FTP, SFTP, FTPS: what is the difference?

A network protocol is a set of rules that allows network-enabled devices to connect and exchange data. Many network protocols are in common use today, but this article is devoted to FTP and its secure versions, SFTP and FTPS.

FTP (File Transfer Protocol) is a data transfer protocol that uses a dedicated file server to let users exchange text and binary files with any networked computer. Once the connection is established, the user can upload files to the remote machine and download data to the local computer.

Created in 1971, FTP is one of the oldest application protocols and appeared long before HTTP. Until the early 1990s, FTP handled about half of Internet traffic. Today it is widely used for software distribution.

Avoid using FTP! This protocol suffers from a grave shortcoming: it is not encrypted, so it sends authentication information (username and password) in plain text. An attacker in the same network segment as the FTP user can intercept the username and password, or obtain all the files without authorization, using a packet sniffer. The general solution to this pressing problem is to use the SFTP (SSH FTP) or FTPS (FTP over SSL) protocols, which encrypt information sent over an insecure connection.
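To make the cleartext problem concrete from the defender's side, the following Python code (an added example, not part of the original article) audits FTP control-channel lines and reports logins whose credentials were sent unencrypted, including the case where a client asks for TLS, is refused, and falls back to plain FTP. The transcripts, the `audit_control_channel` function name and the `(direction, line)` input format are assumptions made for this illustration.

```python
# Added example: flag FTP logins whose credentials crossed the wire unencrypted.
# Input: (direction, line) pairs, "C" = client, "S" = server. Samples are constructed.

PLAIN_FTP = [
    ("S", "220 FTP ready"),
    ("C", "USER alice"),
    ("S", "331 Password required"),
    ("C", "PASS constructed-secret"),
    ("S", "230 Login successful"),
]
EXPLICIT_FTPS = [
    ("S", "220 FTP ready"),
    ("C", "AUTH TLS"),
    ("S", "234 Proceed with negotiation"),  # from here on: TLS records only
]
TLS_REFUSED = [  # server rejects AUTH TLS and the client falls back to plain FTP
    ("S", "220 FTP ready"),
    ("C", "AUTH TLS"),
    ("S", "502 Command not implemented"),
    ("C", "USER bob"),
    ("S", "331 Password required"),
    ("C", "PASS constructed-secret"),
]

def audit_control_channel(lines):
    """Return one finding per credential command seen in cleartext."""
    findings = []
    tls_requested = False
    for direction, text in lines:
        verb, _, arg = text.strip().partition(" ")
        verb = verb.upper()
        if direction == "C":
            if verb == "AUTH" and arg.upper() in ("TLS", "SSL"):
                tls_requested = True
            elif verb == "USER":
                findings.append(("cleartext USER", arg))
            elif verb == "PASS":
                # Never copy the secret into the report; its presence is enough.
                findings.append(("cleartext PASS", "<redacted>"))
        elif tls_requested:
            if verb == "234":  # server accepted: the rest is encrypted
                break
            tls_requested = False  # refused: the session continues in cleartext
    return findings

if __name__ == "__main__":
    for name, sample in [("plain", PLAIN_FTP), ("ftps", EXPLICIT_FTPS), ("refused", TLS_REFUSED)]:
        print(name, audit_control_channel(sample))
```

A finding for a session that began with `AUTH TLS` indicates a client configured to allow fallback; requiring TLS on both client and server removes that path.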

But is there any difference between SFTP and FTPS? Both support a wide range of functionality and many file management commands. The most noticeable differences between SFTP and FTPS are:

  • encryption protocols (obviously);
  • authentication: SSH keys and X.509 certificates, respectively, are used instead of a password;
  • encryption algorithms: in addition to the common RSA, DSA, and AES, SFTP uses HMAC-SHA1/HMAC-MD5 to check data transfer integrity and the Lempel-Ziv algorithm to compress the encrypted data;
  • facilities: SFTP can transfer audio and video streams over an encrypted channel, provides a common directory listing format, and includes file locking and functions for changing attributes/permissions; FTPS provides remote access to databases and server-to-server data communication.

As you can see, both protocols have some shortcomings: SFTP has no server-to-server data communication, and its commands are binary (decoding is required); FTPS does not provide a common directory listing format and requires a secondary data channel (so it is difficult to use with firewalls).

Still, both protocols provide a high level of protection thanks to strong data encryption technologies.