FTPS And SFTP - Which Is More Secure?

 Both FTP and SFTP are widely used file transfer protocols today. The FTP protocol was invented in the 1970s but is still an essential means of data distribution and transfer for many businesses and organizations. SFTP was spawned by the well-known secure shell (SSH) protocol as its native file transfer framework. We now offer a deeper look at their backgrounds and underlying technologies and then make a conclusion on which is more secure. 

What is File Transfer Protocol (FTP)?

FTP, also known as File Transfer Protocol, can be defined as a network protocol for transferring files between two computer systems. The files are transferred over TCP/IP connections. FTP servers act as a hub where all the important data can be stored and accessed by different users of an organization to maintain time-efficient data management.

Types of Secure FTP

Implicit Secure FTP (FTPS)

Implicit FTPS, by default, provides service on port 990. SSL handshake takes place right upon connection is established. All messages and data exchanged between the connecting client and server are encrypted.

FTP Over Explicit SSL/TLS (FTPES)

This explicit approach to file transfer allows TLS support by boosting an FTP connection (with the PROT command) to an encrypted one. This is usually performed via the regular well-known FTP port 21.

What is SFTP?

SFTP, also known as SSH (Secure Shell) file transfer protocol, is crafted to handle file transfer and management over the network. The protocol doesn't have built-in security per se; rather, it depends on an underlying secure socket layer to function, usually SSH. (Yes, the same group of people invented them both.)

On a Unix or Linux system, SFTP is typically a subsystem that exchanges raw file data and instructions with the parent SSH process. The latter is responsible for encrypting and protecting the data when it goes on the wire.

The Secure Copy Protocol (SCP) is an alternative file transfer protocol that runs on top of the SSH layer. As the name implies, it was designed to replace the regular Unix cp command to enable file copying over the network in a secure way.

The primary functions of SCP are to build a connection between two systems, copy files from one system, and then close the link once the files have been copied into the other. Compared to SFTP, SCP is much simpler and doesn't allow file manipulation features like delete, rename, move, directory listing, etc. 

Differences between FTPS and SFTP

Plain FTP should be avoided to transfer unprotected plaintext data over the network. Now let's look at some of the key differences between secure FTP (FTPS) and Secure Shell (SSH) File Transfer Protocol (SFTP).

Encryption

In simple words, encryption is a way of obfuscating your actual data, for example, before sending it to the recipient. Encryption aims to make data restoration mathematically impossible without knowing the encryption key. Since the FTP protocol does not provide any layer of data protection, the SSL/TLS is employed to protect the plaintext FTP traffic.

SFTP, on the other hand, relies on the underlying SSH layer to protect data privacy. Similar to SSH, SFTP is also a packet-based network protocol. 

Firewall Traversal

File transfer protocol requires a control channel and a data channel to complete a session of the file transfer. There are two approaches to establishing a data connection: the active mode and the passive (PASV) mode. In active mode, the server needs to initiate a socket connection to the client, which is often not practical since most client devices are behind a NAT firewall. Passive FTP, on the contrary, requires the client to fire another connection to the server for data transfer. Again, this gives rise to the firewall problem on the server side if it is behind a NAT router. Since the FTP data port is chosen randomly for each FTP client, a range of ports must be opened for FTP on the firewall, which potentially increases the attack surface. SSH file transfer protocol, however, only needs one SSH port (e.g., 22) to send and receive commands and data. This makes the firewall configuration relatively simple and ensures minimal exposure.

Which is more secure?

We know that FTPS and FTPES are protected by SSL/TLS, and SFTP are protected by SSH (Secure Shell). They are as secure as their underlying encryption layers. SSL and SSH suffered various vulnerabilities and exploitations during their evolutions at the protocol or the implementation level. Below we highlight some of them.

SSH doesn't offer a digital certificate mechanism as SSL does. Verifying the authenticity of an SSH host relies on the fingerprint of the SSH host key. A valid SSL certificate, based on the sophisticated X.509 standard, ensures that you connect to a host that is what it claims to be by its domain name.

The Heartbleed Bug was found in the well-known SSL library OpenSSL, which allows attackers to access private information such as usernames and passwords.

POODLE attacks are a common threat to the SSL/TLS protocol. An attack targeted to cause connection failure can lead to protocol version negotiation. Once the SSL version downgrades to 3.0, the ciphers used in the protocol give way to a successful poodle attack. 

To summarize, both FTPS and SFTP offer solid security and protection as long as their underlying cryptographic socket layer is secure and vulnerability-free. SFTP based on SSH is more firewall-friendly. Secure FTP should be used with the most updated version of TLS for the best protection.