Secure File Transfer Protocols: FTPS vs. SFTP vs. HTTPS

By: Martin Horan on January 2nd, 2005


The intent of this article is to explain how FTPS, SFTP and HTTPS protocols differ from one another, and the advantages and disadvantages of each method of encryption.


FTPS (FTP using SSL) - Best for Secure and Automated Transfers

Advantages:

  1. Uses 256-bit SSL encryption
    • Username and password are encrypted, as opposed to being sent over the Internet as clear text, as with standard FTP.
    • Data files are sent over an encrypted channel. [Note - This may be user-selectable on stand-alone client software]
    • No one can snoop or sniff out your login information or the contents of your data files on the public Internet.
  2. Third party FTPS client software compatible
    • Many standalone FTPS client software packages can automate and schedule unattended transfers... a BIG ADVANTAGE.
    • Some of your users may already have FTPS client software and prefer it to our web-based method (next).
  3. Users are jailed to their private FTP folders based upon username.
  4. Activity log keeps track of all user activity.

Disadvantages:

  1. Your end users will have to license and install FTP client software ($0 to $50) with FTPS capabilities.
  2. FTPS is not always "firewall-friendly", therefore you and your clients with firewalls may have to arrange for certain TCP/IP ports to be open to your FTP Today FTP site's IP address. This is not a major hurdle and our support staff will guide you.
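The note above that data-channel encryption may be user-selectable is worth checking in practice: with explicit FTPS the client must request TLS before logging in and must ask for a protected data channel, otherwise files still travel in the clear. The following is an added example, not code from the original article or from FTP Today; it audits a client-side session log, assuming explicit FTPS (AUTH TLS, PROT P per RFC 4217) and a hypothetical `C:`/`S:` log format with constructed sample sessions.

```python
import re

DATA_CMDS = {"STOR", "RETR", "APPE", "LIST", "NLST", "MLSD"}

def audit_ftp_session(lines):
    """Return (line_no, finding) pairs for one client-side control-channel log.

    Lines look like 'C: USER alice' (client) or 'S: 230 ok' (server).
    """
    tls = False      # control channel protected after a successful AUTH
    prot = "C"       # data channel level; RFC 4217 default is Clear
    pending = None   # last client command still awaiting its reply
    findings = []
    for n, line in enumerate(lines, 1):
        m = re.match(r"([CS]):\s*(\S+)\s*(.*)", line.strip())
        if not m:
            continue
        side, word, rest = m.groups()
        if side == "C":
            verb = word.upper()
            pending = (verb, rest.strip().upper())
            if verb in ("USER", "PASS") and not tls:
                findings.append((n, f"{verb} sent in clear text (no AUTH TLS)"))
            elif verb in DATA_CMDS and not (tls and prot == "P"):
                findings.append((n, f"{verb} data channel not encrypted (PROT {prot})"))
        elif pending:
            verb, arg = pending
            if verb == "AUTH" and word == "234":      # server accepted TLS
                tls = True
            elif verb == "PROT" and word == "200" and tls:
                prot = arg                            # "P" = private, "C" = clear
            pending = None
    return findings

# Constructed sample sessions (not captured from any real server).
GOOD = [
    "C: AUTH TLS", "S: 234 Proceed with negotiation",
    "C: USER alice", "S: 331 Password required",
    "C: PASS example-password", "S: 230 Logged in",
    "C: PBSZ 0", "S: 200 PBSZ=0",
    "C: PROT P", "S: 200 Protection set to Private",
    "C: STOR report.csv", "S: 150 Opening data connection",
    "S: 226 Transfer complete",
]
NO_PROT = [l for l in GOOD if "PROT" not in l.upper()]  # login protected, data not
PLAIN = GOOD[2:6] + GOOD[10:]                           # standard FTP, no TLS at all

if __name__ == "__main__":
    for name, log in (("GOOD", GOOD), ("NO_PROT", NO_PROT), ("PLAIN", PLAIN)):
        print(name, audit_ftp_session(log))
```

The `NO_PROT` session is the case to watch for in scheduled transfers: the login is encrypted, so the job looks secure, but the file contents are not.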

FTP-over-HTTPS (SSL Tunnel) - Best for Secure Web-based Transfers

Advantages:

  1. Uses up to 2048-bit SSL encryption
    • Username and password are encrypted, as opposed to being sent over the Internet as clear text, as with standard FTP.
    • Data files are sent over an encrypted channel. [Note - This may be user-selectable on stand-alone client software]
    • No one can snoop or sniff out your login information or the contents of your data files on the public Internet.
  2. Web browser based
    • Requires no software to be installed by the end user, except a Java Virtual Machine (a free plugin that most users already have).
    • Loads quickly and seamlessly in their web browser window, and is automatically unloaded when that window is closed.
  3. Users are jailed to their private FTP folders based upon username.
  4. Activity log keeps track of all user activity.
  5. HTTPS is firewall-friendly, therefore you should have no client-side issues to deal with.

Disadvantages: [NONE]


SFTP using SSH2 - Another choice for Secure and Automated Transfers

Some standalone FTP client software offers "SFTP". SFTP is not a generic acronym for "Secure File Transfer Protocol"; the "S" stands for encryption using SSH (Secure SHell). Like FTPS, this is another secure protocol.

Advantages:

  1. Uses up to 256-bit SSH2 encryption
    • Username and password are encrypted, as opposed to being sent over the Internet as clear text, as with standard FTP.
    • Data files are sent over an encrypted channel.
    • No one can snoop or sniff out your login information or the contents of your data files on the public Internet.
  2. Third party SFTP client software compatible
    • Many standalone SFTP client software packages can automate and schedule unattended transfers... a BIG ADVANTAGE.
    • Some of your users may already have SFTP client software and prefer it.
    • Firewall friendly since all commands and files are transferred over a single port -- TCP port 22.

Disadvantages:

  1. Your end users will have to license and install SFTP software on their computers.
  2. You may also have to support your end users in installing, configuring and using their SFTP software.
  3. Most SFTP server deployments use OpenSSH/SFTP on the server, which does not jail a user inside of a particular folder based on their username & password authentication. Because of this lack of privacy among multiple users, SFTP is best deployed in a single-user environment. [see UPDATE below]
  4. SSH/SFTP keeps no log of user activity. There may therefore be no audit trail whatsoever. [see UPDATE below]

UPDATE - As of April 1, 2010, FTP Today is the only service we are aware of that does NOT have the limitations described above in items 3 & 4.


HTTPS (HTTP using SSL) - Not designed for File Transfer applications.

Disadvantages:

HTTPS is used in hosting websites with e-commerce applications. This is great for securing order forms while customers enter credit cards, but functions like user-authentication and folder privacy are not best handled by HTTP or HTTPS. The HTTPS protocol is not natively meant for transferring files. It is meant for displaying web content over a secure connection from a web browser to a web server.

About Martin Horan

Founder of FTP Today and an expert in secure file transfer and Internet protocols. A software and IT geek since a young age, Martin has successfully led his companies through the digital age by spotting market niches and filling them with quality IT services.
