Tag Archives: sftp

Is SFTP better than FTPS?


First of all, it’s important to say that there is a lot of confusion when it comes to secure file transfer protocols: surprisingly, most people think that SFTP and FTPS are “the same thing”. Many others think that SFTP is “Secure FTP” (it is not), and that FTPS is just a case of “you meant SFTP, right?”. So, once and for all, let’s try to shed some clarity on what these protocols really are:

  • SFTP: the acronym stands for SSH File Transfer Protocol, and – as the name itself says – it is a subsystem of the SSH (Secure Shell) protocol
  • FTPS: it is a “secured” version of the FTP protocol, encapsulated inside an SSL or TLS channel (just like HTTPS, SMTPS, IMAPS, POP3S, …)

So, which one is better? As always, it depends on many other factors. Each protocol was designed to perform at its best in certain particular scenarios, so depending on what exactly you have to accomplish, either one may be the better or the worse choice in your particular case. Let’s look at some of the distinctive features of both protocols, so we have enough information to make an educated choice in due time.

How to run a HIPAA compliant SFTP server


Some people believe that simply switching from FTP to SFTP will make their file transfers compliant with the HIPAA regulation. Well, that’s actually not enough. Whether you’re compliant or not strongly depends on how you configure your SFTP server’s security settings.

First of all, it is important to understand that SFTP is not a stand-alone protocol: it is a subsystem of the SSH protocol, and therefore securing your SFTP file transfers means making sure that the SSH channel around them is secure.

SSH is a very fine-grained protocol when it comes to security: in fact, it features a very effective “security scheme negotiation” upon connection establishment. During this phase, the client and the server negotiate a range of supported encryption (protection) and MAC (verification) algorithms. If the server offers some weak algorithms during this phase, and the client elects to use one of them, then the security level drops tremendously, and HIPAA compliance is gone.
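The negotiation described above is carried by the SSH_MSG_KEXINIT message (RFC 4253), in which each side lists the key exchange, host key, cipher and MAC algorithms it supports. The following is an added example, not code from the original post or from any SFTP server product: it builds a constructed KEXINIT payload, parses it back, and reports which of the advertised algorithms fall into a small, assumed deny list of algorithms widely regarded as weak (the list is illustrative, not a compliance standard).

```python
"""Audit the algorithm lists a server advertises in SSH_MSG_KEXINIT (RFC 4253)."""
import struct

# Assumed deny list of legacy algorithms; extend it to match your own policy.
WEAK = {
    "kex": {"diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1"},
    "cipher": {"arcfour", "arcfour128", "arcfour256", "3des-cbc", "aes128-cbc", "aes256-cbc"},
    "mac": {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"},
}

def _name_list(names):
    """SSH name-list: uint32 length followed by comma-separated names."""
    s = ",".join(names).encode()
    return struct.pack(">I", len(s)) + s

def build_kexinit(kex, hostkey, ciphers, macs):
    """Construct a KEXINIT payload as a server would send it (sample data only)."""
    body = bytes([20]) + b"\x00" * 16  # message id 20, then a 16-byte cookie (zeroed here)
    # Ten name-lists: kex, host key, enc c2s, enc s2c, mac c2s, mac s2c, comp c2s, comp s2c, lang c2s, lang s2c
    for lst in (kex, hostkey, ciphers, ciphers, macs, macs, ["none"], ["none"], [], []):
        body += _name_list(lst)
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows=FALSE, reserved=0

def parse_kexinit(payload):
    """Return the kex, host key, cipher (c2s) and MAC (c2s) lists from a KEXINIT payload."""
    if payload[0] != 20:
        raise ValueError("not SSH_MSG_KEXINIT")
    pos, lists = 17, []  # skip message id and cookie
    for _ in range(10):
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        raw = payload[pos:pos + n].decode()
        lists.append(raw.split(",") if raw else [])  # an empty name-list is valid
        pos += n
    return {"kex": lists[0], "hostkey": lists[1], "cipher": lists[2], "mac": lists[4]}

def weak_offers(payload):
    """Map each category to the weak algorithms the server offers in it (empty dict if none)."""
    offered = parse_kexinit(payload)
    hits = {k: sorted(set(offered[k]) & WEAK[k]) for k in WEAK}
    return {k: v for k, v in hits.items() if v}

if __name__ == "__main__":
    sample = build_kexinit(["diffie-hellman-group1-sha1", "curve25519-sha256"], ["ssh-ed25519"],
                           ["3des-cbc", "aes256-ctr"], ["hmac-md5", "hmac-sha2-256"])
    print(weak_offers(sample))
```

Removing every algorithm the audit flags from the server's configuration means that no client, however it is configured, can negotiate one of them.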