You have likely heard of FTP (File Transfer Protocol) and SFTP (Secure File Transfer Protocol), but did you know that there are some major differences between the two? Generally speaking, FTP in its basic form is not secure, whereas the SFTP protocol is used to ensure that file transmission will be secure.
FTP
File Transfer Protocol (FTP) is a very well-established protocol, developed in the 1970s, and was designed to allow two computers to transfer data over the internet. One computer is the Server and the other is the Client. The FTP protocol typically uses port 21 as its main means of communication. An FTP server will listen for client connections on port 21.
FTP clients will then connect to the FTP server on port 21 and initiate a conversation. This main connection is called the Control Connection or Command Connection. This conversation is performed in plain text, meaning that all communication between the two parties is sent unprotected, verbatim, over the internet. The FTP client will usually authenticate itself with the FTP server by sending over a username and a password, both in plain text. This alone makes FTP very insecure, as it would not be terribly difficult for a third party to steal the users’ credentials.
After the client has authenticated itself with the server, the client will usually begin to transfer files either to the server, or from the server. File Transfers in FTP are typically performed over a second, auxiliary, connection called a ‘data connection.’ The Client and Server will typically, through a series of synchronized commands, negotiate a new common ‘port’ which will be used to transfer the file. Once the new port is negotiated, the new data connection is made between the parties and the file is then transferred. During the file transfer, the original Control Connection will sit idle and wait until the file transfer has completed. Once the transfer has been completed, the control connection is then used to signal the success or failure of a file transfer.
The need for a data connection is one of the main concerns for internet usage recently. For security reasons, companies are limiting the number of ports, or openings, on their publicly facing firewalls. FTP traditionally requires a block of ports to remain open on either the Server firewall or the Client firewall to aid with the creation of data connections. Many companies are refusing to open these ports, causing them to look for a different solution.
Along with file transfers, the client will typically also request directory information from the server. The format of information such as a directory listing is a bit primitive based on today’s standards (as FTP was established in the 1970s), and as such, the FTP client is sometimes only able to retrieve a subset of the attributes which are available on the server.
While generic FTP is not secure, extensions have been added over the years to allow for the securing of FTP conversations using industry-standard SSL. FTP/S, as it’s commonly known, allows for the encryption of both the Control and Data connections either concurrently or independently. This is important because the negotiation of the SSL connection is time consuming, and having to do it twice, once for the Data connection and once for the Control connection, can be expensive if a client plans to transfer a large number of small files.
FTP/S (or FTP over SSL) commonly runs on port 21 and sometimes on port 990. The primary difference between these two ports is that if a client connects to an FTP/S server on port 990, it’s implied that the Client intends to perform SSL and the SSL handshake takes place immediately. Because of this, FTP/S on port 990 is commonly referred to as Implicit FTP/S, since the port number implies security. FTP clients who connect on port 21 and intend to use SSL for security will need to explicitly state their intentions by sending an AUTH SSL or AUTH TLS command to the server. Once the server receives this command, the two parties perform an SSL handshake and enter a secure state. For this reason, FTP/S on port 21 is commonly referred to as Explicit FTP/S.
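To make the two points above concrete, here is an added example (not code from the original article or from WebDrive/Titan): a small analyzer for an FTP control-channel transcript as a server log would record it. It flags a USER/PASS exchange that happens before a successful explicit AUTH TLS/SSL upgrade (credentials crossing the wire in the clear) and decodes the "227 Entering Passive Mode" reply to show which ephemeral port the data connection will use, i.e., the port a firewall would have to allow. The transcript lines are constructed; the "C:"/"S:" prefixes are an assumption of this example.

```python
import re

# 227 reply carries the data endpoint as h1,h2,h3,h4,p1,p2; port = p1*256 + p2
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply):
    """Return (host, port) from a 227 reply, or None if it is not one."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def analyze_session(lines):
    """Walk a control-channel transcript ('C: ' client / 'S: ' server lines).
    Reports whether the session upgraded to TLS, whether USER/PASS were sent
    before that upgrade, and every negotiated passive data endpoint."""
    result = {"tls_upgraded": False, "cleartext_credentials": False,
              "data_endpoints": []}
    pending_auth = False
    for raw in lines:
        who, _, text = raw.partition(": ")
        parts = text.upper().split()
        cmd = parts[0] if parts else ""
        if who == "C":
            if cmd == "AUTH" and parts[1:2] and parts[1] in ("TLS", "SSL"):
                pending_auth = True          # explicit FTP/S request on port 21
            elif cmd in ("USER", "PASS") and not result["tls_upgraded"]:
                result["cleartext_credentials"] = True
        elif who == "S":
            if pending_auth and text.startswith("234"):
                result["tls_upgraded"] = True  # server accepted the upgrade
                pending_auth = False
            endpoint = parse_pasv(text)
            if endpoint:
                result["data_endpoints"].append(endpoint)
    return result

# Constructed sample 1: plain FTP, no AUTH TLS, passive transfer on port 50000.
SAMPLE_PLAIN = [
    "S: 220 Service ready", "C: USER alice", "S: 331 Password required",
    "C: PASS hunter2", "S: 230 Logged in", "C: PASV",
    "S: 227 Entering Passive Mode (192,0,2,10,195,80)", "C: RETR report.pdf",
]
# Constructed sample 2: explicit FTP/S, credentials sent only after the upgrade.
SAMPLE_TLS = ["S: 220 Service ready", "C: AUTH TLS", "S: 234 Proceed",
              "C: USER alice", "S: 331 Password required", "C: PASS hunter2"]

if __name__ == "__main__":
    print(analyze_session(SAMPLE_PLAIN))
    print(analyze_session(SAMPLE_TLS))
```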
SFTP (Secure File Transfer Protocol)
SFTP (Secure File Transfer Protocol) is a relatively new protocol, developed in the 1990s, which allows for the transfer of files and other data over a connection that has previously been secured using the SSH protocol. While it’s similar to FTP/S in that both protocols communicate over a secure connection, that’s basically where the similarities end.
Unlike FTP, the SFTP protocol is “packet-based” instead of text-based. Where FTP might send a command such as “DELE file.txt,” SFTP would send a binary 0xBC and then “file.txt.” The key difference is that by sending less data, the SFTP protocol is faster over the long term, as less data is crossing the wire.
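As an added illustration of that packet framing (example code, not from the original article or any SFTP implementation), the following builds and parses an SFTP request in the layout the IETF secsh-filexfer drafts define: a uint32 length, a one-byte request type, a uint32 request id, then length-prefixed “string” fields. The remove request uses type number 13 in those drafts; the MAX_PACKET bound is a constructed sanity limit. The point a defender cares about is that every length field is validated before it is used, so a malformed packet cannot make the parser read past its buffer.

```python
import struct

SSH_FXP_REMOVE = 13        # request type number from draft-ietf-secsh-filexfer
MAX_PACKET = 256 * 1024    # constructed upper bound on one packet's length field

def sftp_string(b):
    """SFTP 'string' field: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def build_remove(request_id, path):
    """Frame an SSH_FXP_REMOVE: uint32 length | byte type | uint32 id | string path."""
    body = (bytes([SSH_FXP_REMOVE]) + struct.pack(">I", request_id)
            + sftp_string(path.encode()))
    return struct.pack(">I", len(body)) + body

def parse_packet(buf):
    """Parse one framed packet from buf; returns (type, request_id, payload).
    Each length is checked before use so a bogus length field is rejected
    instead of being trusted."""
    if len(buf) < 4:
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", buf[:4])
    if length < 5 or length > MAX_PACKET:       # type + id need 5 bytes minimum
        raise ValueError(f"unreasonable packet length {length}")
    if len(buf) < 4 + length:
        raise ValueError("packet body truncated")
    body = buf[4:4 + length]
    ptype = body[0]
    (req_id,) = struct.unpack(">I", body[1:5])
    return ptype, req_id, body[5:]

def parse_string(payload):
    """Decode one 'string' field with the same bounds discipline; returns (value, rest)."""
    if len(payload) < 4:
        raise ValueError("truncated string length")
    (n,) = struct.unpack(">I", payload[:4])
    if len(payload) < 4 + n:
        raise ValueError("string body truncated")
    return payload[4:4 + n], payload[4 + n:]

if __name__ == "__main__":
    pkt = build_remove(7, "file.txt")      # constructed request id and path
    ptype, rid, payload = parse_packet(pkt)
    path, rest = parse_string(payload)
    print(ptype, rid, path, len(pkt))
```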
Another difference is that with SFTP, file transfers are performed in-line over the main Control Connection, thus eliminating the need to open a separate Data Connection for transfers. This has many benefits. First, by re-using the main Control Connection, there are fewer connections open between the client and the server, i.e., fewer connections through firewalls.
Since SFTP runs over SSH, it’s inherently secure and there is no non-secure version. This is a plus for system administrators who are trying to enforce corporate security policies.
Another difference is that most versions of SFTP are able to deliver a much richer and detailed set of data about the files. FTP is rather bland about the files’ properties, but SFTP allows the user to access the permissions, date, time, size, and other information not normally available to FTP.
These are the inherent differences between FTP and SFTP. WebDrive, which is often used as an FTP client, also supports SFTP. Titan FTP Server Enterprise Edition supports both FTP and SFTP.