTPS and SFTP. So, how do they differ? Here’s a comparison of FTP vs FTPS vs SFTP.
FTP, FTPS, and SFTP are protocols that are used to transfer files over a network. While the acronyms for these protocols are similar, there are some key differences among them. The main ones are how data is exchanged, the level of security provided and firewall considerations.
When choosing between FTP, FTPS, and SFTP, weighing the pros and cons of each option gives users a better understanding of the available choices.
Here is a head-to-head FTP vs FTPS vs SFTP comparison that overviews the advantages and limitations of each transfer protocol.
What is FTP
FTP stands for File Transfer Protocol. It was developed in the 1970s to allow files to be transferred between a client and a server on a computer network.
FTP exchanges data using two separate channels known as the command channel and the data channel. The command channel typically runs on server port 21 and is responsible for accepting client connections and handling the exchange of simple commands between an FTP client and server. To transfer files and folders, FTP uses a separate connection called the data channel.
In short, FTP uses one connection for commands and the other for sending and receiving data.
This connection can be established in two ways:
- Active Mode: In an Active FTP connection, the client opens a port and listens, and the server actively connects to it. Active FTP servers generally use port 20 as their data port.
- Passive Mode: In a Passive FTP connection, the server opens a port and listens (passively) and the client connects to it.
Most FTP client programs select passive connection mode by default because server administrators prefer it as a safety measure. In addition, firewalls generally block connections that are initiated from the outside, which is exactly what the server's connection back to the client in active mode is.
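The following is an added example, not from the original article, that parses the control-channel messages announcing the data connection and reports which side listens in each mode. The `PORT`, `227` and `229` (EPSV) message formats come from RFC 959 and RFC 2428; the sample lines, addresses and the `control_peer` default are constructed.

```python
import re

# Constructed control-channel lines (documentation addresses, not a real capture).
SAMPLE = [
    "PORT 192,0,2,10,195,80",                          # client -> server: active mode
    "227 Entering Passive Mode (198,51,100,5,78,52)",  # server -> client: passive mode
    "229 Entering Extended Passive Mode (|||6446|)",   # server -> client: EPSV, port only
]

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
_EPSV = re.compile(r"\(\|\|\|(\d{1,5})\|\)")

def data_endpoint(line, control_peer="198.51.100.5"):
    """Return (mode, listener, host, port) announced by a control line, or None."""
    line = line.strip()
    if line.startswith("229"):
        m = _EPSV.search(line)
        if not m or not 0 < int(m.group(1)) < 65536:
            raise ValueError(f"malformed EPSV reply: {line!r}")
        # EPSV carries no address: the client reuses the control connection's server IP.
        return ("passive", "server", control_peer, int(m.group(1)))
    if line.upper().startswith("PORT "):
        mode, listener = "active", "client"    # the server dials in to the client
    elif line.startswith("227"):
        mode, listener = "passive", "server"   # the client dials out to the server
    else:
        return None                            # not a data-channel announcement
    m = _HOSTPORT.search(line)
    if not m:
        raise ValueError(f"malformed host/port field: {line!r}")
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise ValueError(f"octet out of range: {line!r}")
    host = ".".join(str(n) for n in nums[:4])
    # The last two numbers are the high and low bytes of the TCP port.
    return (mode, listener, host, nums[4] * 256 + nums[5])

if __name__ == "__main__":
    for entry in SAMPLE:
        print(entry, "->", data_endpoint(entry))
```

The `listener` field is the side whose firewall must accept an inbound connection on the reported port.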
As great as FTP was at the time, it lacked security measures to encrypt usernames and passwords or other data going across the protocol. Unlike FTPS and SFTP, when using FTP both the command and data channels are unencrypted. Any data sent over these channels can be intercepted and read.
What is FTPS
Concern about internet security grew during the 1990s. In response, in 1994, Netscape released the application layer wrapper known as Secure Sockets Layer or SSL to protect communications over a network. SSL was applied to FTP to create FTPS.
FTPS stands for File Transfer Protocol Secure. It is an extension of FTP that adds an extra tier of security. FTPS uses an SSL/TLS layer underneath FTP, which encrypts its data channels. To put it simply, FTPS is FTP with SSL for security.
Just like FTP, FTPS works in a client-server model, utilizing a control channel and a data channel for exchanging FTP commands and data during an FTPS client session.
FTPS connections are authenticated with a user ID, password, and certificate. When connecting to an FTPS server, an FTPS client will first verify the trustworthiness of the server’s certificate. Tools such as OpenSSL allow key certificates to be requested and created.
What is SFTP
SFTP stands for SSH File Transfer Protocol. As opposed to FTPS, it is not an extension to FTP and was built from the ground up. While it sounds similar in name to FTP and FTPS, it actually uses a completely different protocol, called the Secure Shell (SSH). SFTP was created as an extension of SSH to transfer files through the secure channel.
With SFTP, data is encrypted by SSH during transfer and nothing is sent in clear text. SFTP authenticates both the user and the server, and it uses port 22.
Unlike FTP and FTPS, SFTP does not use separate command and data connections. Both data and commands are transferred in specially formatted packets via a single connection. This makes file and data transfers using SFTP faster than other FTP connections.
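The following is an added example, not part of the original article, of that packet framing: it splits a decrypted SFTP byte stream into packets and shows commands and file data interleaved on one connection. The type codes and layout follow the SFTP version 3 draft (draft-ietf-secsh-filexfer-02); the helper names and the sample session are constructed.

```python
import struct

# Packet type codes from the SFTP version 3 draft (draft-ietf-secsh-filexfer-02).
TYPES = {1: "INIT", 2: "VERSION", 3: "OPEN", 4: "CLOSE", 5: "READ", 6: "WRITE",
         101: "STATUS", 102: "HANDLE", 103: "DATA"}

def frame(ptype, body):
    """Build one packet: uint32 length, byte type, type-specific body."""
    return struct.pack(">IB", len(body) + 1, ptype) + body

def sstr(data):
    """SSH string encoding: uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def parse_stream(buf, max_len=256 * 1024):
    """Split a decrypted SFTP byte stream into (type, request_id, payload)."""
    packets, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 5:
            raise ValueError("truncated packet header")
        length, ptype = struct.unpack_from(">IB", buf, pos)
        if not 1 <= length <= max_len:   # reject absurd lengths before slicing
            raise ValueError(f"implausible packet length {length}")
        end = pos + 4 + length
        if end > len(buf):
            raise ValueError("truncated packet body")
        body = buf[pos + 5:end]
        if ptype in (1, 2):              # INIT/VERSION carry a version, no request id
            req_id, payload = None, body
        elif len(body) < 4:
            raise ValueError("missing request id")
        else:
            req_id, payload = struct.unpack_from(">I", body)[0], body[4:]
        packets.append((TYPES.get(ptype, f"UNKNOWN({ptype})"), req_id, payload))
        pos = end
    return packets

# Constructed session fragment: negotiation, a command and file data on one stream.
SAMPLE = (
    frame(1, struct.pack(">I", 3))                                    # INIT, version 3
    + frame(3, struct.pack(">I", 1) + sstr(b"report.csv")
            + struct.pack(">II", 0x0A, 0))                            # OPEN write|create
    + frame(6, struct.pack(">I", 2) + sstr(b"h0")
            + struct.pack(">Q", 0) + sstr(b"id,total\n"))             # WRITE at offset 0
)

if __name__ == "__main__":
    for pkt in parse_stream(SAMPLE):
        print(pkt)
```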
With SFTP you can simply use a user ID and password. The other authentication method you can use with SFTP is SSH keys.
Since SFTP shares the default port 22 with other SSH services, it is usually bundled with the SSH server implementation, meaning that it comes built in on any Linux machine.
FTP vs FTPS vs SFTP: Which Protocol Should I Use?
Above all, when transferring data from a flat file system, if you have other options such as FTPS or SFTP, please use them. FTP is not as secure as the other protocols on this list.
FTP works for legacy devices that don’t support any sort of encryption, but if you have access to encryption, it’s better to use FTPS or SFTP.
So that leaves FTPS vs SFTP. Both are secure FTP protocols with strong authentication options, but they are also two completely different protocols. The key distinguishing feature of the FTPS and SFTP protocols is the underlying transport mechanism.
If you’re concerned at all with the security of your data, SFTP is the way to go, as it is the most secure and compliant method of file transfer. Like FTP and FTPS, you can use usernames and passwords to authenticate. However, with SFTP, these credentials are encrypted, making it more secure.
In addition, SFTP uses only one connection to transfer data, as opposed to two for FTP and FTPS, and encrypts both authentication credentials and data being transferred on this single channel.
FTPS requires a secondary data channel, which makes it hard to use behind firewalls. SFTP is much easier to pass through firewalls, so we believe SFTP is the winner between the two.
Learning about the different protocols might seem daunting. We’ve compiled a shortlist of the differences that can help clarify which protocol would be best for your use.
These days if you want encryption and reliability, it is difficult to go wrong with either FTPS or SFTP. So, if you care about security with a capital ‘S’, then you should give a ‘S’ about FTP too.
Hopefully this article clarifies things around FTP vs FTPS vs SFTP. Please feel free to drop your comments if you want to share more information about the topic discussed above.