
I am exploring the ability of FTPS (FTP over SSL using explicit TLS) to encrypt the data channel. I read online that the secure data channel can be entered by entering the PROT command, PROT P for private.

Sorry if my question is too naive as I am new to this area, but doesn't SSL offer encryption of the data channel anyway by default? Or does TLS encrypt the data channel by default if explicit TLS is used?

Any help would be much appreciated.

Nicki
  • https://en.wikipedia.org/wiki/FTPS#Secure_data_channel – schroeder Feb 24 '16 at 00:29
  • @schroeder Thanks so much for sharing the link. I suppose my question is: doesn't using explicit SSL/TLS offer encryption of the data channel, thereby making the PROT command obsolete/redundant? I am trying to avoid the need for my dev team to make a codebase change, deployment, etc., as I don't think we encrypt the data channel at the moment. – Nicki Feb 24 '16 at 00:36
  • Nicki, the page @schroeder linked to is for FTPS and it says the data channel is not encrypted by default. It seems pretty unambiguous to me. That said, I too am dumbfounded that, in 2016, it is insecure by default. But, dumbfounded or not, that seems the case. – Neil Smithline Feb 24 '16 at 02:10

1 Answer


You are correct in that SSL/TLS does provide encryption of the data. However, one thing to keep in mind with FTPS is that there are actually two TCP connections involved: the control connection (e.g. to port 21) over which FTP commands are sent and responses received, and the data connection, over which requested data such as directory listings and file uploads/downloads are transferred.

The PROT FTP command is for configuring the protection for those data transfers; see RFC 4217, Section 9 for the specification/details. The control connection will have its SSL/TLS session, and thus be encrypted (and protecting your USER and PASS values). But should the data connection also use SSL/TLS? Some use cases may say yes, some may say no. Most sites wishing to use the full benefits of SSL/TLS for data privacy and confidentiality will want to use PROT P for encrypting the data connection, in addition to the protection on the control connection. Sites that don't want this may allow FTPS clients to send PROT C, to request that data transfers not be encrypted. (And some FTPS servers also allow the CCC command, which can be used to remove the SSL/TLS encryption from the control connection.)

Hope this helps!

Castaglia
  • You may want to include a reference link. Perhaps schroeder's https://en.wikipedia.org/wiki/FTPS#Secure_data_channel makes sense. – Neil Smithline Feb 24 '16 at 02:07
  • And thus we realize again that SFTP is a better choice. Good writeup! As always, whenever setting up a TLS server or client, be very careful in your [cipher suite](https://security.stackexchange.com/q/76993/39623) choices! – Anti-weakpasswords Feb 24 '16 at 03:26
  • @Castaglia Thank you so much!! That makes perfect sense. You are a legend :-) Also thank you Neil Smithline and Anti-weakpasswords for your valuable inputs and suggestions. – Nicki Mar 03 '16 at 00:19
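The RFC 4217 command sequence the answer describes (AUTH TLS, then PBSZ 0, then PROT P or PROT C, optionally CCC) as an added example, not code from the original answer: `audit_control_session` replays a constructed list of client control-channel commands and reports whether the login and each data transfer would have been TLS-protected, which is a quick way to check what an existing client actually sends; `fetch_listing` shows the minimal `ftplib` change (the `prot_p()` call) that turns on data-channel encryption. Host and credentials in `fetch_listing` are placeholders supplied by the caller.

```python
"""Audit FTPS control-channel commands for data-channel protection (RFC 4217)."""
import ssl
from ftplib import FTP_TLS

TRANSFER_VERBS = ("RETR", "STOR", "LIST", "NLST", "MLSD")


def audit_control_session(commands):
    """Replay client commands (a constructed list, not a real capture) and
    return which data transfers were encrypted and whether USER/PASS went
    over a cleartext control connection. Rules follow RFC 4217: PBSZ is
    only accepted after AUTH TLS, PROT only after PBSZ (else 503), PROT
    defaults to C, and CCC strips TLS from the control connection only."""
    control_tls, pbsz_done, data_prot = False, False, "C"
    cleartext_login, transfers = False, []
    for line in commands:
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.upper()
        if verb == "AUTH" and arg == "TLS":
            control_tls = True
        elif verb in ("USER", "PASS") and not control_tls:
            cleartext_login = True          # credentials visible on the wire
        elif verb == "PBSZ" and control_tls:
            pbsz_done = True
        elif verb == "PROT" and pbsz_done and arg in ("C", "P"):
            data_prot = arg                 # S and E are not supported with TLS
        elif verb == "CCC" and control_tls:
            control_tls = False             # data protection level is unchanged
        elif verb in TRANSFER_VERBS:
            transfers.append((line.strip(), data_prot == "P"))
    return {"cleartext_login": cleartext_login, "transfers": transfers}


def fetch_listing(host, user, password, encrypt_data=True):
    """Real client: FTP_TLS.login() issues AUTH TLS before USER/PASS, and
    prot_p() sends 'PBSZ 0' then 'PROT P'. Without that call the LIST
    reply below crosses the network in cleartext. Host/user/password are
    caller-supplied placeholders."""
    ftps = FTP_TLS(host, context=ssl.create_default_context())
    ftps.login(user, password)
    if encrypt_data:
        ftps.prot_p()
    else:
        ftps.prot_c()                       # explicit cleartext data channel
    lines = []
    ftps.retrlines("LIST", lines.append)
    ftps.quit()
    return lines
```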