SFTP vs. FTPS: Understanding the 8 Key Differences

essidsolutions

Secure shell file transfer protocol (SSH FTP or SFTP) and file transfer protocol secure (FTP over TLS/SSL or FTPS) enable secure file transfer using two distinct communication mechanisms. This article discusses the two concepts in detail and explains eight ways they differ from each other. 

What Is Secure Shell File Transfer Protocol (SFTP)? 

Secure shell file transfer protocol, also known as SSH FTP or SFTP, is a network protocol that enables secure file transfer, access, and management over a reliable data stream, building on version 2.0 of the secure shell protocol (SSH). 

SFTP Uses a Single Connection and is Inherently Encrypted

SSH version 1 was developed in the 1990s to overcome security gaps in network infrastructures. It uses a public key cryptography technique to authenticate remote connections and drive secure user access to data. SSH is a vital pillar of the global internet and is operated through both open source and proprietary software. In 2006, SSH version 2 replaced SSH 1 as the global standard in secure connectivity, as it promised greater safety and more features. 

SFTP is an improvement upon SSH version 2. The Internet Engineering Task Force (IETF) that came up with SSH-2 also wanted to extend its functionalities to file transfers. Before the development of SFTP, file transfer protocol (FTP) was the most commonly used method for sending and receiving files via remote connections. However, while FTP was simple, convenient, and affordable, it had no guardrails for security. 

The IETF worked on SFTP for several years and came out with the updated SFTP version 4 in 2013. Several stakeholders have worked on SFTP development between the 1990s and the late 2010s, but the later work by IETF formed the foundation of SFTP as we know it today. 

Some of the critical features of SFTP include: 

  • Needs only one connection to send and receive data 
  • Communication is binary without inherent human readability 
  • Suitable for Linux and Unix-based network servers 
  • Supports server-to-server file transfers with control over file permissions 
  • Relatively modern network protocol that builds on the highly flexible SSH communication mechanism 


What Is File Transfer Protocol Secure (FTPS)? 

File transfer protocol secure, or FTPS for short, adds a layer of security to the legacy network communication protocol, file transfer protocol (FTP), through additional support for Transport Layer Security (TLS).

FTPS Uses Two Links and the Encryption Tunnel or Layer Is Separate, Not Inherent

FTP is one of the oldest network communication protocols available today, and it predates the global internet. The first version of FTP was drafted in the 1970s for scientific and research use within the U.S. government’s ARPANET. Back then, there was no conception of a widespread, easily accessible information system hosted on networks or the security risks it would introduce. Therefore, FTP enabled a simple server-to-server file transfer mechanism without any means to authenticate or encrypt the connection. 

Despite its convenience, the lack of security makes FTP unviable for the modern world. Multiple stakeholders have tried to add an element of security through FTPS without reconfiguring the protocol’s inherent architecture. In the 1990s, web browser company Netscape released a solution called Secure Sockets Layer (SSL), enabling secure network communication via a cryptographic protocol. SSL was applied to FTP in 1996, giving birth to the first version of FTPS. 

Over the years, SSL was deprecated for transport layer security (TLS), commonly used in internet applications like email, instant messaging, and voice over internet protocol (VoIP). With the evolution of SSL, FTPS also matured to become more secure and reliable. However, the inherent challenges of a pre-internet network communication protocol remained, including incompatibility with several firewall solutions. 

The key features of FTPS include: 

  • Needs a secondary data connection in addition to the primary connection 
  • Supports formats that can be read and understood by humans, simplifying the logging 
  • Suitable for Windows environments that are designed for FTP servers 
  • Compatible with custom commands to servers through a command-line interface (CLI)

Now that we know what FTPS and SFTP are, let us discuss the differences between the two protocols in detail. 


SFTP vs. FTPS: Understanding the 8 Key Differences

Secure shell file transfer protocol (SSH FTP or SFTP) is distinct from file transfer protocol secure (FTPS) due to the following reasons: 

| Aspect | Secure shell file transfer protocol (SFTP) | File transfer protocol secure (FTPS) |
| --- | --- | --- |
| Network communication approach | SFTP builds on secure shell protocol (SSH) and adds on file transfer capabilities. | FTPS builds on file transfer protocol (FTP) and adds on a security and encryption layer. |
| Firewall support | It uses a single connection through only one port, making it easier to install firewall solutions. | It needs a secondary data connection, and its use of multiple ports makes it difficult for firewalls to work. |
| Transfer speeds | It involves a high resource overhead and slows down file delivery. | It is simple, straightforward, and lean, making it several times faster. |
| Binary and ASCII | It supports only binary transmission, and users cannot choose between different modes. | It supports both binary and ASCII transmissions, making it easier to maintain logs. |
| .NET compatibility | Developers cannot build .NET programs with SFTP functionalities, as compatibility is missing. | .NET includes a number of commands to support file uploads in FTPS modes. |
| Authentication mechanism | It uses out-of-band authentication and does not need signed certificates, as the data is inherently encrypted. | The FTP server must provide a public-key certificate to sign off on the authentication. |
| Usage commands | It supports a long list of commands with granular controls, such as defining file permissions. | It supports a relatively limited list of commands, with less control over remote files and directories. |
| Adoption | It is widely adopted, and most servers and cloud storage solutions support SFTP. | It is built on FTP, which is gradually being phased out for HTTPS and other protocols. |

1. SFTP adds on file transfers to security, while FTPS is the other way around

SSH, on which SFTP is built, was initially designed as a secure shell protocol for network communication. Its main purpose is to enable remote login and execute command-line actions without causing security risks. 

Since SSH was developed in the 90s, its users were already more aware of the emerging security risks of the internet and of the need to reimagine network communication, particularly for commercial use. SSH uses public-key cryptography for authentication, which means that every connection is verified through a pair of a public and a private key based on cryptographic algorithms. This principle applies whether SSH is leveraged for file transfers or any other use case. 

In contrast, FTPS was designed to enable file transfers across networked computers through the file transfer protocol. FTP is a connectionless, message-oriented protocol where a simple user ID and password combination is used to authenticate network communications. It does not need a pre-established, verified connection between the server and the client. All of the information – including the user ID, password, and message text – is sent in an unencrypted form. Since the information is available in plaintext, bad actors can easily break into the connection. 

FTPS adds a superficial layer of security to the foundational FTP mechanism. It uses the security mechanisms of SSL or TLS at the application level to superimpose guard rails for safe communication. Encryption is optional, and the fundamental approach to security is different in FTPS compared to SFTP. 

2. SFTP is preferred for usage alongside firewalls compared to FTPS 

As mentioned, SFTP uses a single connection between the client and the server. One does not need to open multiple ports, and it has a dedicated port used for connecting to a remote computer. Importantly, fewer ports also mean that fewer vulnerable points are available for bad actors to exploit. Single-port SFTP setups are ideal for use alongside a robust firewall for organizations. SFTP establishes one consolidated connection between the client and the server, and the firewall can simply sit in between to check for anomalies, suspicious signs, and other threat indicators. 

However, FTPS relies on a second data connection in addition to the primary link. For every data transfer, it opens a new port, and multiple ports may be open simultaneously. Now the problem is that FTPS is not inherently encrypted because it relies on the pre-internet FTP protocol. The encryption is tacked on superficially using TLS or SSL techniques. As a result of this external encryption, firewall solutions cannot detect which port is being used and why. The connection will automatically fail when one tries to use FTPS alongside a firewall. 

It is possible to find a workaround to this issue by manually configuring a limited range of ports that the FTP server is allowed to open – but it is time-consuming and not an inherent characteristic of the protocol itself, unlike SFTP. 
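To make the firewall problem concrete, here is an added Python example that is not code from the article: it decodes the passive-mode reply that tells an FTP client which data port to connect to, checks that port against the limited range an administrator has configured, and walks a constructed explicit-FTPS control exchange to show that the PASV reply is already inside TLS by the time it is sent. It goes slightly beyond the text by also handling EPSV replies; the server address, port range and session lines are constructed sample values.

```python
import re

# Constructed passive-mode replies as they appear on the FTP control channel
# (not real captures): RFC 959 PASV and RFC 2428 EPSV forms.
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,89)."
EPSV_REPLY = "229 Entering Extended Passive Mode (|||50012|)"

# Passive port range the FTP server is assumed to be configured with (the
# "limited range of ports" workaround above); the firewall admits only these.
PASV_MIN, PASV_MAX = 50000, 50100

def parse_pasv(reply):
    """Return (host, port) from a 227 reply; the port is p1 * 256 + p2."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not reply.startswith("227") or not m:
        raise ValueError("not a PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def parse_epsv(reply):
    """Return the port from a 229 reply, which carries it in decimal."""
    m = re.search(r"\(\|\|\|(\d+)\|\)", reply)
    if not reply.startswith("229") or not m:
        raise ValueError("not an EPSV reply: %r" % reply)
    return int(m.group(1))

def data_port_allowed(port, lo=PASV_MIN, hi=PASV_MAX):
    """True when the advertised data port lies inside the firewall-permitted range."""
    return lo <= port <= hi

# Constructed explicit-FTPS control exchange (C = client, S = server). After
# the server's 234 reply to AUTH TLS, the rest of the channel is inside TLS.
SESSION = [
    ("C", "AUTH TLS"),
    ("S", "234 Proceed with negotiation."),
    ("C", "USER alice"),
    ("S", "331 Please specify the password."),
    ("C", "PBSZ 0"),
    ("S", "200 PBSZ set to 0."),
    ("C", "PROT P"),
    ("S", "200 PROT now Private."),
    ("C", "PASV"),
    ("S", PASV_REPLY),
]

def visible_to_firewall(session):
    """Control lines a firewall can read: everything up to the 234 reply.

    The PASV reply naming the data port is sent after TLS starts, so a
    firewall cannot learn from it which port to open."""
    visible = []
    for side, line in session:
        visible.append(line)
        if side == "S" and line.startswith("234"):
            break
    return visible
```

With the range check in place, an advertised port outside the configured range is a misconfiguration worth alerting on rather than something to open the firewall for.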

3. SFTP file transfer speeds are usually slower than FTPS 

An SFTP connection is almost always notably slower than an FTP connection – by many orders of magnitude. The primary reason for this difference may be that the SSH-2 protocol (which powers SFTP) generates significant additional overhead inherent in packet delivery, encryption, and handshaking. In contrast, FTP does not have to consider them. 

SFTP utilizes transmission control protocol (TCP) architecture at the core. TCP is a resource-intensive protocol that checks header fields, acknowledges and synchronizes message delivery, and runs several error-checking mechanisms to ensure reliability. 

In comparison with other protocols, FTP is a lean and straightforward protocol with minimal extra overhead, and it was specifically designed for quick file transfers. The encryption that FTPS introduces will slow down FTP, but not to the same extent as SFTP.

As a push-based protocol, SFTP is executed over SSH-2. Consequently, it is susceptible to client and server machine restrictions and network latency. This increased susceptibility is due to the handshake process associated with every packet sent between the client and server and the added complexity of decoding an SSH-2 packet. The purpose of SSH-2 is to replace insecure remote shells, not to support high-speed communications. Numerous data types are securely packaged and transferred over SSH-2, which also adds to the protocol’s complexity and overhead. 

4. SFTP only supports binary data transmission, while FTPS supports ASCII as well 

This is one of the primary reasons why some organizations continue to prefer FTPS over SFTP for internal use. File transfer protocol allows users to transfer data either in binary mode or in American Standard Code for Information Interchange (ASCII) mode. 

ASCII converts binary combinations that comprise ones and zeroes into a human-readable format. ASCII is not identical to a natural language like English but has abbreviations like STX or SYN that a human user can understand with training. Since FTPS builds on the original FTP, it also supports ASCII transmissions. This is extremely helpful for logging purposes, as IT administrators can easily understand network protocol processes that are taking place and thereby identify bottlenecks. 

In contrast, SFTP does not have an ASCII mode. All data is sent in binary mode, ensuring that the server receives the same information as sent by the client (or vice versa). There is no ASCII mode to convert strings from the sender’s operating system to the receiver’s operating system. This makes SFTP logging extremely complex. Creating and maintaining logs is near impossible for default SFTP configurations, and organizations typically use a managed file transfer (MFT) tool to overcome this challenge. 

Reliance on binary also means that SFTP is more suitable for Linux and Unix environments. It cannot convert strings from one environment to another in an understandable format for human users. 


5. FTPS is compatible with .NET frameworks while SFTP is not 

.NET is a proprietary software framework by Microsoft that allows developers to build programs to run on the Windows operating system. It is known for its ease of use and cross-platform interoperability, and the framework is available on GitHub as a fully open-source codebase. It is also well supported by Microsoft, with new versions launched every one or two years until 2019, when the pandemic disrupted release cycles. 

.NET does not support SFTP protocols inherently. Developers relying on .NET cannot use the protocol for file transfer or management. In contrast, the framework has several commands to upload files in FTPS mode. 

6. FTPS relies on a signed certificate for authorization, whereas SFTP uses out-of-band authentication 

Here, there is a slight similarity between FTPS and SFTP. Both leverage a public-key mechanism, in which there is a pair of keys – a private key and a public one. The method is also known as asymmetric cryptography, where the recipient must have both keys to decrypt and make sense of the conveyed message. Asymmetric cryptography is lean and resource-efficient, so it is commonly used across various network communication protocols. 

However, FTPS and SFTP have two different ways to verify the public-key mechanism. The FTPS protocol uses an FTP server, and the server must provide a public-key certificate. Organizations can purchase servers containing a digital certificate to support the public-key mechanism to use the FTPS gateway seamlessly. It is also possible to manually generate a certificate signing request in an FTP client and sign the certificate by entering the server address, organization name, physical address, country code, etc. 

In contrast, the SFTP protocol does not present any signed certificates for verification. To begin with, all information is pre-encrypted through SSH-2, and no data is available in plaintext. Second, it relies on out-of-band authentication of the keys. In this scenario, the ID and password are conveyed across one channel, similar to FTP and FTPS. However, a separate secondary channel is used to authenticate user identity further. 

Today, the different multi-factor authentication (MFA) methods count as out-of-band authentication when executed through a different communication channel. 

7. SFTP commands offer greater control than FTPS commands 

Both SFTP and FTPS can be used through a command-line interface (CLI), and most major operating systems ship with a CLI program by default. This means that both communication protocols are democratic and can be accessed from a wide variety of systems. However, the CLI commands available for SFTP are greater in number than those for FTPS and more granular in terms of control. 

Some of the key SFTP commands organizations can use include: 

  • chown: Alter the ownership information of files on the remote host.
  • chmod: Modify file permissions on a remote host.
  • mkdir: Create a new directory on the remote host.
  • rename: Change the name of a file on the remote host.
  • ln or symlink: Create a link to a remote file, which acts almost as a file shortcut.

In contrast, FTPS commands are much simpler and limited in their functionality. Users can only access and retrieve files hosted on a remote connection without making material changes to the file or the directory. For instance, there is no way to change or configure file ownership permissions using FTPS commands. 

Some of the key FTPS commands organizations can use include: 

  • cd: Change the working directory on the FTP host server (identical to an FTPS server).
  • open/close: Start or terminate an FTPS connection.
  • ls: Request a list of file names available for download.
  • abor: Cancel a file transfer that is currently in progress.
  • size: Fetch the size of a remote file as a decimal number.

Since the foundational protocol systems for SFTP and FTPS are different (i.e., SSH for SFTP and FTP for FTPS), they follow two distinct lexicons with their own command terminology. 
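As an added example that is not code from the article, the following Python decoder reads the binary SFTP request packets behind the chmod, rename and mkdir commands listed above and turns them into the human-readable log line that the binary format otherwise lacks (the logging difficulty raised in section 4 and the command lexicon in section 7). The packet layout follows SFTP version 3 as implemented by OpenSSH; the request ids, paths and permission bits are constructed sample values.

```python
import struct
# SFTP v3 (the dialect OpenSSH speaks) request types behind the sftp commands above
FXP_OPEN, FXP_SETSTAT, FXP_MKDIR, FXP_RENAME = 3, 9, 14, 18
NAMES = {FXP_OPEN: "open", FXP_SETSTAT: "chmod/chown (SETSTAT)",
         FXP_MKDIR: "mkdir", FXP_RENAME: "rename"}
# ATTRS flag bits: only the fields whose bit is set are present on the wire
ATTR_SIZE, ATTR_UIDGID, ATTR_PERMISSIONS, ATTR_ACMODTIME = 0x1, 0x2, 0x4, 0x8

def _u32(buf, off):
    return struct.unpack_from(">I", buf, off)[0], off + 4

def _string(buf, off):
    n, off = _u32(buf, off)
    return buf[off:off + n].decode("utf-8", "replace"), off + n

def _attrs(buf, off):
    flags, off = _u32(buf, off)
    attrs = {}
    if flags & ATTR_SIZE:
        attrs["size"] = struct.unpack_from(">Q", buf, off)[0]
        off += 8
    if flags & ATTR_UIDGID:
        attrs["uid"], off = _u32(buf, off)
        attrs["gid"], off = _u32(buf, off)
    if flags & ATTR_PERMISSIONS:
        perms, off = _u32(buf, off)
        attrs["permissions"] = oct(perms & 0o7777)
    if flags & ATTR_ACMODTIME:
        attrs["atime"], off = _u32(buf, off)
        attrs["mtime"], off = _u32(buf, off)
    return attrs, off

def decode_request(packet):
    """Turn one raw SFTP request packet into a human-readable log line."""
    length, off = _u32(packet, 0)
    if length != len(packet) - 4:
        raise ValueError("length field does not match packet size")
    ptype, off = packet[off], off + 1
    if ptype not in NAMES:
        raise ValueError("unsupported request type %d" % ptype)
    req_id, off = _u32(packet, off)
    path, off = _string(packet, off)
    if ptype == FXP_RENAME:
        newpath, off = _string(packet, off)
        return "id=%d rename %s -> %s" % (req_id, path, newpath)
    fields = []
    if ptype == FXP_OPEN:
        pflags, off = _u32(packet, off)
        fields.append("pflags=0x%x" % pflags)
    attrs, off = _attrs(packet, off)
    fields += ["%s=%s" % kv for kv in sorted(attrs.items())]
    return " ".join(["id=%d" % req_id, NAMES[ptype], path] + fields)

def build_setstat(req_id, path, permissions):
    """Encode the SSH_FXP_SETSTAT request an sftp client sends for 'chmod'."""
    body = struct.pack(">BI", FXP_SETSTAT, req_id)
    body += struct.pack(">I", len(path)) + path.encode()
    body += struct.pack(">II", ATTR_PERMISSIONS, permissions)
    return struct.pack(">I", len(body)) + body
```

In a real deployment the packets arrive only after SSH has decrypted the channel, which is why this kind of decoding has to run on the server (or in an MFT tool) rather than on a network device.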

8. SFTP enjoys greater compatibility and adoption 

Over the years, FTP and, in association, FTPS have become deprecated and have fallen out of use. Some organizations, MFT solutions, and independent web developers still use FTPS as a simple file transfer mechanism when the data is of a public and non-sensitive nature. However, it is an old and legacy protocol dating back to the 1970s, out of sync with the modern internet. 

Some servers may not support FTP over TLS or SSL, which means users connecting to such servers will be forced to use plaintext FTP. Browsers like Chrome and Firefox are phasing out FTP support, which will also impact FTPS adoption. 

SFTP is newer than FTPS, and the latest version (version 6, draft 13) was developed in 2006. All major browsers support SFTP, and there is a wide variety of enterprise-grade SFTP solutions from leading vendors. For instance, one can configure IBM servers and Microsoft Azure cloud buckets to operate per SFTP file transfer protocols. 


SFTP vs. FTPS: Which one is right for you? 

SFTP and FTPS are popular protocols for transferring files over public and private networks. They both have their pros and cons. Organizations should keep the following in mind before selecting a protocol for their requirements: 

  • SFTP is inherently secure and fully encrypted, while FTPS adds a layer of encryption using SSL or TLS. 
  • SFTP works seamlessly with firewalls, but its binary data transmissions are not suitable for logging.
  • FTPS file transmissions are several times faster than SFTP. 
  • SFTP will not work with .NET frameworks but enjoys greater compatibility and adoption overall. 
  • The authentication methods and list of commands are different for both protocols. 

As a result, most organizations use a combination of the two to benefit from the advantages while addressing their shortcomings. Sophisticated MFT solutions combine SFTP and FTPS capabilities and other protocols like hypertext transfer protocol secure (HTTPS) and secure copy protocol (SCP) to provide a holistic solution. 
