First of all, it’s important to say that there is a lot of confusion when it comes to secure file transfer protocols: surprisingly most people think that SFTP and FTPS are “the same thing”. Many other people think that SFTP is “Secure FTP”, which is not, and FTPS is just “you meant SFTP, right?”. So, once and for all, let’s try to shed some clarity on what these protocols really are:
- SFTP: the acronym stands for SSH File Stransfer Protocol, and – as the name says itself – it is a subsystem of the SSH (Secure Shell) protocol
- FTPS: it is a “secured” version of the FTP protocol, encapsulated inside a SSL or TLS channel (just like HTTPS, SMTPS, IMAPS, POP3S, …)
So, which one is better? As always, it depends on many other factors. Each protocol was designed to perform at its best in certain particular scenarios, so depending on what exactly you have to accomplish, each one of them may be better or worse in the particular case. Let’s see some of the distinctive features of both protocols, so we can have enough information to make an educated choice in due time.
SFTP
| Pros | Cons |
|---|---|
| Firewall friendly: being a subsystem of the SSH protocol, SFTP only uses port 22 (inbound) on the server side, no other inbound nor outbound port must be opened on your firewall | Not human readable: SSH (and thus SFTP) is a binary protocol, not designed to be read/understood by a human, this makes protocol analysis a bit harder |
| Filesystem-like: the SFTP protocol is designed to work pretty much like a real file system | Slightly slower: control and synchronization packets are sent on the same channel as data packets, this may render SFTP slightly (but not significantly) slower than FTPS |
| Highly secure: wide array of configurable cipher suites, both with regards to the encryption and to the MAC (HMAC) algorithms | Many drafts: there are 7 drafts of the SFTP protocol, but none of them made it to become a standard. Yet, SFTPv3 and SFTPv6 are so widely adopted and supported that may be considered "standard de facto" |
| Compliant: SFTP is the recommended file transfer protocol in many important international regulations, such as (for example) PCI-DSS, and HIPAA | No trust-delegation: SSH host keys are issued by the server admin, and must be trusted by the client; there is no independent Certification Authority trusted by both parties that can issue SSH host keys |
FTPS
| Pros | Cons |
|---|---|
| Human readable: the protocol is elegant, and very easy to read and understand by a human, with standardized response codes and explanatory text | Firewall nightmare: active FTP(S) requires the client to be directly reachable over the network (99.9% of the times this is impossible) while passive FTP(S) requires to open many ports (21, 990, plus all passive ports) on the firewall |
| Blazingly fast: FTP(S) is designed for speed, with control channel and data channel running asynchronously in two distinct connections to achieve the maximum possible data transfer speed | Not intrinsically secure: FTPS is FTP inside SSL/TLS, but not all FTP servers support SSL/TLS encryption, and the protocol allows to "fallback" to plain (unencrypted) FTP |
| Highly secure: wide array of configurable cipher suites, as well as SSL/TLS operational modes and versions | No uniform directory listing format: an attempt was made in RFC 3659 to unify the directory listing format, but many FTP servers still don't support the MLSD protocol extension |
| Delegated trust: SSL/TLS encryption trust is based on X.509 certificates that can be issued by external Certification Authorities that are trusted by both parties | No standard for changing permissions: there is no clear standard way in the FTP(S) protocol to modify file and directory permissions, FTP(S) does not operate like a file system |
As you can see there is no such thing as a “winner” here. But based upon the specific scenario, and the particular needs that such scenario implies, one protocol may be more suitable than the other one.
