FTPS (FTP over SSL) versus SFTP (SSH File Transfer Protocol) – What to Choose


File transfer over the network using the FTP protocol (defined by RFC 959 and later additions) has its roots in the year 1980, when the initial RFC for the FTP protocol was published. FTP provides functions to upload, download and delete files, create and delete directories, and read directory contents. While FTP is very popular, it has certain disadvantages that make it harder to use.

The major drawbacks are the lack of a uniform format for directory listings (this problem has been partially solved by the introduction of the MLST command, but it is not supported by some servers) and the presence of a secondary connection (the DATA connection). Security in FTP is provided by using the SSL/TLS protocol for channel encryption, as defined in RFC 2228. The secure version of FTP is named FTPS.
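The secondary DATA connection in practice, as an added example that is not part of the original article: the server names the data endpoint inside a control-channel reply, and once that channel is encrypted with SSL/TLS a firewall in the path can no longer read the reply to learn which port to allow. The sample replies and addresses are constructed, and `pasv_host_mismatch` is a hypothetical helper name.

```python
from __future__ import annotations
import ipaddress
import re

# 227 reply (RFC 959 PASV): six decimal numbers h1,h2,h3,h4,p1,p2
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# 229 reply (RFC 2428 EPSV): (|||port|), one delimiter character repeated
EPSV_RE = re.compile(r"\((.)\1\1(\d{1,5})\1\)")


def data_endpoint(reply: str, control_peer: str) -> tuple[str, int]:
    """Return the (host, port) the client must reach for the DATA connection."""
    code = reply[:3]
    if code == "227":
        m = PASV_RE.search(reply)
        if not m:
            raise ValueError("malformed 227 reply")
        nums = [int(g) for g in m.groups()]
        if max(nums) > 255:
            raise ValueError("value out of range in 227 reply")
        return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]
    if code == "229":
        m = EPSV_RE.search(reply)
        if not m or not 0 < int(m.group(2)) < 65536:
            raise ValueError("malformed 229 reply")
        # EPSV carries only a port; the host is the control-connection peer.
        return control_peer, int(m.group(2))
    raise ValueError(f"not a passive-mode reply: {code!r}")


def pasv_host_mismatch(reply: str, control_peer: str) -> bool:
    """True when the reply advertises a private address that differs from the
    control peer, the usual sign of a server behind NAT."""
    host, _ = data_endpoint(reply, control_peer)
    return host != control_peer and ipaddress.ip_address(host).is_private


# Constructed sample replies; 203.0.113.10 is a documentation address.
CONTROL_PEER = "203.0.113.10"
PASV_REPLY = "227 Entering Passive Mode (10,0,0,5,195,80)"
EPSV_REPLY = "229 Entering Extended Passive Mode (|||6446|)"

if __name__ == "__main__":
    for r in (PASV_REPLY, EPSV_REPLY):
        print(r, "->", data_endpoint(r, CONTROL_PEER))
```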

On UNIX systems another security standard grew up: the SSH family of protocols. The primary function of SSH was to secure remote shell access to UNIX systems. Later, SSH was extended with file transfer protocols: first SCP (in SSH 1.x), then SFTP (in SSH2). Version 1 of the SSH protocol is outdated, insecure and generally not recommended for use. Consequently, SCP is not used anymore and SFTP gains popularity day by day.

The abbreviation “SFTP” is often mistakenly used to refer to some kind of Secure FTP, by which people most often mean FTPS. Another (similar) mistake is that SFTP is thought to be some kind of FTP over SSL. In fact, SFTP is an abbreviation of “SSH File Transfer Protocol”. It is not FTP over SSL and not FTP over SSH (which is also technically possible, but very rare).

SFTP is a binary protocol, the latest version of which is standardized in RFC 4253. All commands (requests) are packed into binary messages and sent to the server, which replies with binary reply packets. In later versions, SFTP has been extended to provide not just file upload/download operations, but also some file-system operations, such as file lock, symbolic link creation and so forth.
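The binary framing described above, as an added example that is not part of the original article: it builds two requests and decodes them into text lines of the kind an audit log would need, since the wire bytes cannot be logged as they are. The packet layout and type numbers follow the SFTP version 3 draft (draft-ietf-secsh-filexfer-02); the function names, path and request id are constructed for illustration.

```python
import struct

# Packet type numbers from the SFTP version 3 draft (subset).
FXP_NAMES = {1: "INIT", 2: "VERSION", 3: "OPEN", 4: "CLOSE", 5: "READ", 6: "WRITE",
             11: "OPENDIR", 13: "REMOVE", 14: "MKDIR", 15: "RMDIR", 101: "STATUS"}
PATH_FIRST = {3, 11, 13, 14, 15}  # requests whose first field is a path


def sftp_string(data: bytes) -> bytes:
    """SSH 'string': uint32 length followed by the raw bytes."""
    return struct.pack(">I", len(data)) + data


def build_packet(ptype: int, body: bytes) -> bytes:
    """uint32 length, one type byte, then the type-specific body."""
    return struct.pack(">IB", len(body) + 1, ptype) + body


def describe(packet: bytes) -> str:
    """Render one binary SFTP packet as a line suitable for a text log."""
    if len(packet) < 9:
        raise ValueError("packet too short")
    length, ptype = struct.unpack(">IB", packet[:5])
    if length != len(packet) - 4:
        raise ValueError("length field does not match packet size")
    body = packet[5:]
    name = FXP_NAMES.get(ptype, f"type {ptype}")
    (first,) = struct.unpack(">I", body[:4])
    if ptype in (1, 2):  # INIT/VERSION carry a version, not a request id
        return f"{name} version={first}"
    line = f"{name} id={first}"
    if ptype in PATH_FIRST:
        if len(body) < 8 or len(body) < 8 + struct.unpack(">I", body[4:8])[0]:
            raise ValueError("truncated path field")
        (n,) = struct.unpack(">I", body[4:8])
        line += f" path={body[8:8 + n].decode('utf-8', 'replace')!r}"
    return line


# Constructed sample packets (not captured traffic).
SAMPLE_INIT = build_packet(1, struct.pack(">I", 3))
SAMPLE_OPEN = build_packet(3, struct.pack(">I", 7)
                           + sftp_string(b"/upload/report.csv")
                           + struct.pack(">II", 0x01, 0))  # pflags=READ, no attrs

if __name__ == "__main__":
    print(describe(SAMPLE_INIT), describe(SAMPLE_OPEN), sep="\n")
```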

Both FTPS and SFTP use a combination of asymmetric algorithms (RSA, DSA), symmetric algorithms (DES/3DES, AES, Twofish and so forth) and key-exchange algorithms. For authentication, FTPS (or, to be more precise, the SSL/TLS protocol under FTP) uses X.509 certificates, while SFTP (the SSH protocol) uses SSH keys.

X.509 certificates include the public key and certain information about the owner of the certificate. This information lets the other side verify the integrity of the certificate itself and the authenticity of the certificate owner. Verification can be done both by computer and, to some extent, by humans. An X.509 certificate has an associated private key, which is usually stored separately from the certificate for security reasons.

An SSH key contains only a public key (the associated private key is stored separately). It doesn’t contain any information about the owner of the key. Neither does it contain information that lets one reliably validate its integrity and authenticity. Some SSH software implementations use X.509 certificates for authentication, but in fact they don’t validate the whole certificate chain – only the public key is used (which makes such authentication incomplete and similar to SSH key authentication).
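What the paragraph above describes, shown on the OpenSSH public key line format as an added example that is not part of the original article: the key blob holds only an algorithm name and key material, and the comment sits outside the blob and is not covered by the fingerprint, so trust has to come from comparing the fingerprint with a value obtained out of band. The key bytes, comments and function names are constructed sample data, not a real key.

```python
import base64
import hashlib
import struct


def parse_key_line(line: str):
    """Split an OpenSSH public key line into (type, blob, comment)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)
    return parts[0], blob, parts[2] if len(parts) > 2 else ""


def blob_fields(blob: bytes):
    """Decode the length-prefixed fields that make up the key blob."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + n > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[pos:pos + n])
        pos += n
    return fields


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint as OpenSSH prints it: base64 without padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def make_line(key: bytes, comment: str) -> str:
    """Build a key line from constructed bytes (sample data, not a real key)."""
    blob = b"".join(struct.pack(">I", len(f)) + f for f in (b"ssh-ed25519", key))
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Same constructed key material under two different, unauthenticated comments.
LINE_A = make_line(bytes(range(32)), "backup@fileserver")
LINE_B = make_line(bytes(range(32)), "someone-else@elsewhere")

if __name__ == "__main__":
    for line in (LINE_A, LINE_B):
        _, blob, comment = parse_key_line(line)
        print(fingerprint(blob), [len(f) for f in blob_fields(blob)], comment)
```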

Here’s a brief list of the pros and cons of the two protocols:

FTPS pros

Widely known and used
The communication can be read and understood by a human
Provides services for server-to-server file transfer
SSL/TLS has good authentication mechanisms (X.509 certificate features)
FTP and SSL/TLS support is built into many internet communication frameworks

FTPS cons

Doesn’t have a uniform directory listing format
Requires a secondary DATA channel, which makes it hard to use behind firewalls
Doesn’t define a standard for file name character sets (encodings)
Not all FTP servers support SSL/TLS
Doesn’t have a standard way to get and change file and directory attributes

SFTP pros

Has a good standards background which strictly defines most (if not all) aspects of operations
Has only one connection (no need for a DATA connection)
The connection is always secured
The directory listing is uniform and machine-readable
The protocol includes operations for permission and attribute manipulation, file locking and more functionality

SFTP cons

The communication is binary and can’t be logged “as is” for human reading
SSH keys are harder to manage and validate
The standards define certain things as optional or recommended, which leads to certain compatibility problems between different software titles from different vendors
No server-to-server copy and recursive directory removal operations
No built-in SSH/SFTP support in VCL and .NET frameworks

What to choose

As usual, the answer depends on what your goals and requirements are. In general, SFTP is technologically superior to FTPS. Of course, it’s a good idea to implement support for both protocols, but they differ in concepts, in supported commands and in many other things.

It’s a good idea to use FTPS when you have a server that needs to be accessed from particular devices (smartphones, PDAs and so forth) or from certain operating systems which have FTP support but don’t have SSH/SFTP clients. If you are building a custom security solution, SFTP is probably the better choice.

As for the client side, the requirements are defined by the server(s) that you plan to connect to. When connecting to Internet servers, SFTP is more popular because it’s supported by Linux and UNIX servers by default.

For a private host-to-host transfer you can use both SFTP and FTPS. For FTPS you would need to find free FTPS client and server software or purchase a license for a commercial one. For SFTP support you can install the OpenSSH package, which provides free client and server software.

Developer tools

If you are a software developer and need to implement file transfer capability in your application, you will be looking for components to do the job.

In .NET you have built-in support for FTPS in the .NET Framework (see the FtpWebRequest class). However, the functionality of this class is severely limited, especially in the SSL/TLS control aspect.

.NET Framework doesn’t include any support for SSH or SFTP.

In VCL you have a choice of free components and libraries which provide FTP functionality. When you add OpenSSL to them, you can get FTPS for free. If you don’t want to deal with OpenSSL DLLs, you can use one of the commercially available libraries for SSL and FTPS support. Again, there are no freeware SFTP components available for VCL.

If you use a tool that requires you to work with ActiveX controls, you need to look for commercial FTPS or SFTP controls. No free controls are available.
