January 2, 2005

    Secure File Transfer Protocols: FTPS vs. SFTP vs. HTTPS

    The intent of this article is to explain how the FTPS, SFTP and HTTPS protocols differ from one another, and the advantages and disadvantages of each method of encryption.


    FTPS (FTP using SSL) - Best for Secure and Automated Transfers

    Advantages:

    1. Uses 256-bit SSL encryption
      • Username and password are encrypted, as opposed to being sent over the Internet as clear text, as with standard FTP.
      • Data files are sent over an encrypted channel. [Note - This may be user-selectable on stand-alone client software]
      • No one can snoop or sniff out your login information or the contents of your data files on the public Internet.
    2. Third party FTPS client software compatible
      • Many standalone FTPS client software packages can automate and schedule unattended transfers... a BIG ADVANTAGE.
      • Some of your users may already have FTPS client software and prefer it to our web-based method (next).
    3. Users are jailed to their private FTP folders based upon username.
    4. Activity log keeps track of all user activity.

    Disadvantages:

    1. Your end users will have to license and install FTP client software ($0 to $50) with FTPS capabilities.
    2. FTPS is not always "firewall-friendly"; you and your clients with firewalls may therefore have to arrange for certain TCP/IP ports to be open to your FTP Today FTP site's IP address. This is not a major hurdle and our support staff will guide you.
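
    Why FTPS needs those extra ports: the server announces each data-connection port inside the control channel, and once that channel is encrypted a firewall can no longer read the reply and open the port on demand, so a fixed passive range has to be allowed. The sketch below is an added example, not part of the original article; the sample replies and the 50000-50100 range are constructed, and the `|` delimiter in the 229 reply is assumed.

```python
import re

# Constructed control-channel replies (addresses from a documentation range).
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (203,0,113,10,195,80)",
    "229 Entering Extended Passive Mode (|||50021|)",
    "227 Entering Passive Mode (203,0,113,10,4,1)",
]

PASV_RE = re.compile(
    r"^227 .*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d{1,5})\|\)")


def data_port(reply):
    """Return the TCP port a passive-mode reply tells the client to connect to."""
    m = PASV_RE.match(reply)
    if m:
        fields = [int(x) for x in m.groups()]
        if max(fields) > 255:
            raise ValueError(f"field out of range in {reply!r}")
        return fields[4] * 256 + fields[5]  # port = p1 * 256 + p2
    m = EPSV_RE.match(reply)
    if m:
        port = int(m.group(1))
        if not 0 < port <= 65535:
            raise ValueError(f"port out of range in {reply!r}")
        return port
    raise ValueError(f"not a passive-mode reply: {reply!r}")


def outside_range(replies, allowed):
    """List (reply, port) pairs whose data port falls outside the opened range."""
    low, high = allowed
    dropped = []
    for reply in replies:
        port = data_port(reply)
        if not low <= port <= high:
            dropped.append((reply, port))
    return dropped
```

    Run against replies collected from a test login, `outside_range` shows whether the server's passive range matches what the firewall allows.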

    FTP - over - HTTPS (SSL Tunnel) - Best for Secure Web-based Transfers

    Advantages:

    1. Uses up to 2048-bit SSL encryption
      • Username and password are encrypted, as opposed to being sent over the Internet as clear text, as with standard FTP.
      • Data files are sent over an encrypted channel. [Note - This may be user-selectable on stand-alone client software]
      • No one can snoop or sniff out your login information or the contents of your data files on the public Internet.
    2. Web browser based
      • Requires no software to be installed by the end user, except a Java Virtual Machine (a free plugin that most users already have).
      • Loads quickly and seamlessly in their web browser window, and is automatically unloaded when that window is closed.
    3. Users are jailed to their private FTP folders based upon username.
    4. Activity log keeps track of all user activity.
    5. HTTPS is firewall-friendly, so you should have no client-side issues to deal with.

    Disadvantages: [NONE]


    SFTP using SSH2 - Another choice for Secure and Automated Transfers

    Some standalone FTP client software offers "SFTP". SFTP is not a generic acronym for "Secure File Transfer Protocol"; the "S" stands for encryption using SSH (Secure SHell). Like FTPS, this is another secure protocol.

    Advantages:

    1. Uses up to 256-bit SSH2 encryption
      • Username and password are encrypted, as opposed to being sent over the Internet as clear text, as with standard FTP.
      • Data files are sent over an encrypted channel.
      • No one can snoop or sniff out your login information or the contents of your data files on the public Internet.
    2. Third party SFTP client software compatible
      • Many standalone SFTP client software packages can automate and schedule unattended transfers... a BIG ADVANTAGE.
      • Some of your users may already have SFTP client software and prefer it.
      • Firewall friendly since all commands and files are transferred over a single port -- TCP port 22.

    Disadvantages:

    1. Your end users will have to license and install SFTP software on their computers.
    2. You may also have to support your end users in installing, configuring and using their SFTP software.
    3. Most SFTP server deployments use OpenSSH/SFTP on the server, which does not jail a user inside of a particular folder based on their username & password authentication. Because of this lack of privacy among multiple users, SFTP is best deployed in a single-user environment. [see UPDATE below]
    4. SSH/SFTP keeps no log of user activity. There may therefore be no audit trail whatsoever. [see UPDATE below]

    UPDATE - As of April 1, 2010, FTP Today is the only service we are aware of that does NOT have the limitations described above in items 3 & 4.
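
    Items 3 and 4 above can be checked on a given server: OpenSSH releases that support the `ChrootDirectory` directive and the `-l` log-level option of the SFTP server can jail and log SFTP users, so an `sshd_config` can be audited for both. This is an added example, not part of the original article; the group name, paths and both sample configurations are constructed.

```python
# Log levels at which the OpenSSH SFTP server records file transactions.
LOGGING_LEVELS = {"INFO", "VERBOSE", "DEBUG", "DEBUG1", "DEBUG2", "DEBUG3"}

# Constructed configurations (group name and paths are hypothetical).
WEAK = """
Subsystem sftp /usr/lib/openssh/sftp-server
"""
HARDENED = """
Subsystem sftp internal-sftp -l INFO
Match Group sftpusers
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp -l INFO
    AllowTcpForwarding no
"""


def parse_blocks(text):
    """Split sshd_config text into a global block followed by Match blocks."""
    blocks = [("global", {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if key == "match":
            blocks.append((value, {}))
        else:
            blocks[-1][1].setdefault(key, value)  # first value seen wins
    return blocks


def logs_transfers(command):
    """True if the SFTP server command line sets -l to INFO or higher."""
    args = command.split()
    return any(a == "-l" and b.upper() in LOGGING_LEVELS
               for a, b in zip(args, args[1:]))


def audit_sftp(text):
    """Map each scope (Match blocks, else global) to its list of problems."""
    blocks = parse_blocks(text)
    report = {}
    for name, opts in blocks[1:] or blocks[:1]:
        merged = {**blocks[0][1], **opts}  # Match settings override global
        problems = []
        if merged.get("chrootdirectory", "none").lower() == "none":
            problems.append("no ChrootDirectory: users are not jailed")
        if not logs_transfers(merged.get("forcecommand") or merged.get("subsystem", "")):
            problems.append("no -l INFO or higher: transfers are not logged")
        report[name] = problems
    return report
```

    `ChrootDirectory` only takes effect when the directory and every parent are owned by root and not writable by others, so each user's upload folder has to sit below the jail root.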


    HTTPS (HTTP using SSL) - Not designed for File Transfer applications.

    Disadvantages:

    HTTPS is used in hosting websites with e-commerce applications. This is great for securing order forms while customers enter credit cards, but functions like user-authentication and folder privacy are not best handled by HTTP or HTTPS. The HTTPS protocol is not natively meant for transferring files. It is meant for displaying web content over a secure connection from a web browser to a web server.


    Martin Horan

    Martin, Sharetru's Founder, brings deep expertise in secure file transfer and IT, driving market niche success through quality IT services.
