Transferring Files – FTP, SFTP and FTPS
There are numerous ways to transfer files these days, the oldest and still very widely used method is FTP. FTP stands for File Transfer Protocol and was defined as early as 1971 in the very early days of the experimental Internet.
It has endured and morphed as the Internet has grown. FTP in its original form is still a handy file transfer option and its two main variants SFTP and FTPS are commonly used as a secure method of transferring files also.
However SFTP and FTPS use two very different technology implementations and your hosting provider may not support all options.
This variant of FTP uses Transport Layer Security (SSL/TLS) to secure data. Take note though that SSL is very broken in terms of security and has now been disabled by most hosting providers (see our article on the Poodle Exploit https://www.conetix.com.au/blog/ssl-new-exploits-takes-bite for more information). There are two modes to the FTPS protocol, one is called “explicit” the other “implicit”.
In “explicit” mode, the client (you) can either initiate secured or un-secured transfers, providing the sever is configured to support this.
In “Implicit” mode your FTP client must negotiate a secure transfer or fail the connection.
There is one other “gotcha” with FTPS and that is the “Well Known Ports” used by the client. A standard FTP client communicates control with the server on port 21, FTPS normally uses port 990 and the data comes back on port 989, however FTPS can be implemented to use port 20 and 21 for both FTP and FTPS sessions. Generally Implicit mode is considered a deprecated method of negotiating TLS/SSL for FTP.
Because FTPS uses TLS as its underlying security it does require a valid TLS security certificate issued and signed by a Certificate Authority to be accepted without any error.
This method of file transfer uses SSH to transfer encrypted data. SSH stands for “Secure Shell” and is a cryptographic protocol for securing data communications. It is responsible for establishing a secure channel over an insecure network between the client (you) and the server. SSH used a public-key cryptography protocol like TLS does but very different in overall implementation.
SFTP is not FTP with SSH security, its a different protocol all together designed from the ground up by the Internet Engineering Task Force (IETF) allowing a range of operations on remote files. It uses Port 22 which can often be blocked by web hosting companies as SSH can be compromised by brute forced given enough time (just as any protocol can). But as SSH is used to grant access to a terminal session the risk of compromise is far higher than some other protocols.
From a setup and firewall point of view SFTP only requires a single Port to be opened, the SSH port on 22.
What is the right FTP for me?
Generally if you are at home using a home ADSL link to your provider, a plain FTP session will be highly unlikely to be subject to any interception by third parties, however the authentication details are passed in clear text and for this I would suggest to err on the side of caution and not use plain FTP. If you are not sure of the route your Internet connectivity travels then definitely secure your connection, use SFTP at a minimum from any home ADSL connection or Home Wifi router.
If you are travelling and using mobile WiFi hotspots then SFTP will be very safe but make sure you test it from home first by connecting to all the servers you need to access prior to travel. By doing this you download a copy of the certificate of the target server and its permanently stored in your FTP client, if a “Man in the middle” attack is attempted while you are travelling then the SSH certificate from the server will be different and your FTP client will display a Warning message. In that case do not accept the new certificate and abandon the connection attempt. Just as a side note. if you are travelling and checking email, use a web interface not your email client as most email authentication data is also in clear text.
FTPS can also be used but its not always implemented by hosting providers so you need to check this before you need it while travelling. FTPS is generally easier to setup on mobile devices and tablets but it does require more network ports to be opened and so is less versatile than SFTP. FTPS can be subjected to man-in-the-middle attacks.
As a general rule I use SFTP and SSH for secure access requirements.