What’s the difference between FTPS and SFTP and which is better for my application?
FTP-Stream is a cloud-managed file transfer service offering customers a number of access methods (protocols), including three encrypted ones: FTPS, SFTP and HTTPS.
HTTPS is of course secure web access (HTTP over SSL/TLS), familiar as the method that protects e-commerce websites, for example.
SFTP and FTPS are both secure file transfer protocols supported by most FTP client software, such as FileZilla or CuteFTP on the PC and Cyberduck or Transmit on the Mac.
The first thing you need to know is that encryption strength is not the deciding factor: both protocols negotiate the same families of modern ciphers once the session is set up, so neither is "more encrypted" than the other. So what are the differences?
FTPS is FTP over SSL/TLS, much as a secure website is HTTP over SSL/TLS. The client opens a TCP connection to the server and negotiates an encrypted TLS session, either explicitly (connecting to port 21 and sending the AUTH TLS command before any credentials are exchanged) or implicitly (connecting to port 990, where TLS starts immediately). The server presents an X.509 certificate containing its public key and verifiable information about the certificate owner; more on this below.
The client then runs an ordinary FTP session inside the encrypted channel. FTP uses two TCP connections: the control channel on port 21 and a separate data channel on a port the server chooses at random and announces in its reply to the client's PASV command. This is where FTPS runs into firewall problems. An FTP-aware firewall normally reads that reply and opens the announced port just in time; once the control channel is encrypted the firewall cannot read the conversation, so it never opens the randomly selected port and the data connection is blocked. The usual workaround is to configure the server with a fixed passive port range and open that range on the firewall.
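As an added illustration, not part of the original article, the Python below does what an FTP-aware firewall does with the passive-mode reply: it parses the server's 227 (PASV) or 229 (EPSV) line to learn which data port to open. The control-channel lines it is fed are constructed samples; the last one is the start of a TLS record, which is all the same bytes amount to once the control channel is FTPS-encrypted.

```python
import re

# Added example for this article, not code from FTP-Stream or Maytech.
# The control-channel lines below are constructed samples, not captured traffic.

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)  -> data port is p1*256 + p2
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# 229 Entering Extended Passive Mode (|||port|)  -> data host is the control host
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def data_endpoint(control_line: bytes):
    """Mimic an FTP-aware firewall reading the server's passive-mode reply.

    Returns (host, port) for the data connection the firewall must allow, with
    host=None for EPSV (same host as the control channel), or None when the line
    cannot be understood.
    """
    try:
        text = control_line.decode("ascii").strip()
    except UnicodeDecodeError:
        # TLS records are binary: this is what an FTPS control channel looks
        # like to the firewall, so it cannot learn the data port and never opens it.
        return None
    m = PASV_RE.match(text)
    if m:
        h1, h2, h3, h4, p1, p2 = map(int, m.groups())
        port = p1 * 256 + p2
        if not 1 <= port <= 65535 or max(h1, h2, h3, h4) > 255:
            return None
        return (f"{h1}.{h2}.{h3}.{h4}", port)
    m = EPSV_RE.match(text)
    if m:
        port = int(m.group(1))
        return (None, port) if 1 <= port <= 65535 else None
    return None


# Constructed samples of what the firewall sees on the control channel.
PLAIN_PASV = b"227 Entering Passive Mode (192,0,2,10,195,80)\r\n"
PLAIN_EPSV = b"229 Entering Extended Passive Mode (|||50001|)\r\n"
# First bytes of a TLS 1.2 application-data record (content type 0x17) that
# would carry the same reply over FTPS; the payload is opaque ciphertext.
ENCRYPTED_PASV = bytes.fromhex("170303002a") + bytes(range(0x80, 0x80 + 42))


if __name__ == "__main__":
    for line in (PLAIN_PASV, PLAIN_EPSV, ENCRYPTED_PASV):
        print(line[:24], "->", data_endpoint(line))
```

The plaintext PASV reply yields 192.0.2.10 port 50000 (195*256 + 80) and the EPSV reply port 50001; the encrypted line yields nothing, which is exactly why a fixed passive port range has to be opened in advance for FTPS.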
SFTP stands for SSH File Transfer Protocol. Despite the name it shares nothing with FTP on the wire: it is a separate file-access protocol that runs as a subsystem of the SSH (Secure Shell) protocol and inherits SSH's encryption and authentication.
SFTP runs over a single TCP connection on port 22, so firewall problems are rare. SFTP is a secure encrypted protocol and the server does prove its identity, with an SSH host key, but there is no public certificate infrastructure behind that key: the client has to verify the host key fingerprint itself, out of band, the first time it connects, and the key is then remembered (the known_hosts list in OpenSSH). Accepting an unknown host key blindly on that first connection gives up the protection against a man-in-the-middle.
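The host key check described above, written out as an added example (this is not Maytech's or FTP-Stream's code, and an OpenSSH client performs the same check for you through known_hosts). The key bytes are constructed placeholders and ftp.mydomain.com is the article's own example host; the fingerprint format is the one `ssh-keygen -lf` prints, so a value published by the server operator can be pinned directly.

```python
import base64
import hashlib
import hmac
import struct

# Added example for this article, not Maytech's or FTP-Stream's code.
# The host name is the article's placeholder and the key bytes are constructed;
# they do not belong to any real server.


def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string' (RFC 4251): 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_hostkey_blob(raw_pubkey: bytes) -> bytes:
    """Public-key blob as it appears in known_hosts and in the SSH key exchange:
    string "ssh-ed25519" || string <32-byte key>."""
    if len(raw_pubkey) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts_line(line: str):
    """Split one plain (unhashed) known_hosts entry into (hosts, key type, blob).
    Hashed entries beginning with '|1|' are not handled here."""
    hosts, key_type, b64 = line.split()[:3]
    return hosts.split(","), key_type, base64.b64decode(b64)


def host_key_matches(pinned_fingerprint: str, presented_blob: bytes) -> bool:
    """The check an SFTP client must make on connection: does the key the server
    just presented match the fingerprint we already trust?"""
    return hmac.compare_digest(pinned_fingerprint, fingerprint(presented_blob))


# --- constructed demo data -------------------------------------------------
SERVER_KEY = bytes(range(32))                    # placeholder, not a real key
SERVER_BLOB = ed25519_hostkey_blob(SERVER_KEY)
PINNED = fingerprint(SERVER_BLOB)                 # obtained out of band from the operator
KNOWN_HOSTS_LINE = "ftp.mydomain.com ssh-ed25519 " + base64.b64encode(SERVER_BLOB).decode()
ATTACKER_BLOB = ed25519_hostkey_blob(bytes(32))   # a man-in-the-middle's own key


def check_connection(known_hosts_line: str, presented_blob: bytes) -> bool:
    """Later connections: trust only a key matching the stored known_hosts entry."""
    _, key_type, stored_blob = parse_known_hosts_line(known_hosts_line)
    return key_type == "ssh-ed25519" and host_key_matches(fingerprint(stored_blob), presented_blob)


if __name__ == "__main__":
    print("pinned:", PINNED)
    print("genuine server accepted:", check_connection(KNOWN_HOSTS_LINE, SERVER_BLOB))
    print("impostor accepted:", check_connection(KNOWN_HOSTS_LINE, ATTACKER_BLOB))
```

The point of the example is what replaces the certificate authority in SFTP: the operator publishes the fingerprint, the client pins it (or stores the key after verifying it once), and every later connection is compared against that stored value rather than against a CA signature.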
Keys and Certificates
Under normal interactive operation there is no need to generate key pairs by hand for either SFTP or FTPS: the client software and the server negotiate the session keys automatically.
Maytech can, however, install an SSL/TLS certificate on the FTPS service for identity assurance. Just as with a secure website, the user can then be assured of the server's identity through the public key infrastructure, with certificates signed by a certificate authority such as Verisign. This means that users connecting to a host such as ftp.mydomain.com can be sure they are talking to that host, provided their client actually verifies the certificate and host name; some client libraries skip this check unless told to.
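What "verifying the certificate" means on the client side, as an added example (not FTP-Stream's or Maytech's code). It uses Python's standard ftplib, whose FTP_TLS class accepts any certificate unless it is handed a verifying TLS context; the snippet shows the weak default beside the hardened client and the PROT P step that encrypts the data channel as well. ftp.mydomain.com is the article's placeholder host; nothing connects to it unless you call fetch_listing() yourself.

```python
from __future__ import annotations

import ssl
from ftplib import FTP_TLS

# Added example for this article, not FTP-Stream's or Maytech's code.
# EXAMPLE_HOST is the article's placeholder; only fetch_listing() would connect.
EXAMPLE_HOST = "ftp.mydomain.com"


def is_strict(ctx: ssl.SSLContext) -> bool:
    """True when the context demands a trusted certificate that matches the host name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def default_ftps_client_verifies() -> bool:
    """Does ftplib's FTP_TLS, left with its default context, check the certificate?

    FTP_TLS() with no host builds the object without connecting, so this is safe
    offline. The stock context accepts any certificate for any name.
    """
    return is_strict(FTP_TLS().context)


def verifying_context(ca_bundle: str | None = None) -> ssl.SSLContext:
    """TLS context that requires a CA-signed certificate matching the host name.

    ca_bundle: PEM file for a private CA; None means the system trust store.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def ftps_client(ca_bundle: str | None = None) -> FTP_TLS:
    """An FTP_TLS object that refuses a server whose certificate does not verify."""
    return FTP_TLS(context=verifying_context(ca_bundle))


def fetch_listing(host: str, user: str, password: str, ca_bundle: str | None = None) -> list[str]:
    """Explicit FTPS: connect on 21, upgrade with AUTH TLS, then protect the data
    channel too. Needs a real server, so it is not exercised by the tests."""
    ftps = ftps_client(ca_bundle)
    ftps.connect(host, 21)
    ftps.login(user, password)  # login() issues AUTH TLS before sending the password
    ftps.prot_p()               # PROT P: without it the data channel stays in cleartext
    try:
        return ftps.nlst()
    finally:
        ftps.quit()


if __name__ == "__main__":
    print("default FTP_TLS verifies the server:", default_ftps_client_verifies())
    print("hardened client verifies the server:", is_strict(ftps_client().context))
```

Two details matter in practice: the verifying context must be supplied at construction time (a client library that defaults to no verification gives you encryption without identity, which is exactly the gap the certificate is meant to close), and the data channel is a separate TLS session that only PROT P switches on.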
Automated File Transfer
Both protocols are widely used for secure machine-to-machine file transfer, and SFTP and FTPS components exist for most common programming languages.
FTP-Stream users can optionally generate an SFTP key pair and upload the public key to the server. This is the common scenario for automated file transfer: the script authenticates with its private key instead of a stored password, which makes scripting easier and keeps passwords out of scripts and configuration files. The private key file should be readable only by the account that runs the transfer.
Which is the best protocol for my application?
Generally we recommend SFTP, as you are less likely to encounter firewall problems. Choose FTPS where you wish to rely on the public key infrastructure (CA-signed certificates) to assure the server's identity.
If you are setting up automated machine-to-machine file transfer you will also need to consider the availability of software components. For example, .NET has built-in FTPS support (FtpWebRequest with EnableSsl), whereas for SFTP you will have to rely on third-party components.
If you have any questions about secure file transfer you can mail me at antony@maytech.net; we'd love to hear from you.