FTP vs. FTPS

March 2nd, 2014 by Rossy Guide

What is FTP?

FTP is an acronym for File Transfer Protocol. It is a standard network protocol used to transfer files from one host to another host over a TCP-based network, such as the Internet.

With FTP, you can update (delete, rename, move, and copy) files at a server. You need to log on to an FTP server. However, publicly available files are easily accessed using anonymous FTP.

Basic FTP support is usually provided as part of a suite of programs that come with TCP/IP. However, any FTP client program with a graphical user interface usually must be downloaded from the company that makes it.

What is FTPS?

FTPS (also known as FTP-ES, FTP-SSL and FTP Secure) is an extension to the commonly used File Transfer Protocol (FTP) that adds support for the Transport Layer Security (TLS) and the Secure Sockets Layer (SSL) cryptographic protocols. FTPS should not be confused with the SSH File Transfer Protocol (SFTP), an incompatible secure file transfer subsystem for the Secure Shell (SSH) protocol. It is also different from Secure FTP, the practice of tunneling FTP through an SSH connection.

When establishing an SSL secure session, the following steps occur:

– Authenticate the server to the client.
– Allow the client and server to select the cryptographic algorithms, or ciphers, that they both support.
– Optionally authenticate the client to the server.
– Use public-key encryption techniques to generate shared secrets.

SSL is a commonly used protocol for managing the security of a message transmission on the Internet. SSL uses the public-and-private key encryption system from RSA, which also includes the use of a digital certificate. The use of the digital certificate is the only difference between FTP and FTP/S. The FTP/S gateway supports standard FTP/S with clear control channel (CCC) enabled.

Comparison

FTP

FTP classic

  • Plain FTP
  • Clear-text password sent over the network
  • Typically runs over TCP port 21
  • Defined by RFC 959 and 1123
  • Implemented in FTP/SSL component

FTPS

FTP over TLS/SSL

  • Often called ‘FTPS’
  • Often called ‘Secure FTP’
  • Plain FTP over TLS/SSL channel
  • Password is encrypted
  • Transfer is encrypted
  • Typically runs over TCP port 21 or 990
  • Defined by RFC 959, 1123, 4217 and 2228
  • Implemented in FTP/SSL component
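
The comparison above, together with the CCC option mentioned earlier, as an added example that is not part of the original article: a Python function that walks a server-side log of FTP commands and reply codes and reports which commands, including the password, crossed the network outside TLS. The function name, the log format and the sample sessions are assumptions constructed for illustration; 234 and 200 are the success replies to AUTH and to PBSZ/PROT/CCC.

```python
# Added example (not from the original article): audit an FTP control-channel
# log and report what a network eavesdropper could read. All session data
# below is constructed for illustration.

def audit_session(exchanges, implicit_tls=False):
    """exchanges: ordered (client_command, server_reply_code) pairs."""
    tls_on = implicit_tls  # implicit FTPS (port 990) is inside TLS from the start
    findings = {"password_in_clear": False, "data_encrypted": False,
                "exposed_commands": []}
    for command, reply in exchanges:
        verb, _, arg = command.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip().upper()
        if not tls_on:
            # Sent outside TLS: readable on the wire, whatever the server replies.
            findings["exposed_commands"].append(verb)
            if verb == "PASS":
                findings["password_in_clear"] = True
        if verb == "AUTH" and arg in ("TLS", "SSL") and reply == 234:
            tls_on = True       # 234 = server accepts, TLS handshake follows
        elif verb == "PROT" and reply == 200:
            # Assumption: data channel counts as encrypted only after PROT P.
            findings["data_encrypted"] = tls_on and arg == "P"
        elif verb == "CCC" and reply == 200:
            tls_on = False      # control channel reverts to cleartext
    return findings

# Constructed sample sessions.
PLAIN_FTP = [("USER alice", 331), ("PASS example-password", 230),
             ("PASV", 227), ("RETR report.csv", 226)]
EXPLICIT_FTPS = [("AUTH TLS", 234), ("PBSZ 0", 200), ("PROT P", 200),
                 ("USER alice", 331), ("PASS example-password", 230),
                 ("PASV", 227), ("RETR report.csv", 226)]
FTPS_WITH_CCC = EXPLICIT_FTPS[:5] + [("CCC", 200), ("PASV", 227),
                                     ("RETR report.csv", 226)]
# Server refuses AUTH TLS and the client carries on without it.
REFUSED_TLS = [("AUTH TLS", 502)] + PLAIN_FTP

if __name__ == "__main__":
    for name, log in [("plain", PLAIN_FTP), ("explicit", EXPLICIT_FTPS),
                      ("ccc", FTPS_WITH_CCC), ("refused", REFUSED_TLS)]:
        print(name, audit_session(log))
```

The REFUSED_TLS session is the case to check for in client configuration: a client that continues after a rejected AUTH TLS exposes the password exactly as plain FTP does.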

Conclusion

SFTP and FTPS are both very secure with strong authentication options. In general, SFTP is technologically superior to FTPS. Since SFTP is much easier to port through firewalls, and FTPS, for this reason (it needs a range of ports to be opened), poses additional security threats to the network, I believe SFTP is the clear winner in case you need a secure FTP for your application integration needs.

In our protocol evaluation, considering the above points, I feel we can go with SFTP for secured file transfer and can omit FTPS. FTPS is omitted not because it is not suitable, but because SFTP does the same things and is superior to FTPS in many ways. There are good reasons to support both FTPS and SFTP for secure file operations, and FTP for legacy devices. Organizations rarely have the option of supporting only one file transfer protocol, and solutions that support all 3 are commonplace today.
