You’ve probably heard about SFTP and FTP, but you may be wondering what the difference is between the two protocols and how SFTP works in general.
When transferring data from a computer to a server (think of the server as a data container) or vice-versa, there are many methods which you can use. One of the more popular methods is File Transfer Protocol (FTP), but it is safe to say that this method is outdated due to security issues.
Today’s more secure option uses Secure File Transfer Protocol (SFTP). If you are running a server, it is critical to utilize the SFTP method at all times, but you may not know exactly why. That’s what we’ll address today.
The client and the server – explaining how file transfers work
In the case of a server, the client’s data actually sits within the server, even if the server itself is in a different location. When the client wants to access their data, they will need to send a request.
For example, when a user clicks on a file, the request travels through the network and reaches the server. The server then sends the data to the computer which made the request. The user’s file opens and allows them to edit and make changes.
We take this behavior for granted because it is so common, but each time information travels between the server and a client, there is a risk that malicious actors may try to intercept your data. The good news is the SFTP protocol ensures that all files only travel in encrypted form.
Why do we use SFTP and not FTP?
The previously-popular FTP method is not secure enough to use in today’s heavily interconnected world. Transmissions using FTP are sent in plain text, which means anyone with the skills and wherewithal can snoop in on a network and read every single line of data that’s transmitted across it using FTP. This poses a huge risk even if you have a small, private internal network and server.
Some FTP servers offer enhanced methods called implicit and explicit SSL (Secure Sockets Layer), both of which have benefits and drawbacks.
Implicit SSL assumes that both the requesting client and server will communicate in a secure fashion from the beginning of each data request. While this sounds like good practice in general, many older devices and firewalls do not begin a data transmission in an implicit SSL-compatible format (this “conversation” between systems is called negotiation), which can create transmission failures. This negotiation issue is one of the reasons why Implicit SSL is considered to be deprecated at this time.
Challenges with Explicit SSL
Explicit SSL was designed to address Implicit SSL’s negotiation issue by having the client first request a secured connection, and then having the server upgrade the data transfer to an accepted encryption method. While some servers can force this initial conversation to be secured via SSL, others can’t, which presents a security risk when the client and server are searching for a shared encryption method. Additionally, encryption mechanisms can vary widely, and a client may have no way to verify if a server actually supports the security it may claim. Both of these issues introduce risk, particularly if a flaw in a particular security protocol is discovered.
Which is why, if you intend to send data securely, SFTP is the preferred option.
SFTP data transfers securely parcel everything sent between the network and server into an encrypted package (including the passwords you enter to access the server). This encryption means that if anyone did try to spy on your network, they would see unintelligible information rather than useful data they could steal.
Another issue that SFTP resolves is data loss. FTP file transfers usually do not preserve metadata, often rendering the information being shared unusable. The SFTP protocol has robust support for preserving metadata and all other information being transferred, which can provide additional security assurances.
The most up-to-date version of SFTP is SSH2. It was developed in 2006; improving upon all earlier versions of SFTP.
SFTP is essential when it comes to securely transferring data. At Cerberus, we are proud to responsibly secure the world’s data. If you would like more information regarding SFTP, please visit our FAQ.