Any company that transfers files across networks uses FTP to some extent. FTP allows users to upload, download, and delete files. You can also create, delete, and read the contents of directories.
There are some problems with using FTP, though. Anybody who knows how to sniff the packets you send using FTP can read passwords, commands, and file contents in plain text. They won’t have to decrypt the data, which makes it easy to steal and use. Pretty much anyone with a little tech know-how can steal your information and do what they please with it.
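An added example (not from the original article) of auditing FTP control-channel traffic for this exposure: it classifies constructed session transcripts as cleartext, protected by an accepted AUTH TLS, or downgraded after the server refused TLS. The hosts, users, and secrets are made up, and the `audit_session` helper is hypothetical.

```python
# Constructed control-channel transcripts as a network sensor would see them.
# "C:" is the client, "S:" the server; hosts, users and secrets are made up.
CLEARTEXT = ["S: 220 ftp.example.test ready", "C: USER alice",
             "S: 331 Password required", "C: PASS constructed-secret",
             "S: 230 Login successful", "C: RETR payroll.csv"]
EXPLICIT_TLS = ["S: 220 ftp.example.test ready", "C: AUTH TLS",
                "S: 234 Proceed with negotiation"]  # only TLS records follow
FALLBACK = ["S: 220 ftp.example.test ready", "C: AUTH TLS",
            "S: 502 Command not implemented", "C: USER alice",
            "S: 331 Password required", "C: PASS constructed-secret"]

SENSITIVE = {"USER", "PASS", "ACCT", "RETR", "STOR", "LIST"}


def audit_session(lines):
    """Summarise what an on-path observer could read from one session."""
    tls, auth_pending, refused, exposed = False, False, False, []
    for line in lines:
        side, _, text = line.partition(": ")
        if side == "S":
            if auth_pending:
                tls = text.startswith("234")  # 234 = server accepts AUTH
                refused = not tls
                auth_pending = False
            continue
        verb, _, arg = text.partition(" ")
        verb = verb.upper()
        if verb == "AUTH":
            auth_pending = True
        elif not tls and verb in SENSITIVE:
            # Never copy the secret into the finding; the verb is enough.
            exposed.append(verb if verb == "PASS" else f"{verb} {arg}".strip())
    if tls:
        verdict = "protected"
    elif refused and exposed:
        verdict = "downgraded"  # TLS was requested, refused, login went ahead
    else:
        verdict = "cleartext" if exposed else "no-login"
    return {"verdict": verdict, "exposed": exposed}


if __name__ == "__main__":
    for name, session in [("cleartext", CLEARTEXT), ("explicit TLS", EXPLICIT_TLS),
                          ("fallback", FALLBACK)]:
        print(name, audit_session(session))
```

The "downgraded" verdict is the one to alert on: the client asked for TLS, was refused, and sent the login anyway.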
If you don’t think that this is a major concern, consider that companies have lost trillions of dollars due to information theft. It’s not only companies that face repercussions. Individuals have had their personal information stolen as well.
Earlier this year, Australian authorities arrested a man for stealing thousands of Netflix passwords and selling them online. This isn’t the most serious of crimes, but it can lead to inconveniences for users (imagine binge-watching your favorite television show and getting logged off every five minutes) and often leads to more serious crimes.
Social media passwords are another frequent target. With your accounts, criminals can either shut down your accounts or find out personal information about you, which helps them steal your identity.
How can you protect yourself? If you want a secure way to send files and control directories, you’ll need to consider FTPS or SFTP. Which one of these options is better for you?
Here’s our guide to FTPS vs. SFTP.
FTPS is FTP but with SSL for security. It uses a control channel, opens new connections for data transfer, and requires an SSL certificate. Since FTPS uses SSL for security, it also improves your website’s SEO score. Google now lowers rankings for websites without SSL security to protect its users from unscrupulous websites.
SFTP is an extension of SSH and is a binary protocol. It provides the capability to transfer files, usually using only the SSH port for data and control. Every command gets sent to the server packed into binary messages, and replies come back as binary packets. Later versions go beyond file transfer and include file locking, symbolic links, and other file-system operations.
Both of these use a combination of asymmetric, symmetric, and key-exchange algorithms. The difference lies in what they use for authentication. FTPS relies on X.509 certificates, but SFTP uses SSH keys. The one that you’ll need to choose depends on your needs.
There are some important pros and cons of using each. Let’s look at FTPS first.
One of the main things that FTPS has going for it is that it’s already widely used. If you’re a business that’s trying to decide between the two and you want to make your decision based on prudence alone, FTPS is the clear winner.
It’s also already built into most internet communication frameworks. You won’t have to change anything to use FTPS in most situations. Humans can also read the communication, making it easier for your workers to get the information they need quickly.
The pros make it seem like FTPS is the clear winner between the two, but there are some cons that turn many people away. To start with, FTPS doesn’t have a uniform directory listing format and requires a secondary DATA channel. This makes it hard to use FTPS behind a firewall. Since firewalls are a standard method of protection that almost every computer uses, this can become problematic.
Not all FTP servers support SSL/TLS, so you might have to make dramatic changes to use FTPS. This is rare, but it does happen and is something that you’ll need to consider. FTPS also doesn’t have a standard way to get and change file and directory attributes.
Consider as well one of the pros listed above. Humans can read the communication without having to decipher it. If you can read it easily, so can anyone else who manages to get into your system. If you’re going to share a lot of private or high-risk information, FTPS might not be for you.
Two of the best features of SFTP are that it uses only one connection, so you don’t need a separate DATA connection, and that the connection is always secured. It’s not “hacker proof” per se, but remember that most thieves look for easy targets. Think of your information like a house, and a hacker as a burglar. Using SFTP is similar to locking your front door. Could the thief pick the lock or break a window? Of course. Most of them won’t do that, however; they’d rather look for a softer target.
Another popular benefit is that SFTP has a good standards background that defines most aspects of operations. The directory listing is uniform and machine-readable, making it accessible when you need it.
One of the common complaints about SFTP is that communication isn’t logged ‘as is’ for humans because it’s binary. FTPS allows for instant human reading, whereas with SFTP you’ll need to decipher the information first.
SSH keys are much harder to manage and validate, but this is a double-edged sword. It can be a pain for the user, but it’s also more secure than FTPS. You’ll need to decide whether ease of access is more or less important than security for your situation. There’s also no built-in SFTP support in VCL and .NET frameworks.
Now that we’ve covered some of the basic pros and cons of SFTP and FTPS, let’s look at which one is the better option for you.
This is a difficult question to answer, but there are some things to consider. If you’re in an organization that’s already using one of these two in other areas, it’s best to stick with what you know and keep consistency across your business. There are ways around each of the cons that we mentioned. Unless you’re experiencing a problem that demands a change, making a change could end up being more trouble than it’s worth.
It’s a good idea to implement support for both SFTP and FTPS. When a personal device needs to access a server, you’ll want to use FTPS even though SFTP is superior in a number of ways. Some companies don’t allow personal devices to access their servers. These devices have FTP support but don’t have SSH clients. If you’re in one of those companies, look at project requirements. You might get away with only having support for SFTP, although we’d argue it’s better to be safe than sorry.
With all things being equal, we believe that SFTP is the better option between the two. Here are a few of the reasons why.
In FTPS, directory listings and file transfers happen on a new network connection that’s separate from the control channel. Firewalls won’t allow these connections. You’ll have to configure the firewall and server for a certain range of ports, which gets complicated. Since almost every device on the market uses firewalls, this matters, and SFTP avoids the problem because it only uses one connection.
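To make the port problem concrete, this added example (not part of the original article) parses the passive-mode replies in which a server announces its data port and checks each port against an assumed firewall range of 50000-50100. The replies are constructed samples and the function names are hypothetical.

```python
import re

# Assumption: the firewall and the FTPS server are both set to this passive range.
PASSIVE_RANGE = (50000, 50100)

PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
EPSV_RE = re.compile(r"^229 .*?\((.)\1\1(\d{1,5})\1\)")

# Constructed server replies (192.0.2.10 is a documentation address).
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,0,2,10,195,88)",
    "227 Entering Passive Mode (192,0,2,10,4,1)",
    "229 Entering Extended Passive Mode (|||50042|)",
]


def data_endpoint(reply):
    """Return (host, port) announced by a 227 (PASV) or 229 (EPSV) reply.

    host is None for EPSV, which reuses the control connection's address.
    """
    m = PASV_RE.match(reply)
    if m:
        nums = [int(g) for g in m.groups()]
        if max(nums) > 255:
            raise ValueError("octet out of range: " + reply)
        # The last two numbers are the high and low bytes of the port.
        return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]
    m = EPSV_RE.match(reply)
    if m:
        port = int(m.group(2))
        if not 0 < port <= 65535:
            raise ValueError("port out of range: " + reply)
        return None, port
    raise ValueError("not a passive-mode reply: " + reply)


def firewall_allows(port, allowed=PASSIVE_RANGE):
    """True when the announced data port falls inside the opened range."""
    return allowed[0] <= port <= allowed[1]


def audit_replies(replies):
    """Return (port, allowed) for every announced data connection."""
    return [(port, firewall_allows(port)) for _, port in map(data_endpoint, replies)]


if __name__ == "__main__":
    for port, ok in audit_replies(SAMPLE_REPLIES):
        print(port, "allowed" if ok else "blocked: outside passive range")
```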
Server identification is how a client verifies that it connects to the right server. FTPS servers are identified through their X.509 certificates. These certificates, however, should be issued by a certificate authority. It can be an expensive and time-consuming venture to get one of these certificates.
SFTP servers are identified through their public key. As long as the client has the public key, it can confirm the server is correct. You or your organization can generate the public key without having to go through a certificate authority, which can get expensive. Using SFTP, you’ll save time and money.
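The public-key check described above, as an added example that is not from the original article: it computes the OpenSSH-style SHA256 fingerprint of a host key and compares it with a pinned value. The host name, the two keys, and the helper names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data):
    """Length-prefixed field as used inside SSH key blobs."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_line(raw32):
    """Build a 'type base64' public key line from 32 raw bytes (demo keys only)."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


def fingerprint(pubkey_line):
    """SHA256 fingerprint in the form OpenSSH prints: unpadded base64."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64>'")
    key_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    # The blob names its own algorithm; it must agree with the text label.
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type label does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verify_host(host, presented_line, pinned):
    """Return 'match', 'MISMATCH', or 'unknown' (no pin: do not trust blindly)."""
    expected = pinned.get(host)
    if expected is None:
        return "unknown"
    same = hmac.compare_digest(expected, fingerprint(presented_line))
    return "match" if same else "MISMATCH"


# Constructed sample keys and pin store; the host name is a placeholder.
SERVER_KEY = make_ed25519_line(bytes(range(32)))
OTHER_KEY = make_ed25519_line(bytes(32))
PINNED = {"sftp.example.test": fingerprint(SERVER_KEY)}

if __name__ == "__main__":
    print(verify_host("sftp.example.test", SERVER_KEY, PINNED))
    print(verify_host("sftp.example.test", OTHER_KEY, PINNED))
```

The pinned fingerprint has to reach the client over a channel you already trust; a client that accepts whatever key it sees on first connection has verified nothing.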
With that said, you can get an SSL certificate for only €139.99 a year that includes unlimited subdomains and re-issuances through us. You can have the best of both worlds: SFTP with SSL certification for security and ease of use.