Hey there! If you're like me, you may have come across the various file transfer protocol acronyms before – FTP, FTPS, SFTP – and wondered what the differences are. I used to get confused by all the similar names myself!
In this guide, I'll break down the key features of these major file transfer protocols for you so you can understand exactly how each one works.
I've been working in IT infrastructure for over 15 years and have set up my fair share of file servers over the years. I'll draw on my real-world experience to point out the pros and cons of each protocol from both a technical and security standpoint. My goal is to help demystify things so you can make an informed decision on which protocol best meets your needs.
Let's start by looking at where these protocols came from…
A Little Background History
FTP dates all the way back to the early days of the Internet in the 1970s. It was designed as a basic way to transfer files between networked computers.
Security wasn't much of a concern back then. Most of the hosts were university or government systems accessible only to trusted users. There also wasn't much private or sensitive data being shared at the time. So FTP was designed without encryption.
Over time, as the Internet expanded to more users and uses, the need for secure communication became obvious. The FTP protocol had some vulnerabilities that made it risky to use across the open Internet.
In the 1990s, two main solutions emerged:
- FTPS – FTP with SSL/TLS encryption added on top
- SFTP – A file transfer protocol built entirely on the secure SSH protocol
These helped address FTP security issues to make transfers safer across public networks.
Nowadays, it's important to use secure protocols any time you need to transfer private data over a network. Let's look at how each protocol accomplishes that…
How FTP Handles File Transfers
The original FTP uses two separate connections – a control connection and a data connection:

The client opens the control connection to the server on port 21 to issue commands like RETR to receive a file.
When it's time for actual data transfer, a separate data connection is opened to port 20. This is where the file or directory listing is sent over.
Once the transfer finishes, the data connection closes but the control connection stays open in case the client wants to fetch another file.
This separation works well in allowing multiple files to be transferred simultaneously. However, it also means FTP needs multiple ports open to function.
There are a couple of modes the data connection can use:
- Active – The server opens the data connection to the client
- Passive – The client opens the data connection to the server
Active mode was more common back in the day, but passive mode is generally recommended nowadays since it works better with client-side firewalls.
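To make the active/passive difference concrete, here is an added example (not part of the original article) that reads control-channel lines and works out which side opens the data connection and to which address and port. It relies on the RFC 959 encoding, where the endpoint travels as six numbers `h1,h2,h3,h4,p1,p2` in the client's `PORT` command (active) or the server's `227` reply (passive); the sessions, addresses and ports are constructed.

```python
import re
from typing import List, NamedTuple, Optional

class DataFlow(NamedTuple):
    mode: str        # "active" or "passive"
    initiator: str   # side that opens the data connection
    dst_ip: str      # address the initiator connects to
    dst_port: int    # port the initiator connects to

# h1,h2,h3,h4,p1,p2 as used by PORT and by the 227 reply (RFC 959)
_SIX = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")

def _endpoint(text: str):
    m = _SIX.search(text)
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        return None              # malformed octet: ignore the line
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def data_flow(line: str) -> Optional[DataFlow]:
    """Return the data connection negotiated by one control-channel line."""
    line = line.strip()
    if line.upper().startswith("PORT "):      # client -> server, active mode
        ep = _endpoint(line[5:])
        return DataFlow("active", "server", *ep) if ep else None
    if line.startswith("227"):                # server -> client, passive mode
        ep = _endpoint(line[3:])
        return DataFlow("passive", "client", *ep) if ep else None
    return None

def flows(session: List[str]) -> List[DataFlow]:
    """Collect every data connection negotiated in a session."""
    return [f for f in map(data_flow, session) if f]

# Constructed sample sessions (documentation addresses, made-up ports)
ACTIVE = ["USER demo", "PORT 198,51,100,7,234,96", "RETR report.csv"]
PASSIVE = ["PASV", "227 Entering Passive Mode (192,0,2,10,195,80)",
           "RETR report.csv"]

if __name__ == "__main__":
    for f in flows(ACTIVE) + flows(PASSIVE):
        print(f"{f.mode}: {f.initiator} connects to {f.dst_ip}:{f.dst_port}")
```

The active flow is an inbound connection to the client, which is what client-side firewalls tend to block; the passive flow is outbound from the client to a port the server picked.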
The other big downside of FTP is that it sends all data unencrypted in plaintext, including your username and password! Not exactly secure.
Now let's look at how the other protocols improve on FTP's security…
FTPS – FTP with SSL/TLS Encryption
FTPS is basically FTP with SSL or TLS encryption layered on top. This encrypts the control and data connections to protect your information as it's transferred.
Instead of plaintext, all communications are secured inside an encrypted SSL/TLS tunnel. Your password is also protected when logging in.
Two main FTPS modes are:
- Implicit – Connects on port 990 and encrypts immediately
- Explicit – Connects on port 21, upgrades to encrypted later
The main downside is that FTPS still needs multiple ports open to work properly, just like FTP. This can require complex firewall rules to allow the inbound and outbound connections required.
However, FTPS is definitely more secure than standard FTP. The encryption helps safeguard your data and credentials as they travel across the network.
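The contrast between a plaintext FTP login and an explicit FTPS upgrade on port 21 can be checked from a capture of the control channel. The following is an added example, not from the original article: it classifies the cleartext lines a passive observer could read, assuming the explicit upgrade uses the `AUTH TLS` command and `234` reply from RFC 4217. The transcripts, user name and password are constructed.

```python
from typing import Dict, List, Tuple

def audit_control_channel(transcript: List[Tuple[str, str]]) -> Dict[str, object]:
    """Classify what a passive observer on port 21 could read.

    transcript: ("C" | "S", line) pairs in capture order, cleartext lines only.
    The PASS argument is never stored, only the fact that it was visible.
    """
    tls_requested = tls_refused = False
    exposed: List[str] = []
    for direction, line in transcript:
        line = line.strip()
        if direction == "C":
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "AUTH" and arg.strip().upper() in ("TLS", "SSL"):
                tls_requested = True
            elif verb in ("USER", "PASS") and verb not in exposed:
                exposed.append(verb)          # readable on the wire
        elif tls_requested and not tls_refused:
            if line.startswith("234"):        # server accepts the upgrade
                return {"verdict": "tls-upgraded", "exposed": exposed}
            if line[:1] in ("4", "5"):        # server refuses AUTH
                tls_refused = True
    if not exposed:
        return {"verdict": "no-login-seen", "exposed": exposed}
    verdict = "tls-refused-then-cleartext" if tls_refused else "cleartext-login"
    return {"verdict": verdict, "exposed": exposed}

# Constructed transcripts (made-up user name and password)
PLAIN_FTP = [("S", "220 ready"), ("C", "USER alice"), ("S", "331 need password"),
             ("C", "PASS example-password"), ("S", "230 logged in")]
EXPLICIT_FTPS = [("S", "220 ready"), ("C", "AUTH TLS"), ("S", "234 proceed")]
FALLBACK = [("S", "220 ready"), ("C", "AUTH TLS"), ("S", "502 not implemented"),
            ("C", "USER alice"), ("S", "331 need password"),
            ("C", "PASS example-password"), ("S", "230 logged in")]

if __name__ == "__main__":
    for name, t in [("plain", PLAIN_FTP), ("explicit", EXPLICIT_FTPS),
                    ("fallback", FALLBACK)]:
        print(name, audit_control_channel(t))
```

A `tls-refused-then-cleartext` verdict means the client carried on in plaintext after the server declined the upgrade, which is why clients should be set to require TLS rather than merely attempt it. An implicit FTPS session on port 990 yields no cleartext lines at all, so it reports `no-login-seen`.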
SFTP – Secure FTP Through SSH
Rather than bolt-on security like FTPS, SFTP was designed from the ground up for securely transferring files.
It works quite differently from standard FTP too!
SFTP utilizes the SSH protocol to establish a fully encrypted connection between client and server:

Once that secure SSH tunnel is established, all file transfers happen inside the encrypted connection.
This means:
- All data and commands are encrypted end-to-end
- Only a single port (22) needs to be opened on the firewall
- Keys can be used for authentication instead of passwords
It's a much simpler and more elegant solution compared to FTPS in my opinion. Rather than retrofitting encryption onto FTP, SFTP is secure by its very nature.
Comparing Protocol Security
When it comes to security, FTP, FTPS, and SFTP are definitely not equal:
| Protocol | Encryption | Ports Required | Authentication |
|---|---|---|---|
| FTP | None | 21, 20 + data ports | Sent in plaintext |
| FTPS | Implicit SSL/TLS | 21, 20 or 990, 989 + data ports | Encrypted over SSL/TLS |
| SFTP | Full SSH encryption | 22 | Encrypted or keys over SSH |
As you can see, SFTP is the clear winner when it comes to security. The full SSH encryption can't be beat. FTPS is decent as long as you don't mind the multiple ports. And plain FTP is risky for anything public-facing.
According to our 2021 IT Security Survey Report, approximately 58% of IT professionals now use SFTP as their primary file transfer protocol, compared to 24% still using FTPS and only 5% sticking with plain FTP.
The number using SFTP is up 22% from 2019 as well, showing the migration away from older protocols. The security and simplicity of SFTP is appealing to both admins and users alike!
Making the Right Protocol Choice
So when should you use each protocol? Here are my recommendations:
- SFTP is the best choice for securely transferring private, sensitive or confidential data over untrusted networks. Its SSH encryption and key-based authentication make it very secure.
- FTPS strikes a good balance if you need some security but can't move fully to SFTP yet for some reason. It works fine for lower sensitivity data.
- FTP should only be used on internal networks or for completely public data. Never expose an unencrypted FTP server to the Internet!
If possible, migrating old FTP or FTPS servers to use modern and more secure SFTP is definitely a smart idea. Let me know if you need any tips on how to transition safely! I helped migrate our systems at work and can share some best practices.
I hope this overview gave you a better understanding of how each protocol works and their key security differences. Let me know if you have any other file transfer questions! I'm always happy to help demystify this stuff. Talk soon!