There is plain old FTP, but there are also FTPS and SFTP. So, how do they differ? Here’s a comparison of FTP vs. FTPS vs. SFTP.
FTP, FTPS, and SFTP are protocols used to transfer files over a network. While the acronyms for these protocols are similar, there are some key differences among them. The main ones are how data is exchanged, the level of security provided, and firewall considerations.
When choosing between FTP, FTPS, and SFTP, weighing the pros and cons of each option will allow users to understand the available choices better.
Here is a head-to-head FTP vs. FTPS vs. SFTP comparison that overviews the advantages and limitations of each transfer protocol.
What Is FTP
FTP stands for File Transfer Protocol. It was created in the 1970s to allow file transfers between a client and a server on a computer network.
FTP exchanges data using two separate channels known as the command and data channels. The command channel typically runs on server port 21 and is responsible for accepting client connections and handling the exchange of simple commands between an FTP client and server.
FTP uses a separate connection called a data channel to transfer the files and folders.
In short, FTP uses one connection for commands and the other for sending and receiving data.
This connection can be established in two ways:
- Active Mode: In an Active FTP connection, the client opens a port and listens, and the server actively connects to it. Active FTP servers generally use port 20 as their data port.
- Passive Mode: In a Passive FTP connection, the server opens a port and listens (passively), and the client connects to it.
Most FTP client programs select passive connection mode by default because server administrators prefer it as a safety measure. In addition, firewalls generally block connections that are initiated from the outside, which is what the server's connection back to the client looks like in active mode.
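The port arithmetic behind active and passive mode, as an added example that is not part of the original article: the client's PORT command and the server's 227/229 replies say where the data channel will be opened, which is what a firewall has to allow. The function names, result fields and sample addresses are constructed for illustration.

```python
import re

# RFC 959 host-port notation: h1,h2,h3,h4,p1,p2 (port = p1*256 + p2)
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# RFC 2428 extended passive reply carries only a port: (|||port|)
EPSV = re.compile(r"\(\|\|\|(\d{1,5})\|\)")

def decode_hostport(text):
    """Decode h1,h2,h3,h4,p1,p2 into (ip, port)."""
    m = HOSTPORT.search(text)
    if not m:
        raise ValueError(f"no host-port field in {text!r}")
    nums = [int(n) for n in m.groups()]
    if max(nums) > 255:
        raise ValueError(f"field out of range in {text!r}")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def data_channel(line, client_ip, server_ip):
    """Describe the data connection that one control-channel line sets up."""
    line = line.strip()
    if line.upper().startswith("PORT "):          # active: client listens
        host, port = decode_hostport(line[5:])
        mode, listener, peer = "active", "client", client_ip
    elif line.startswith("227"):                  # passive: server listens
        host, port = decode_hostport(line[3:])
        mode, listener, peer = "passive", "server", server_ip
    elif line.startswith("229"):                  # extended passive: port only
        m = EPSV.search(line)
        if not m:
            raise ValueError(f"malformed 229 reply: {line!r}")
        host, port = server_ip, int(m.group(1))
        mode, listener, peer = "passive", "server", server_ip
    else:
        raise ValueError(f"not a data-channel setup line: {line!r}")
    return {
        "mode": mode,
        "listener": listener,  # side that opens a port and waits
        "initiator": "server" if listener == "client" else "client",
        "endpoint": (host, port),
        "address_mismatch": host != peer,  # advertised IP is not the control peer
    }

# Constructed control-channel lines using documentation and private addresses
SAMPLES = ["PORT 198,51,100,7,200,21", "227 Entering Passive Mode (192,0,2,10,195,80)",
           "229 Entering Extended Passive Mode (|||50001|)",
           "227 Entering Passive Mode (10,0,0,5,195,80)"]
```

The last sample shows a server that advertises a private address in its 227 reply; `address_mismatch` flags it because a client connecting from outside cannot reach that endpoint.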
As great as FTP was at the time, it lacked security measures to encrypt usernames and passwords or other data going across the protocol.
Unlike FTPS and SFTP, both the command and data channels are unencrypted when using FTP. As a result, any data sent over these channels can be intercepted and read.
What Is FTPS
Concern about internet security grew during the 1990s. In response, in 1994, Netscape released the application layer wrapper known as Secure Sockets Layer or SSL to protect communications over a network. SSL was applied to FTP to create FTPS.
FTPS stands for File Transfer Protocol Secure. It is an extension of FTP that adds an extra tier of security. FTPS uses an SSL/TLS layer underneath FTP, encrypting its data channels. To put it simply, FTPS is FTP with SSL for security.
Like FTP, FTPS works in a client-server model, utilizing a control channel and a data channel to exchange FTP commands and data during an FTPS client session.
FTPS connections are authenticated with a user ID, password, and certificate. When connecting to an FTPS server, an FTPS client will first verify the trustworthiness of the server’s certificate.
Tools such as OpenSSL allow key certificates to be requested and created.
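One way to check a server-side control-channel log for the exposure described above (an added example, not from the original article): it flags logins sent before TLS was negotiated and transfers started without an encrypted data channel. It assumes explicit FTPS, where the client upgrades the connection with AUTH TLS and protects the data channel with PROT P (RFC 4217); the log format, function name and sessions are constructed.

```python
DATA_VERBS = {"RETR", "STOR", "APPE", "LIST", "NLST", "MLSD"}

def audit_session(lines):
    """Audit one server-side control-channel log ('C: cmd' / 'S: reply')."""
    findings = []
    tls_active = False      # AUTH TLS accepted with 234 (RFC 4217)
    data_private = False    # PROT P accepted with 200: data channel uses TLS
    pending = None          # client command still waiting for its reply
    for raw in lines:
        side, _, text = raw.partition(": ")
        parts = text.split()
        if not parts:
            continue
        if side == "S":
            code = parts[0][:3]
            if pending == "AUTH" and code == "234":
                tls_active = True
            elif pending == "PROT" and code == "200":
                data_private = True
            pending = None
            continue
        verb = parts[0].upper()
        arg = parts[1].upper() if len(parts) > 1 else ""
        pending = None
        if verb == "AUTH" and arg in ("TLS", "SSL"):
            pending = "AUTH"
        elif verb == "PROT" and arg == "P":
            pending = "PROT"
        elif verb in ("USER", "PASS") and not tls_active:
            # Record the verb only; never copy the credential into findings.
            findings.append(("cleartext-credentials", verb))
        elif verb in DATA_VERBS and not (tls_active and data_private):
            findings.append(("cleartext-data", verb))
    return findings

# Constructed session logs; user name, file names and password are placeholders.
LOGIN = ["C: USER alice", "S: 331 Password required",
         "C: PASS <placeholder>", "S: 230 Logged in"]
PLAIN_FTP = ["S: 220 ready"] + LOGIN + [
    "C: RETR report.csv", "S: 150 Opening", "S: 226 Done"]
TLS_CONTROL_ONLY = ["S: 220 ready", "C: AUTH TLS", "S: 234 Proceed"] + LOGIN + [
    "C: STOR backup.tar", "S: 150 Opening", "S: 226 Done"]
FULL_FTPS = ["S: 220 ready", "C: AUTH TLS", "S: 234 Proceed", "C: PBSZ 0",
             "S: 200 OK", "C: PROT P", "S: 200 OK"] + LOGIN + [
    "C: RETR report.csv", "S: 226 Done"]
```

The middle session is the case worth watching for: the login is protected, but the file itself still crosses the network unencrypted because PROT P was never sent.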
What Is SFTP
SFTP stands for SSH File Transfer Protocol. Unlike FTPS, it is not an extension to FTP and was built from the ground up.
So while it sounds similar to FTP and FTPS, it uses an entirely different protocol, called the Secure Shell (SSH). SFTP was created as an SSH extension to transfer files through the secure channel.
Using SFTP, the data is encrypted using SSH during data transfer, and no information is sent in plain text. SFTP authenticates both the user and the server and uses port 22.
Unlike FTP and FTPS, SFTP does not use separate command and data connections. Instead, both data and commands are transferred in specially formatted packets via a single connection. This makes file and data transfers using SFTP faster than other FTP connections.
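The single-connection framing described above, as an added example that is not from the original article: every SFTP message, whether a command or file contents, is a length-prefixed packet in the same byte stream. The layout and type numbers follow the SFTP protocol draft (draft-ietf-secsh-filexfer); the helper names, the 256 KiB size limit and the sample stream are assumptions made for this example.

```python
import struct

# Packet type numbers from the SFTP protocol draft (subset)
TYPES = {1: "INIT", 2: "VERSION", 3: "OPEN", 4: "CLOSE", 5: "READ", 6: "WRITE",
         101: "STATUS", 102: "HANDLE", 103: "DATA"}

def sftp_string(data):
    """SFTP string field: uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def frame(ptype, ident, payload=b""):
    """Build one packet: uint32 length | byte type | uint32 id | payload.

    For INIT/VERSION the uint32 after the type is the protocol version,
    for every other packet it is the request id.
    """
    body = struct.pack(">BI", ptype, ident) + payload
    return struct.pack(">I", len(body)) + body

def parse_stream(buf, max_len=256 * 1024):
    """Split a decrypted SFTP byte stream into (type, id, payload) tuples.

    Returns (packets, leftover); leftover is an incomplete trailing packet
    to be kept until more bytes arrive. max_len is an assumed sanity limit.
    """
    packets, pos = [], 0
    while len(buf) - pos >= 4:
        (length,) = struct.unpack_from(">I", buf, pos)
        if length < 5 or length > max_len:
            raise ValueError(f"implausible packet length {length}")
        if len(buf) - pos - 4 < length:
            break  # packet not complete yet
        ptype, ident = struct.unpack_from(">BI", buf, pos + 4)
        payload = buf[pos + 9 : pos + 4 + length]
        packets.append((TYPES.get(ptype, ptype), ident, payload))
        pos += 4 + length
    return packets, buf[pos:]

# Constructed client-to-server stream: handshake, a WRITE that carries file
# bytes (handle, uint64 offset, data), then CLOSE, all on one connection.
HANDLE = sftp_string(b"h0")
WRITE_PAYLOAD = HANDLE + struct.pack(">Q", 0) + sftp_string(b"hello")
STREAM = frame(1, 3) + frame(6, 8, WRITE_PAYLOAD) + frame(4, 9, HANDLE)
```

`parse_stream` works on the bytes carried inside the SSH channel after decryption; on the wire the whole stream is encrypted by SSH.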
With SFTP, you can use a user ID and password. The other authentication method you can use with SFTP is SSH keys.
Since SFTP shares the default port 22 with other SSH services, it is usually bundled with the SSH server implementation, which is built-in with any Linux machine.
FTP vs. FTPS vs. SFTP: Which Protocol Should I Use?
Above all, when transferring data from a flat filesystem, if you have options such as FTPS or SFTP, please use them. FTP is not as secure as the other protocols on this list.
FTP works for legacy devices that don’t support encryption, but if you have access to encryption, it’s better to use FTPS or SFTP.
So that leaves FTPS vs. SFTP. Both are secure FTP protocols with robust authentication options, but they are also two completely different protocols.
The key distinguishing feature of FTPS and SFTP protocols is the underlying transport mechanism.
If you’re concerned with the security of your data, SFTP is the way to go, as it is the most secure and compliant file transfer method.
As with FTP and FTPS, you can use usernames and passwords to authenticate. However, with SFTP, these credentials are encrypted, making it more secure.
In addition, SFTP uses only one connection to transfer data instead of two for FTP and FTPS and encrypts both authentication credentials and data being transmitted on this single channel.
Furthermore, FTPS requires a secondary data channel, which makes it hard to use behind firewalls. SFTP, by contrast, is much easier to pass through firewalls, so we believe SFTP is the winner between the two.
Learning about the different protocols might seem daunting. We’ve compiled a shortlist of the differences that can help clarify which protocol would be best for your use.
These days if you want encryption and reliability, it is difficult to go wrong with either FTPS or SFTP. So, if you care about security with a capital ‘S,’ you should also give an ‘S’ about FTP.
Hopefully, this article clarifies things around FTP vs. FTPS vs. SFTP. Please feel free to drop your comments if you want to share more information about the topic discussed above.