Introduction to Secure File Transfer Protocols
Are you curious about which protocols your FTP Server should support? With so many protocols available and so many opinions on the Internet, this can be a difficult decision to make. We have compiled an easy-to-understand guide on these protocols to help you decide which ones to support.
If you’re planning to install a secure file server to allow your clients or employees to share files securely, but you’re not sure which protocols to support, you have a lot of options:
- The venerable File Transfer Protocol (FTP)
- SSH2 File Transfer Protocol (SFTP)
- FTP over TLS (commonly referred to as FTPS or FTPES)
- The HyperText Transfer Protocol (HTTP)
- HTTP over TLS (HTTPS)
But which protocols will be best for your environment?
The short answer is to use a file transfer server that supports all three secure versions of those protocols (SFTP, FTPS/FTPES and HTTPS). You want to avoid allowing plain, unencrypted FTP if security is a primary concern (and isn’t it always?), but SFTP, FTPS, and HTTPS are all considered secure file transfer protocols.
A good option for this is Cerberus FTP Server, which you can try free for 25 days.
Supporting the most common file transfer protocols allows your users to pick the option that works best for their environment. For example, some networks may lock down SSH SFTP access while leaving HTTPS available. Hosting a file transfer server that provides several secure file transfer protocol options helps ensure your users can securely exchange data.
We will go into each protocol in more detail in the following sections.
Overview of Secure File Transfer Protocols
File Transfer Protocol (FTP and FTPS)
FTP is the original File Transfer Protocol and enjoys wide support from various clients and devices. Unfortunately, FTP is by default an insecure protocol, transferring commands and data over an unencrypted connection. It also provides no way for a server to prove to a client that the server is who it claims to be. This allows eavesdropping on passwords and data, and lets a malicious server impersonate the real one or hijack the connection. FTPS was introduced to solve these problems by adding TLS encryption and server authentication to the FTP protocol.
While FTPS is a significant security improvement over FTP, both protocols share a structural limitation: they use a control connection for commands plus a separate data connection, on a new port, for every directory listing or file transfer. A file transfer server therefore needs a whole range of open (passive) ports rather than a single one. Having to forward that port range through a firewall is a security concern in many environments and can make troubleshooting difficult.
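The multi-port behaviour above is easiest to see on the control channel itself. The following Python script is an added example (not code from the original article or from Cerberus FTP Server): it replays two constructed FTP control-channel transcripts, parses each `227` passive-mode reply to recover the data port the server handed out (`p1 * 256 + p2`), and flags three things a defender cares about: credentials sent before `AUTH TLS` succeeded, data connections opened before `PROT P` was accepted, and data ports that fall outside the passive range the firewall forwards. The transcripts, hostnames and the 50000-50100 passive range are all assumptions made up for the example.

```python
import re

# Constructed transcripts of an FTP control channel (sample data, not real
# captures). "C:" lines are sent by the client, "S:" lines by the server.
# The first session is explicit FTPS (FTPES): TLS is negotiated before login
# and PROT P protects the data channel. The second is plain FTP.
FTPES_SESSION = """\
S: 220 Service ready
C: AUTH TLS
S: 234 Proceed with negotiation
C: USER alice
S: 331 Password required
C: PASS s3cret
S: 230 Logged in
C: PBSZ 0
S: 200 PBSZ=0
C: PROT P
S: 200 Protection level set to P
C: PASV
S: 227 Entering Passive Mode (192,168,1,10,195,88)
C: LIST
S: 150 Opening data connection
S: 226 Transfer complete
C: PASV
S: 227 Entering Passive Mode (192,168,1,10,196,1)
C: RETR report.pdf
S: 150 Opening data connection
S: 226 Transfer complete
"""

PLAIN_FTP_SESSION = """\
S: 220 Service ready
C: USER bob
S: 331 Password required
C: PASS letmein
S: 230 Logged in
C: PASV
S: 227 Entering Passive Mode (192,168,1,10,195,90)
C: RETR notes.txt
S: 150 Opening data connection
S: 226 Transfer complete
"""

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Turn a 227 reply into (ip, port). RFC 959 encodes the data port as
    two bytes p1,p2 with port = p1 * 256 + p2."""
    m = PASV_RE.search(reply)
    if not m or not reply.startswith("227"):
        raise ValueError("not a PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def audit_session(transcript, passive_range):
    """Replay one control-channel transcript and return the data ports the
    server handed out plus a list of findings: credentials sent before the
    TLS upgrade, data connections opened without PROT P, and data ports
    outside the range the firewall forwards (passive_range is inclusive)."""
    lo, hi = passive_range
    tls_up = False          # AUTH TLS accepted by the server
    prot_private = False    # PROT P accepted: data channel will be encrypted
    last_cmd = ("", "")     # (verb, argument) of the most recent client command
    data_ports = []
    findings = []
    for line in transcript.splitlines():
        who, _, text = line.partition(": ")
        if who == "C":
            parts = text.split(None, 1)
            last_cmd = (parts[0].upper(), parts[1] if len(parts) > 1 else "")
            if last_cmd[0] in ("USER", "PASS") and not tls_up:
                findings.append("cleartext credentials: %s" % last_cmd[0])
        elif who == "S":
            code = text[:3]
            if code == "234" and last_cmd[0] == "AUTH":
                tls_up = True
            elif code == "200" and last_cmd == ("PROT", "P"):
                prot_private = True
            elif code == "227":
                _, port = parse_pasv(text)
                data_ports.append(port)
                if not prot_private:
                    findings.append("unprotected data channel on port %d" % port)
                if not lo <= port <= hi:
                    findings.append("data port %d outside passive range %d-%d"
                                    % (port, lo, hi))
    return {"data_ports": data_ports, "findings": findings}


if __name__ == "__main__":
    for name, session in (("FTPES", FTPES_SESSION), ("plain FTP", PLAIN_FTP_SESSION)):
        print(name, audit_session(session, (50000, 50100)))
```

Two listings in the FTPES session produce two different data ports; the second one (50177) lands outside the assumed forwarded range, which is exactly the kind of transfer that fails mysteriously behind a firewall. The plain FTP session shows why the article recommends disabling it: every credential and every data connection is reported as unprotected. An SFTP session has no equivalent to audit, because everything rides the single SSH connection.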
However, FTP and FTPS have been around for a long time, and there are still many devices and clients that only support FTP or FTPS.
SSH2 File Transfer Protocol (SFTP)
Despite the name, SFTP is an entirely different protocol from traditional FTP. SFTP is a popular secure file transfer choice because of its robust security model and more straightforward setup than FTP and FTPS. Unlike traditional FTP, SFTP runs over an SSH channel that provides security and integrity by default. SFTP is also considerably more firewall-friendly than FTP because it only requires one port to establish a connection and carry out file operations.
SFTP also has a richer set of file transfer capabilities than FTP: well-defined, widely supported operations for file and directory access, file integrity checking, and resuming interrupted transfers. Many of these capabilities have been bolted onto FTP over the years, but they aren't all well standardized or widely supported.
HyperText Transfer Protocol (HTTP and HTTPS)
The HTTP protocol has existed since the beginning of the World Wide Web and is one of the foundational technologies underpinning the modern Internet. Like its file transfer-focused cousin FTP, plain HTTP is unencrypted and unsuitable on its own as a secure file transfer protocol. However, it can be secured by tunneling it over TLS, in much the same way that FTPS secures FTP. This is what HTTPS does: it runs the HTTP protocol over a TLS connection. We rely on HTTPS today to securely browse websites and make purchases online, and we can leverage the same protocol to provide secure file transfer services to clients.
Web browsers that use the HTTP protocol are ubiquitous today, and we can take advantage of that fact to offer a secure file transfer system based around HTTPS. One of the challenges with FTPS and SFTP is that a customer has to have a file transfer client installed that supports those protocols, and the customer has to be trained on how to use that client.
Secure file transfer systems based on HTTPS overcome those two issues because nearly every system today has a web browser installed, and most users are familiar with the basics of using a web browser.
Comparing SFTP, FTPS, and HTTPS
Now that you understand the background of the different file transfer protocols, it’s helpful to discuss how they compare across a few criteria.
The original FTP protocol offers no security and transmits commands and data in an open, easily eavesdropped connection. It was developed over 40 years ago when the networks it was designed to run on were simpler – and safer. Despite the long-understood security vulnerabilities in running plain FTP, many implementations are still used today. Plain FTP is inherently insecure, and should be avoided in favor of FTPS, SFTP, or HTTPS.
Regarding security, the SFTP, FTPS, and HTTPS protocols are considered secure. The requirement to open up multiple ports with FTPS can be viewed as a security concern. Still, there is nothing inherently more secure about the SFTP protocol over the FTPS protocol. Either is appropriate when a secure connection is required, but SFTP tends to be easier to configure and more firewall-friendly.
The SSH protocol that secures SFTP also has a simpler security model than TLS (the protocol used to secure FTPS and HTTPS connections). TLS relies on a complex public trust infrastructure revolving around Certificate Authorities (CAs), signed X.509 certificates, and trust verification and revocation mechanisms. TLS and its supporting security infrastructure have been instrumental in allowing the modern web and e-commerce to grow and thrive. Still, the additional complexity also increases the protocol's attack surface.
Still, this added complexity has benefits for customers. With a TLS-based protocol like FTPS or HTTPS, your customers can rely on your CA-signed TLS certificate to verify that you are who you say you are. This isn't easily done with SFTP connections: the client has to verify the server's host key (typically by comparing its fingerprint) through some secure out-of-band method before trusting the server it is connecting to.
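To make the SFTP side of that comparison concrete, here is an added Python example (not code from the original article or from any SFTP product) showing what "out-of-band host key verification" actually involves. It wraps a constructed ed25519 public key in the OpenSSH wire format, forms a `known_hosts` line for it, computes the `SHA256:` fingerprint the same way `ssh-keygen -l -E sha256` prints it, and checks a candidate entry against a fingerprint the operator published elsewhere. The hostname `files.example.com` and the key bytes (`0x00..0x1f`) are assumptions made up for the example; a real server's key would be obtained from its administrator.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


# Constructed sample key: 32 raw ed25519 public-key bytes (0x00..0x1f), wrapped
# in the OpenSSH blob format and published as a known_hosts line. Sample data,
# not a real server's key.
SAMPLE_RAW_KEY = bytes(range(32))
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(SAMPLE_RAW_KEY)
SAMPLE_KNOWN_HOSTS_LINE = (
    "files.example.com ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()
)


def parse_known_hosts_line(line):
    """Split a known_hosts entry into (hostnames, key_type, blob) and check
    that the key type named in the text matches the one embedded in the blob."""
    host_field, key_type, b64 = line.split()[:3]
    blob = base64.b64decode(b64)
    (tlen,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + tlen].decode()
    if embedded != key_type:
        raise ValueError("key type mismatch: %s vs %s" % (key_type, embedded))
    return host_field.split(","), key_type, blob


def fingerprint(blob):
    """OpenSSH-style fingerprint: SHA-256 of the key blob, base64-encoded with
    the '=' padding stripped, prefixed with 'SHA256:'."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_matches(line, hostname, expected_fingerprint):
    """Return True only when the entry covers `hostname` and its fingerprint
    equals the value obtained out of band (for example from the operator's
    published fingerprint list). The comparison is constant-time."""
    hosts, _, blob = parse_known_hosts_line(line)
    if hostname not in hosts:
        return False
    return hmac.compare_digest(fingerprint(blob), expected_fingerprint)


if __name__ == "__main__":
    fp = fingerprint(SAMPLE_BLOB)
    print("published fingerprint:", fp)
    print("match:", host_key_matches(SAMPLE_KNOWN_HOSTS_LINE, "files.example.com", fp))
```

The point of the example is the `expected_fingerprint` argument: nothing in the SSH connection itself tells the client whether that value is right, so it has to come from somewhere the client already trusts (a signed web page, a ticket from the operator, a configuration pushed by IT). With FTPS or HTTPS that role is played by the CA signature on the certificate, which is why first-time connections to an HTTPS file server need no such manual step.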
Raw file transfer performance is the one area where FTPS shines and would be the only real advantage I would give FTPS over SFTP. SFTP runs over a considerably more robust and generic protocol than FTPS, and that robustness imparts a significant performance impact. There’s simply a lot more overhead involved in SFTP file transfers.
The overhead in the SFTP protocol is because SFTP runs on top of the SSH2 protocol, and because SFTP implements its own handshaking mechanism. If you want the highest transfer speeds possible over a secure connection, you want FTPS.
HTTPS provides a similar file transfer performance to FTPS for downloads. There’s not a lot of overhead for an HTTPS download. File uploads are somewhat more complex and can be slower than FTPS.
Ease of Use
Security and performance are critical aspects of any secure file transfer system, but if the end-user doesn’t find the system intuitive and easy to use, they aren’t likely to use it.
The HTTPS web client has a clear advantage over the other protocols in this area. Nearly everyone has a web browser installed and understands the basics of navigating a web page. There’s no need to install separate file transfer client software; users are guaranteed a consistent experience no matter their device.
The one function that traditional FTPS and SFTP clients still excel at is downloading large numbers of files. Downloading many files simultaneously is impossible in the HTTPS web client because of how web browsers currently process file downloads. While you can select multiple files and directories and zip them on the server before downloading, this isn't always ideal for power users. A traditional file transfer client is sometimes the best option for these use cases.
There are good reasons to support FTPS, SFTP, and HTTPS for secure file operations, and even FTP for legacy devices. Organizations rarely have the option of supporting only one file transfer protocol, and solutions that support all three are commonplace today.
In addition, some use cases lend themselves much more readily to one protocol over another. Having various options and methods available for your customers to securely transfer files gives you and your customers the most flexibility. In today’s interconnected, data-critical world, everyone in your organization must have easy and secure access to a reliable file transfer system.
We’re here to help. Contact the Cerberus support team if you have any questions.