Home Support Blog SFTP, SCP, FTP, FTP/SSL - FTPS & Secure FTP comparison

SFTP, SCP, FTP, FTP/SSL - FTPS & Secure FTP comparison

The difference Between FTP and SFTP Protocols

File transferring over the internet has been an industry that is valued by both programmers and users as everybody needs their data secured of those who would steal their data or information. This is why transferring data over the internet has had a lot of improvements so that it would satisfy the needs of different internet users and webmasters. We are going to discuss 2 of them and how they are different. The FTP protocol stands for File transferring Protocol, and the SFTP stands for SSH File Transferring Protocol, or it could also be of Secure File Transferring Protocol.

Introduction to FTP (File Transferring Protocol):

The first one we are going to discuss is the FTP protocol as this protocol is considered the first reliable protocol to transferring data over the World Wide Web without problems. It was first presented over 40 years ago in the RFC 114 and then evolved to the standard RFC 959. To discuss how this protocol works we must first know that it works through two channels and not one. The first channel is the command channel and the second is the data channel. This is done to ensure some kind of security to data transfer over the internet. The main thing however is that the command channel uses the server port 21, this channel's mission is to authorize and connections that are coming from any source and especially from the FTP client. This FTP client could be any software or interface that is designed to call the command channel and ask for permission to transfer data through the data channel. There are some commands to assure the authenticity of the connections made like the command USER and the command PASS. There is also a note that the command channel is kept open all the time until it receives the command QUIT. When this happens all connection requests become invalid. This could also happen due to the time of inactivity disconnect set by the server.

Moving to the other channel which is the data channel, we could notice that this channel is a bit lighter on the resources until it starts the data transfer. This is because it is only opened when it receives an authorized command to transfer a certain file or a group of files from a location that is local to another on the server. This means that it remains in the idle state till it is actually given an order. Regarding the ports used to transfer data through the data channel, it is different as it uses different ports that it creates temporarily every time. This means that it would not interfere with any other software that might be using the same port for the mean time. There are commands to get the server listing (LIST), upload (STOR), or even download (RETR). These commands are sent through the command channel and received by this channel.

What about security?

Regarding this protocol (FTP) security issues, it actually is not secured in any other way as it does not use any type of data interception and thus, could be hacked easily. Another point is that although having 2 different channels and the command channel is used to authorize connection. It still cannot distinguish the connections coming from one source or another when having the same variables. There is however, a way you block connections that are coming to the command channel through port 21 by defining the allowed and blocked port ranges and thus you could be temporarily secured on the inbound connections that are coming to the server. However, the outbound connections cannot be set and are defined by the server. And this is why it gives a necessity to innovate another solution that would be of better use to everybody.

These connections however, could be controlled through what is called FTP proxy, which is a server that would enable the webmaster from monitoring the variables' lengths on the client to avoid buffer overflow attacks. It also enables the client to limit or prevent uploading certain types of files.

This made this protocol have a proposal to have a security feature of SSL, this was then took the standard of, RFC 2228

Introduction to FTPS (File Transferring Protocol Secured):

This is considered a fork of the FTP protocol that uses SSL encryption, and this is divided into FTPS Implicit SSL and Explicit SSL.

FTPS Implicit SSL

In the implicit SSL mode, the connection between the FTP client and the server is secured with SSL before transferring the files. This way you could ensure that all data transfers are secured, and also prevent any connections that are not.

FTPS Explicit SSL

In the explicit SSL mode, the connection could be established using the command channel of the FTP client. The commands: AUTH TLS and AUTH SSL, authorize the initiation of SSL encryption and thus, could be applied to normal FTP servers that did not implement SSL before in the implicit mode.

So How is SFTP (Secured File Transferring Protocol) Different?

After how the FTP protocol is elaborated, the idea of its lack of security is clear. Now to discuss one of the protocols that were designed to overcome the FTP protocol's weaknesses by filling the problems. And we are going to discuss the SFTP (Secured File Transferring protocol). Not to be confused with FTPS protocol, it encrypts data through the SSH encryption while the FTPS encrypts data through the SSL encryption. This means that the FTPS uses a shell to control all connections whether they were inbound or outbound. The SFTP is superior to the other file transferring protocols for using the Secure Shell protocol. This protocol is the best at what it does of authenticating and blocking different connections and data encryption over public networks. This is the main benefit that one could benefit from using SFTP. However there are still other benefits.

The other benefit that is very important is that SFTP, unlike FTP and even FTPS, uses the same port for data transfer and commands. This might sound not so good to some people, but they would not stay unpleased when they figure that the SFTP protocol itself changes the format of the packets and thus would not have a problem in going through the same port along with the commands of the transfer operation.

Security factors of SFTP (Secured File Transferring Protocol)

Regarding the security issue with file transferring protocols, SFTP is the one with the least problems as using the secured shell along with using an encryption cipher prevents any problems or attempts to monitor or intercept the data transferred over this protocol. Another thing to be aware of, is that the firewall allows the SFTP protocol to initiate both inbound and outbound connections through the server port 22. So there should not be a problem using it for any type of data transfer.

FTP firewall is the firewall that prevents or allows some types of connections and keeps the some types of inbound or outbound connections according to allowed ranges of passive ports.

Transfer files in .NET Applications

ComponentPro's Ultimate FTP and Ultimate SFTP libraries for .NET, Xamarin iOS, Xamarin Android, and .NET CF platforms have many advanced features including Auto-reconnect, auto-resume, unified file system, batch file operations, multi-thread transfer can help you add FTP and SFTP capabilities to your applications easily.

Conclusion

This was a brief introduction about the differences that we would get from using the SFTP protocol and the FTP protocol so that we should take caution when we are transferring crucial data as the more the internet becomes more spread, the more the necessity data security becomes. We should simply understand that the FTP is not encrypted and the SFTP is encrypted with the SSH encryption which is known to be the best in the industry today.

Updated on Jan 5th, 2015 by Robert Barksdale - ComponentPro Staff

by ComponentPro Software

Wednesday, April 21, 2010

Tags //  comparison  ftp  sftp