What’s the difference between FTPS and SFTP?
FTPS (formerly known as FTP over TLS/SSL) and SFTP (technically named the SSH2 File Transfer Protocol) are considered secure file transfer protocols. Despite their similar names, however, these protocols operate in very different ways, making each one better suited for different use cases and environments.
In this post, we’ll take a deep dive into the differences between FTPS and SFTP to help you understand which secure file sharing protocol is best for your situation.
The Main Differences Between FTPS and SFTP
Below, we’ve summarized the primary differences between FTPS and SFTP:
| | FTPS | SFTP |
|---|---|---|
| Connection Security | via SSL/TLS | via SSH channel |
| Security | Server authentication is verified using a public key infrastructure. Client authentication can also be performed using usernames and passwords or client certificate verification. | Server authentication is typically achieved by securely distributing the server’s public key to clients beforehand. Clients can be authenticated using usernames and passwords or public key authentication. |
| Adoption | Most commonly used, primarily due to its ubiquitous legacy | More common in more recent devices and software |
| Connections Required | At least 2: one port to issue commands and a separate data port for each directory listing or file transfer | Only 1 is required (commands and data use the same connection) |
| File and Directory Listings and Operations | More rudimentary and not uniform. For example, there is no universal way to get/change file or directory attributes. | Operates via uniform directory listing and documented standards |
| Algorithms | Asymmetric, symmetric, and key exchange. | Asymmetric, symmetric, and key exchange. |
| Authentication | Performed via X.509 certificates (which contain a public key and ownership information, paired with a private key held by the server) | Performed via SSH keys (which only provide a public key and do not typically confirm ownership information) |
| Server Requirements | Requires a server X.509 certificate and private key. | Most SSH server installations will include SFTP support (or OpenSSH can be used) |
FTPS vs. SFTP: Use Case Comparison
When choosing between FTPS and SFTP, the factors below may help you decide.
| | FTPS | SFTP |
|---|---|---|
| Network Security | FTPS’s requirement for at least two ports (and possibly many more depending on the volume of file transfer activity) can make troubleshooting difficult and expose novel attack vectors that become possible thanks to the constantly changing data connection between the client and server. Special attention to the network configuration and server security options can help mitigate these risks. | Ideal Protocol. SFTP uses a single connection port for all client and server communication. This tends to greatly simplify interoperability concerns and reduces the attack surface compared to FTPS. |
| Compatibility | Due to FTPS’s length of time in the market, more devices and systems are compatible with FTPS. However, the lack of standardization for many functions can sometimes lead to client and server interoperability issues. | SFTP will generally be accepted by more modern devices and systems (Linux and Unix) but is not ideal for communicating in legacy situations (for example, the VCL and .NET frameworks do not offer built-in support). |
| Configuration | It can cause firewall/transmission issues due to the more complex configuration required. | Ideal Protocol. Primarily due to its streamlined connections, which reduce firewall issues. |
| Performance | Ideal Protocol. Offers the highest possible secure transfer speeds. | SFTP transfers carry a lot more overhead due to the robustness and flexibility of the protocol. |
| File/Directory Manipulation | FTPS’s available commands are limited and not standardized, which can require additional administrative configuration. | Ideal Protocol. Offers several standardized controls and commands for activities such as file directory manipulation, permissions locking, etc. |
| Server to Server Communications | Ideal Protocol. Due to limitations in SFTP. | Server-to-server communications are not well supported. |
| Internet File Transfer | Ideal Protocol. Due to SSL/TLS support built into many internet communications frameworks. | Can be configured but will require extra steps. |
| Authentication | Ideal Protocol. Certificate visibility offers a high degree of trust. | SSH keys can be harder to validate because they usually require the server administrator to securely distribute the server’s public key to clients ahead of the initial connection. |
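The two server-authentication models from the Authentication row, together with the point behind the Network Security row that FTPS's data connections are separate from the TLS-protected command channel, as an added Python example (not code from the original post or from Cerberus FTP Server). The hostname, credentials, known_hosts entry and key blob are constructed placeholders; `ftps_session` needs a live server, the other functions run offline.

```python
import base64
import hashlib
import ssl
from ftplib import FTP_TLS

def strict_tls_context(cafile=None):
    """FTPS control channel: server cert must chain to a trusted CA and match the hostname."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def ftps_session(host, user, password, cafile=None):
    """Explicit FTPS login. PROT P is what protects the separate data
    connections; without it only the command channel is encrypted."""
    client = FTP_TLS(context=strict_tls_context(cafile))
    client.connect(host, 21)
    client.auth()  # AUTH TLS on the control connection
    client.login(user, password)
    client.prot_p()  # encrypt every PASV data connection as well
    return client

def sample_ed25519_blob(seed):
    """Constructed sample host-key blob in SSH wire format (not a real key)."""
    name, key = b"ssh-ed25519", hashlib.sha256(seed).digest()
    blob = len(name).to_bytes(4, "big") + name + len(key).to_bytes(4, "big") + key
    return base64.b64encode(blob).decode()

SAMPLE_KEY = sample_ed25519_blob(b"constructed sample, not a real server key")
# known_hosts line the server administrator distributed to clients beforehand
KNOWN_HOSTS = "sftp.example.test ssh-ed25519 " + SAMPLE_KEY + "\n"

def ssh_fingerprint(key_b64):
    """OpenSSH-style 'SHA256:<unpadded base64>' fingerprint, the form an admin publishes."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_key_is_known(known_hosts, host, key_type, key_b64):
    """SFTP server auth: accept only a (host, type, key) already pinned in
    known_hosts. Hashed '|1|' entries and wildcards are not handled here."""
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        if host in parts[0].split(",") and parts[1:3] == [key_type, key_b64]:
            return True
    return False
```

An SFTP client that falls back to accepting any unknown key loses the pinned check entirely; an FTPS client that skips `prot_p()` leaves every file transfer in the clear even though the login was encrypted.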
Need to know more about FTPS or SFTP?
- SSH and SFTP Features Supported by Cerberus FTP Server
- FTPS Features Supported by Cerberus FTP Server
FTPS vs. SFTP Comparison Graphics
Need to understand the differences in these file transfer protocols at a glance? The graphics below may help.
Bonus! The History of FTPS and SFTP
As the first networking protocol that allowed file transfer from one machine to another, FTP predates the internet and was developed before security concerns about unauthorized users eavesdropping on data traffic needed to be considered.
As more and more people began using the web in the 1990s, the security and privacy of data transmission became legitimate concerns. This situation led to the development of an early cryptographic protocol called the Secure Sockets Layer (SSL) that encrypts commands and data exchanged between a client and a server. When FTP transfers began using this layer in 1996, “FTPS” was born.
SFTP evolved from a separate open-source file transfer protocol developed to transfer data with solid security by default. Known as the Secure Shell (SSH) cryptographic network protocol, SSH was originally released in 1995 as freeware by a Swedish researcher attempting to secure his school’s network. After seeing SSH’s popularity and potential, the Internet Engineering Task Force soon began working to standardize the SSH protocol. These efforts extended into secure file transfer, and the first non-proprietary release of the SSH File Transfer Protocol came in 2001.
Various iterations and improvements led to SSH version 2’s release in 2006, and SFTP has since become a widespread data transfer standard.