Introduction to Secure File Transfer
If you’re planning to install a secure file server to allow your clients or employees to securely share files, but you’re not sure which protocols to support, you have a lot of options:
- The venerable File Transfer Protocol (FTP)
- SSH2 File Transfer Protocol (SFTP)
- FTP over TLS (commonly referred to as FTPS or FTPES)
- The HyperText Transfer Protocol (HTTP)
- and HTTP over TLS (HTTPS)
But which protocols will be best for your environment?
The short answer is to use a file transfer server that supports all three of the secure versions of those protocols. You want to avoid allowing plain, unencrypted FTP if security is a primary concern (and isn’t it always?) but SFTP, FTPS, and HTTPS are all considered secure file transfer protocols.
Supporting the most common file transfer protocols provides your users with the ability to pick the option that works best for their environment. For example, some networks may lock down SSH SFTP access, while leaving HTTPS available. Hosting a file transfer server that provides several secure file transfer protocols options helps ensure your users will be able to securely exchange data.
We will go into each protocol in more detail in the following sections.
Overview of Secure File Transfer Protocols
File Transfer Protocol (FTP and FTPS)
FTP is the original File Transfer Protocol and enjoys wide support from a variety of clients and devices. Unfortunately, FTP is by default an insecure protocol, transferring commands and data over an unencrypted connection. It also provides no way for a server to prove to a client that the server is who it claims to be. This can allow eavesdropping on passwords and data, as well as connection hijacking by malicious servers. FTPS was introduced to solve these problems by adding secure TLS encryption and authentication to the FTP protocol.
While FTPS is a significant security improvement over FTP, both protocols have limitations. Both FTP and FTPS require multiple ports (one port to issue commands and a separate port for each and every directory listing or file transfer) to perform file transfer operation. This necessitates a large number of open ports for a file transfer system. The requirement to set up forwarding for these ports is a security concern in many environments and can make troubleshooting problems difficult.
However, FTP and FTPS have been around for a long time, and there are still many devices and clients that only support FTP or FTPS.
SSH2 File Transfer Protocol (SFTP)
Despite the name, SFTP is a completely different protocol from traditional FTP. SFTP is a popular secure file transfer choice these days because of its robust security model and easier setup than FTP and FTPS. Unlike traditional FTP, SFTP runs over an SSH channel that provides security and integrity by default. SFTP is also considerably more firewall friendly than FTP because it only requires one port to establish a connection and carry out file operations.
SFTP also has a more robust set of file transfer capabilities than FTP. There are well-defined and supported SFTP commands for file and directory access, file integrity checking, and file transfer resume capabilities. Many of these capabilities have been added on to FTP over the years, but they aren’t all well standardized, or widely supported.
HyperText TransferProtocol (HTTP and HTTPS)
The HTTP protocol has been around since the beginning of the World Wide Web, and is one of the foundational technologies underpinning the modern Internet. Like its file transfer-focused cousin, FTP, the HTTP protocol is unencrypted and inherently unsafe as a secure file transfer protocol. However, it can be safely secured by tunneling over TLS – in much the same way as FTPS makes FTP secure by tunneling it over TLS. This is what HTTPS does. It runs the HTTP protocol over a secure TLS connection. We rely on HTTPS today to securely browse websites and safely make purchases online. We can leverage this same protocol to provide secure file transfer services to clients.
Web browsers that use the HTTP protocol are ubiquitous today, and we can take advantage of that fact to offer a secure file transfer system based around HTTPS. One of the challenges with FTPS and SFTP is that a customer has to have a file transfer client installed that supports those protocols, and the customer has to be trained on how to use that client.
Secure file transfer systems based on HTTPS overcome those two issues because nearly every system today has a web browser installed, and most users are familiar with the basics of using a web browser.
Comparing SFTP, FTPS, and HTTPS
Now that you understand the background of the different file transfer protocols, it’s helpful to discuss how they compare across a few criteria.
The original FTP protocol offers no security and transmits commands and data in an open, easily eavesdropped connection. It was developed over 40 years ago when the networks it was designed to run on were simpler – and safer. Despite the long understood security vulnerabilities in running plain FTP, there are many implementation still in use today. Plain FTP is inherently insecure, and should be avoided in favor of FTPS, SFTP, or HTTPS.
In terms of security, the SFTP, FTPS, and HTTPS protocols are considered secure. The requirement to open up multiple ports with FTPS can be viewed as a security concern but there is nothing inherently more secure about the SFTP protocol over the FTPS protocol. Either is appropriate when a secure connection is required, but SFTP tends to be easier to configure and more firewall friendly.
The SSH protocol that secures SFTP also has a simpler security model than TLS (the protocol used to secure FTP connection). The TLS protocol relies on a complex public trust infrastructure, revolving around Certificate Authorities (CA), signed x509 certificates, and trust verification and revocation mechanisms. TLS and its supporting security infrastructure has been instrumental in allowing the modern web and ecommerce to grow and thrive, but the additional complexity also increases the security protocol’s attack surface.
Still, this added complexity has added benefits for customers. With a TLS-based protocol like FTP and HTTPS, your customers can rely on your trusted TLS certificate to verify that you are who you say you are. This isn’t easily done with SFTP connections, which require some secure method of offline verification for the client to verify that the server they are connecting to is who they say they are.
Raw file transfer performance is the one area where FTPS really shines, and would be the only real advantage I would give FTPS over SFTP. SFTP runs over a considerably more robust and generic protocol than FTPS, and that robustness imparts a significant performance impact. There’s simply a lot more overhead involved in SFTP file transfers.
The overhead in the SFTP protocol is because SFTP runs on top of the SSH2 protocol, and because SFTP implements its own handshaking mechanism. If you want the highest transfer speeds possible over a secure connection then you want FTPS.
HTTPS provides similar file transfer performance to FTPS for downloads. There’s just not a lot of overhead for an HTTPS download. File uploads are somewhat more complex, and can be a bit slower than FTPS.
Ease of Use
Security and performance are critical aspects of any secure file transfer system, but if the end user doesn’t find the system intuitive and easy to use then they aren’t likely to use it.
The HTTPS web client has a clear advantage over the other protocols in this area. Nearly everyone has a web browser installed and understands the basics of how to navigate a web page. There’s no need to install separate file transfer client software, and users are guaranteed a consistent experience no matter what device they are on.
The only function that traditional FTPS and SFTP clients tend to excel at are large numbers of file downloads. It’s not possible to download large numbers of files at the same time in the HTTPS web client due to the way web browsers currently process file downloads. While you can select multiple files and directories and zip them on the server before downloading, this isn’t always ideal for some power users. For these use cases, a traditional file transfer client is sometimes the best option.
There are good reasons to support FTPS, SFTP, and HTTPS for secure file operations, and even FTP for legacy devices. Organizations rarely have the option of supporting only one file transfer protocol, and solutions that support all 3 are commonplace today.
In addition, there are simply some use cases that lend themselves much more readily to one protocol over another. Having a variety of options and methods available for your customers to securely transfer files gives you and your customers the most flexibility. In today’s interconnected, data critical world, it’s important that everyone in your organization has easy and secure access to a reliable file transfer system.