21

What are the basic differences and security implications of using SFTP, FTPS and SecureFTP?

AviD
Eric Warriner

1 Answer

30

There are 3 different protocols commonly used for transferring files over the Internet, and they are commonly confused with each other:

  • FTPS - an extension to the FTP protocol to support using FTP over SSL/TLS. This is typically based on a client-requested negotiation, and there are specific FTP commands to request/enforce/implement the encryption using SSL.
  • FTP over SSH (commonly called SecureFTP) - tunneling standard FTP over an SSH connection. Take into account that it is a bit more complicated to force the data channels to continue tunneling over SSH, even if the control channel is tunnelled.
  • SFTP - This is a completely different protocol, SSH File Transfer Protocol. This is not related to FTP, but is a completely different protocol. SFTP is actually a sub-protocol from the SSH protocol suite, i.e. an SSH extension (however I understand that it can be used separately, too).

Advantage of FTPS is that it is similar to HTTPS - same type of certificate, etc. Many web servers support FTPS natively, and thus it is often "simpler" to set up and have admins up to speed faster.
SFTP has advantage in *nix shops, that are typically already more SSH-friendly - if they already set up a public SSH server securely, it's pretty simple to add SFTP functionality.
Note that SecureFTP (FTP over SSH) is NOT trivial in any case (even if you already have the SSH set up), and I haven't seen it in use by security-conscious orgs (that's not to say it CAN'T be, but isn't commonly).

plr108
AviD
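As an added example (not part of the original answer), the client-requested negotiation described for FTPS can be checked from a client debug log: the code below flags credentials sent before `AUTH TLS` is accepted and transfers started without `PROT P`. The command names and reply codes are those of RFC 4217; the function name `audit_ftps`, the transcript format and the sample sessions are constructed for illustration.

```python
# Added example, not from the original answer. Command names and reply codes
# follow RFC 4217; the transcripts below are constructed client debug logs.
DATA_CMDS = {"LIST", "NLST", "MLSD", "RETR", "STOR", "STOU", "APPE"}
CRED_CMDS = {"USER", "PASS"}

def audit_ftps(transcript):
    """Audit ("C"|"S", line) tuples from an FTP control channel; return findings."""
    findings = []
    tls_on = False        # AUTH accepted: control channel is encrypted
    prot_private = False  # PROT P accepted: data channel is encrypted
    pending = None        # client command still waiting for its reply
    for side, line in transcript:
        parts = line.strip().split(None, 1)
        if not parts:
            continue
        if side == "C":
            verb = parts[0].upper()
            arg = parts[1].strip().upper() if len(parts) > 1 else ""
            pending = (verb, arg)
            if verb in CRED_CMDS and not tls_on:
                findings.append(f"{verb} sent before TLS was negotiated")
            elif verb in DATA_CMDS and not (tls_on and prot_private):
                findings.append(f"{verb} uses an unprotected data channel")
            elif verb == "CCC":
                findings.append("CCC returns the control channel to cleartext")
        elif pending:
            if line[3:4] == "-":  # "NNN-" continuation of a multiline reply
                continue
            (verb, arg), pending = pending, None
            code = line[:3]
            if verb == "AUTH" and code == "234":
                tls_on = True
            elif verb == "PROT" and code == "200":
                prot_private = arg == "P"
            elif verb == "CCC" and code == "200":
                tls_on = False
    return findings

PLAIN = [("S", "220 ready"), ("C", "USER alice"), ("S", "331 need password"),
         ("C", "PASS example"), ("S", "230 ok"), ("C", "RETR report.csv")]
CONTROL_ONLY = [("S", "220 ready"), ("C", "AUTH TLS"), ("S", "234 go ahead"),
                ("C", "USER alice"), ("S", "331 need password"),
                ("C", "PASS example"), ("S", "230 ok"), ("C", "LIST")]
ENFORCED = CONTROL_ONLY[:3] + [("C", "PBSZ 0"), ("S", "200 ok"),
                               ("C", "PROT P"), ("S", "200 ok")] + CONTROL_ONLY[3:]

if __name__ == "__main__":
    for t in (PLAIN, CONTROL_ONLY, ENFORCED):
        print(audit_ftps(t))
```

The `CONTROL_ONLY` session shows the case that is easy to miss: the login is encrypted, but the directory listing still travels over a cleartext data connection because `PROT P` was never requested.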
  • I guess differentiating sftp from scp would be of some use, but it might clutter things. And the non-trivial aspects of the extension and its own security issues. – hpavc Nov 29 '10 at 19:58
  • @hpavc, as far as I know SCP is pretty much a historical protocol, out of which grew SFTP (kind of like SSL -> TLS). Or am I wrong about that one? – AviD Nov 29 '10 at 20:02
  • @AviD, in a nutshell, SFTP is the elaborated version of SCP. It comes with more features, the tradeoff being it is slower than SCP at copying files. See http://superuser.com/questions/134901/whats-the-difference-between-scp-and-sftp – ack__ Mar 03 '14 at 18:49
  • Even though SFTP is a totally different protocol, it is designed to have an FTP-like interface with the same commands. People who are used to FTP or FTPS will generally be comfortable using SFTP. – forest Apr 07 '18 at 05:56
  • "Advantage of FTPS is that it is similar to HTTPS - same type of certificate" Yes, OTOH: advantage of scp, SFTP is that they are similar to ssh - same type of public keys (so same security model, same repository of keys, etc.) – curiousguy Jun 21 '18 at 12:57