FTPS vs. SFTP: What to Choose

File transfer over the network with the FTP protocol (RFC 959 and later extensions) has its roots in the early 1970s, when the first FTP RFC was published; the base specification still in use dates from 1985. FTP provides functions to upload, download, and delete files; create and delete directories; and read directory contents. Although FTP is very popular, it has certain disadvantages that make it harder to use. The major drawbacks are the lack of a uniform directory listing format (partially solved by the MLST/MLSD commands of RFC 3659, which some servers still don't support) and the presence of a secondary connection (the DATA connection). Security in FTP is provided by running the control and data channels over SSL/TLS, negotiated with the AUTH, PBSZ, and PROT commands defined in RFC 2228 (the TLS profile is RFC 4217). The secured version of FTP is called FTPS.

In UNIX systems, another security standard grew up: the SSH family of protocols. The primary function of SSH was to secure remote shell access to UNIX systems. Later, SSH was extended with file transfer: first SCP (a thin wrapper around the old BSD rcp protocol, available since SSH 1.x), and then SFTP (designed for SSH2). Version 1 of the SSH protocol is outdated, insecure, and generally not recommended for use. SCP survives as a convenience command, but it has no directory listing or attribute operations, so SFTP has become the file transfer protocol of the SSH family; OpenSSH 9.0 even switched its scp command to speak SFTP underneath.

The "SFTP" abbreviation is often mistakenly used to specify some kind of Secure FTP, by which people most often mean FTPS. Another (similar) mistake is that SFTP is thought to be some kind of FTP over SSL. In fact, SFTP is an abbreviation of "SSH File Transfer Protocol." This is not FTP over SSL and not FTP over SSH (which is also technically possible, but very rare).

SFTP is a binary protocol. It was never published as an RFC: the protocol is documented in the IETF Secure Shell working group's Internet-Drafts (draft-ietf-secsh-filexfer), which cover protocol versions 3 through 6, and most deployed software, including OpenSSH, speaks version 3. RFC 4253 specifies the SSH transport layer that SFTP rides on, not SFTP itself. All commands (requests) are packed into binary messages and sent to the server, which replies with binary reply packets. Later draft versions extended SFTP beyond file upload/download to file-system operations such as file locking, symbolic link creation, and so forth.

Both FTPS and SFTP use a combination of an asymmetric algorithm (RSA, DSA, and today ECDSA and Ed25519), a symmetric cipher (DES/3DES, AES, Twofish, and so on), and a key-exchange algorithm. For authentication, FTPS (or, to be more precise, the SSL/TLS protocol under FTP) uses X.509 certificates, whereas SFTP (the SSH protocol) uses SSH keys: the server proves its identity with a host key, and the client authenticates with a password or a user key.

X.509 certificates include the public key, information about the certificate owner (the subject name), a validity period, and a signature by a certificate authority. The CA signature binds the name to the key, so the other side can verify the integrity of the certificate itself and the authenticity of its owner by validating the chain up to a trusted root, checking the name, and consulting revocation data. Verification can be done by computer and, to some extent, by a human. An X.509 certificate has an associated private key that is usually stored separately from the certificate for security reasons.

An SSH key contains only the public key (the associated private key is stored separately) and an optional free-text comment. It doesn't contain any information about the owner of the key, nor anything that lets one validate its integrity and authenticity on its own: trust is established by comparing the key's fingerprint with one obtained out of band, which in practice means known_hosts files, "trust on first use" prompts that users tend to click through, and administrative effort to distribute and rotate keys. (OpenSSH can also issue its own certificates signed by a local CA key, but these are not X.509 certificates.) Some SSH software implementations use X.509 certificates for authentication, but in fact they don't validate the whole certificate chain; only the public key is used, which makes such authentication incomplete and similar to plain SSH key authentication.
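The two paragraphs above can be made concrete by looking at what an OpenSSH public key line actually contains and how a client decides to trust it. The following is an added example, not code from the article or from any SSH implementation: it builds an OpenSSH-format public key from constructed (not real) Ed25519 key bytes, parses it back, derives the same SHA256 fingerprint that ssh-keygen -lf prints, and checks a presented host key against a fingerprint pinned by the administrator. The host name sftp.example.com and the pin table are assumptions for the example.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import struct


def _string(b: bytes) -> bytes:
    """SSH 'string' encoding: uint32 length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def build_openssh_public_key(key_type: str, key_fields: bytes, comment: str = "") -> str:
    """One-line OpenSSH public key: '<type> <base64 blob> [comment]'.

    The blob is nothing but the type name followed by the algorithm's raw
    fields (for ssh-ed25519: one 32-byte string). No owner, no issuer, no
    validity period, no signature: just key material and a free-text comment.
    """
    blob = _string(key_type.encode()) + _string(key_fields)
    line = f"{key_type} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}" if comment else line


def parse_openssh_public_key(line: str) -> tuple[str, bytes, str]:
    """Return (key_type, blob, comment); reject lines whose prefix and blob disagree."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    n = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + n].decode() != key_type:
        raise ValueError("key type in blob does not match prefix")
    return key_type, blob, comment


def fingerprint_sha256(blob: bytes) -> str:
    """Same value ssh-keygen -lf prints: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_is_trusted(presented_line: str, pins: dict[str, str], host: str) -> bool:
    """Accept the presented host key only if its fingerprint matches the pin for host.

    Unknown hosts are rejected outright (no trust-on-first-use), the policy
    equivalent of StrictHostKeyChecking=yes with a pre-populated known_hosts.
    """
    expected = pins.get(host)
    if expected is None:
        return False
    _, blob, _ = parse_openssh_public_key(presented_line)
    return hmac.compare_digest(fingerprint_sha256(blob), expected)


# Constructed sample material, NOT real keys. The "genuine" host key uses bytes
# 0..31 as its fake Ed25519 public point; the attacker's key uses all zeros.
GENUINE_KEY = build_openssh_public_key("ssh-ed25519", bytes(range(32)), "sftp.example.com host key")
FORGED_KEY = build_openssh_public_key("ssh-ed25519", bytes(32))

# What the administrator records out of band (e.g. from the server console at
# install time) and distributes to clients. The host name is an assumption.
PINS = {"sftp.example.com": fingerprint_sha256(parse_openssh_public_key(GENUINE_KEY)[1])}
```

Note what the check cannot do: nothing inside the key tells the client who owns it or whether it is still valid, so the whole assurance rests on how the pin reached the client. A certificate-based peer would instead be validated by chain building and name matching, as the TLS stack does for FTPS.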

Here's the brief list of pros and cons of the two protocols:

FTPS

Pros:

  • Widely known and used
  • The control channel is plain text that humans can read and understand
  • Provides services for server-to-server file transfer
  • SSL/TLS has good authentication mechanisms (X.509 certificate features)
  • FTP and SSL/TLS support is built into many Internet communication frameworks

Cons:

  • Doesn't have a uniform directory listing format
  • Requires a secondary DATA channel, which makes it hard to use behind firewalls: once the control channel is encrypted, a NAT device or firewall can no longer read the PORT/PASV exchange to open the data port on the fly, so the server must be pinned to a fixed passive port range that is opened explicitly
  • Doesn't define a standard for file name character sets (encodings)
  • Not all FTP servers support SSL/TLS
  • Doesn't have a standard way to get and change file and directory attributes
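To show the DATA-channel and authentication points in working code, here is an added example using Python's standard ftplib, not code from the article or from any vendor library. It builds an explicit-FTPS client (AUTH TLS on port 21, then PROT P) that verifies the server certificate against the system trust store, parses the 227 passive-mode reply that a firewall can no longer see once the control channel is encrypted, and checks the advertised data port against the range an administrator has opened. The host name, credentials, and passive range 50000-50100 are assumptions; the 227 reply in the test is constructed, not captured.

```python
from __future__ import annotations

import re
import ssl
from ftplib import FTP_TLS

# A 227 reply carries the data-channel endpoint as six decimal bytes:
# four for the IPv4 address and two for the port (p1*256 + p2).
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(reply: str) -> tuple[str, int]:
    """Return (address, port) from a '227 Entering Passive Mode (...)' reply.

    Under PROT P this reply travels inside TLS, so a NAT/firewall helper that
    would normally read it and open the data port on the fly cannot do so.
    """
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in reply: %r" % reply)
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    if max(a, b, c, d, p1, p2) > 255:
        raise ValueError("octet out of range in PASV reply")
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


def data_port_allowed(port: int, passive_range: tuple[int, int]) -> bool:
    """Check the advertised data port against the range opened on the firewall.

    The server must be pinned to this range (vsftpd calls the settings
    pasv_min_port/pasv_max_port) because nothing on the path can learn the port.
    """
    low, high = passive_range
    return low <= port <= high


def make_ftps_client() -> FTP_TLS:
    """Build (without connecting) an explicit-FTPS client that verifies the server.

    create_default_context() loads the system trust store, requires a
    certificate, and checks the host name; ftplib passes the host as
    server_hostname when it wraps the control socket.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ftps = FTP_TLS(context=ctx)
    ftps.set_pasv(True)  # passive mode: the client opens the data connection
    return ftps


def client_verifies_server(ftps: FTP_TLS) -> bool:
    """True if the client will reject an unverified or mis-named certificate."""
    ctx = ftps.context
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def list_directory(host: str, user: str, password: str,
                   passive_range: tuple[int, int] = (50000, 50100)) -> list[str]:
    """Full explicit-FTPS session (not executed here; host and credentials are assumptions)."""
    ftps = make_ftps_client()
    ftps.connect(host, 21)
    ftps.auth()            # AUTH TLS: upgrade the control channel before sending credentials
    ftps.login(user, password)
    ftps.prot_p()          # PBSZ 0 + PROT P: encrypt data connections too (default is clear)
    # Pre-flight check: ask for a passive endpoint and confirm it lies in the
    # range the firewall allows; retrlines() below negotiates its own port.
    _addr, port = parse_pasv_reply(ftps.sendcmd("PASV"))
    if not data_port_allowed(port, passive_range):
        ftps.quit()
        raise RuntimeError(f"server advertised data port {port} outside {passive_range}")
    lines: list[str] = []
    ftps.retrlines("LIST", lines.append)   # free-form text listing, server-specific format
    ftps.quit()
    return lines
```

Two details worth keeping in mind when adapting this: implicit FTPS (TLS from the first byte on port 990) is a different, non-standard mode that FTP_TLS does not speak; and the LIST output returned at the end is exactly the non-uniform text listing the article complains about, so anything that needs sizes or timestamps should use MLSD where the server supports it.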

SFTP

Pros:

  • Has good standards background that strictly defines most (if not all) aspects of operations
  • Has only one connection (no need for DATA connection)
  • The connection is always secured
  • The directory listing is uniform and machine-readable
  • The protocol includes operations for permission and attribute manipulation, file locking, and more

Cons:

  • The communication is binary and can't be logged "as is" for human reading
  • SSH keys are harder to manage and validate (no CA chain; fingerprints must be verified out of band)
  • The standards define certain things as optional or recommended, which leads to compatibility problems between software from different vendors
  • No server-to-server copy and no recursive directory removal operations
  • No built-in SSH/SFTP support in VCL and .NET frameworks
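The "binary protocol" paragraph earlier and the "uniform, machine-readable directory listing" entry above describe the same wire format. The following added example, written for this page and not taken from the article or from any SFTP implementation, encodes the SFTP version-3 request packets a client sends to list a directory (INIT, OPENDIR, READDIR) and decodes the server's VERSION, HANDLE, and NAME replies, including the structured ATTRS block that carries size, permissions, and times. The server reply stream at the bottom is constructed in the same code, not captured from a real server; the 256 KiB packet bound is an assumption chosen for the example.

```python
from __future__ import annotations

import struct

# Packet types from the SFTP version-3 draft; only the ones used here.
SSH_FXP_INIT, SSH_FXP_VERSION, SSH_FXP_CLOSE = 1, 2, 4
SSH_FXP_OPENDIR, SSH_FXP_READDIR = 11, 12
SSH_FXP_STATUS, SSH_FXP_HANDLE, SSH_FXP_NAME = 101, 102, 104
# ATTRS flag bits; fields appear in this order when their bit is set.
ATTR_SIZE, ATTR_UIDGID, ATTR_PERMISSIONS, ATTR_ACMODTIME = 0x1, 0x2, 0x4, 0x8
MAX_PACKET = 256 * 1024  # sanity bound (assumption) against absurd allocations


def _u32(n: int) -> bytes: return struct.pack(">I", n)
def _u64(n: int) -> bytes: return struct.pack(">Q", n)
def _string(b: bytes) -> bytes: return _u32(len(b)) + b


def frame(ptype: int, body: bytes) -> bytes:
    """Wire format of every packet: uint32 length | byte type | body."""
    return _u32(1 + len(body)) + bytes([ptype]) + body


# ---- client side: requests ----
def init_packet(version: int = 3) -> bytes:
    return frame(SSH_FXP_INIT, _u32(version))          # INIT carries no request id


def opendir_packet(req_id: int, path: str) -> bytes:
    return frame(SSH_FXP_OPENDIR, _u32(req_id) + _string(path.encode()))


def readdir_packet(req_id: int, handle: bytes) -> bytes:
    return frame(SSH_FXP_READDIR, _u32(req_id) + _string(handle))


# ---- server side: replies ----
def encode_attrs(size=None, permissions=None, atime=None, mtime=None) -> bytes:
    flags, body = 0, b""
    if size is not None:
        flags |= ATTR_SIZE; body += _u64(size)
    if permissions is not None:
        flags |= ATTR_PERMISSIONS; body += _u32(permissions)
    if atime is not None and mtime is not None:
        flags |= ATTR_ACMODTIME; body += _u32(atime) + _u32(mtime)
    return _u32(flags) + body


def name_reply(req_id: int, entries: list[tuple[str, str, bytes]]) -> bytes:
    body = _u32(req_id) + _u32(len(entries))
    for filename, longname, attrs in entries:      # longname is display-only text
        body += _string(filename.encode()) + _string(longname.encode()) + attrs
    return frame(SSH_FXP_NAME, body)


class _Reader:
    def __init__(self, data: bytes): self.data, self.pos = data, 0

    def _take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated packet")
        chunk = self.data[self.pos:self.pos + n]; self.pos += n
        return chunk

    def byte(self) -> int: return self._take(1)[0]
    def u32(self) -> int: return struct.unpack(">I", self._take(4))[0]
    def u64(self) -> int: return struct.unpack(">Q", self._take(8))[0]
    def string(self) -> bytes: return self._take(self.u32())


def parse_attrs(r: _Reader) -> dict:
    flags, attrs = r.u32(), {}
    if flags & ATTR_SIZE: attrs["size"] = r.u64()
    if flags & ATTR_UIDGID: attrs["uid"], attrs["gid"] = r.u32(), r.u32()
    if flags & ATTR_PERMISSIONS: attrs["permissions"] = r.u32()
    if flags & ATTR_ACMODTIME: attrs["atime"], attrs["mtime"] = r.u32(), r.u32()
    return attrs


def parse_packet(buf: bytes) -> tuple[dict, bytes]:
    """Decode one packet from the front of buf; return (packet, remaining bytes)."""
    if len(buf) < 4:
        raise ValueError("need more data")
    length = struct.unpack(">I", buf[:4])[0]
    if length == 0 or length > MAX_PACKET:
        raise ValueError(f"bad packet length {length}")
    if len(buf) < 4 + length:
        raise ValueError("need more data")
    r = _Reader(buf[4:4 + length])
    pkt = {"type": r.byte()}
    if pkt["type"] == SSH_FXP_VERSION:
        pkt["version"] = r.u32()
    elif pkt["type"] == SSH_FXP_HANDLE:
        pkt["id"], pkt["handle"] = r.u32(), r.string()
    elif pkt["type"] == SSH_FXP_STATUS:
        pkt["id"], pkt["code"] = r.u32(), r.u32()
        pkt["message"], pkt["lang"] = r.string().decode(), r.string().decode()
    elif pkt["type"] == SSH_FXP_NAME:
        pkt["id"], count = r.u32(), r.u32()
        pkt["names"] = [{"filename": r.string().decode(), "longname": r.string().decode(),
                         "attrs": parse_attrs(r)} for _ in range(count)]
    return pkt, buf[4 + length:]


def decode_stream(buf: bytes) -> list[dict]:
    """Split a byte stream into packets, as a client does on its SSH channel."""
    packets = []
    while buf:
        pkt, buf = parse_packet(buf)
        packets.append(pkt)
    return packets


def listing_from_name_reply(pkt: dict) -> list[tuple[str, int, int]]:
    """(name, size, permissions) straight from ATTRS: no 'ls -l' text parsing."""
    return [(n["filename"], n["attrs"].get("size", 0), n["attrs"].get("permissions", 0))
            for n in pkt["names"]]


# Constructed server reply stream (not captured): VERSION, the HANDLE answering
# OPENDIR, then one NAME page answering READDIR.
SAMPLE_REPLIES = (
    frame(SSH_FXP_VERSION, _u32(3))
    + frame(SSH_FXP_HANDLE, _u32(1) + _string(b"\x00\x00\x00\x01"))
    + name_reply(2, [
        ("report.txt", "-rw-r--r--  1 alice staff 1234 Nov 14 22:13 report.txt",
         encode_attrs(size=1234, permissions=0o100644, atime=1700000000, mtime=1700000000)),
        ("sub", "drwxr-xr-x  2 alice staff 4096 Nov 14 22:13 sub",
         encode_attrs(size=4096, permissions=0o040755)),
    ])
)
```

The length-prefixed framing is also why SFTP logs are not human-readable: a capture shows raw packets, and you need a decoder like this (or sftp -vvv on the client) to see which request produced which reply. Rejecting zero or oversized lengths before allocating is the one defensive check every such decoder should have.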

What to Choose

As usual, the answer depends on what your goals and requirements are. In general, SFTP is technologically superior to FTPS. Of course, it's a good idea to implement support for both protocols, but they differ in concepts, in supported commands, and in many other respects.

It's a good idea to use FTPS when you have a server that needs to be accessed from personal devices (smartphones, PDAs, and the like) or from some specific operating systems that have FTP support but don't have SSH/SFTP clients. If you are building a custom security solution, SFTP is probably the better option.

As for the client side, the requirements are defined by the server(s) that you plan to connect to. When connecting to Internet servers, SFTP is more popular because Linux and UNIX servers support it by default (OpenSSH ships with an sftp-server subsystem).

For private host-to-host transfer, you can use both SFTP and FTPS. For FTPS, you would need to search for a free FTPS client and server software or purchase a license for commercial one. For SFTP support, you can install an OpenSSH package that provides free client and server software.

Developer Tools

If you are a software developer and need to implement file transfer capability in your application, you will be searching for the components to do the job.

In .NET, you have built-in support for FTPS in the .NET Framework (see the FtpWebRequest class and its EnableSsl property). However, the functionality of this class is severely limited, especially in its control over SSL/TLS. The .NET Framework doesn't include any support for SSH or SFTP.

In VCL (Delphi and C++Builder), you have a selection of free components and libraries that provide FTP functionality. When you add OpenSSL to them, you get FTPS for free. If you don't want to deal with OpenSSL DLLs, you can use one of the commercially available libraries for SSL and FTPS support. Again, there are no freeware SFTP components available for VCL.

If your tool requires ActiveX controls, you need to look for commercial FTPS or SFTP controls; no free controls are available. The SecureBlackbox library provides both FTPS and SFTP support for .NET, VCL, and ActiveX.

Comments

  • Chart of FTPS vs. SFTP (and FTP, HTTP...)

    Posted by jlampe on 09/17/2012 11:14am

    If you're interested in viewing a chart comparing FTPS and SFTP (and a few other protocols), try this: http://www.serv-u.com/transfer-protocols.asp If you want to test against a demo server supporting these protocols (over both IPv4 and IPv6), try this: http://www.serv-u.com/demo.asp

    Reply
  • All In One?

    Posted by asharpe on 10/29/2010 04:39pm

    My company is looking for a ready-to-purchase product with good support for FTPS and SFTP. Has anyone heard of or used a product called GoAnywhere Services? Their website is http://www.goanywheremft.com Regards, A Sharpe

    • SFTP & FTPS

      Posted by gpanou on 12/01/2010 07:34am

      Check the web site www.dart.com; they have components for .NET and ActiveX.

      Reply
    Reply
  • SFTP & FTPS component

    Posted by bblackshaw on 11/18/2008 06:29pm

    edtFTPnet/PRO provides a component that supports both SFTP and FTPS, as well as FTP. No code needs to be changed to swap protocols. Other features include directory transfers and synchronization. See http://www.enterprisedt.com/products/edtftpnetpro/overview.html for more details and a trial download.

    Reply