
After reading through this tutorial I still have a persistent question.

In the beginning of the article the writer says:

Warning: FTP is inherently insecure! Consider using SFTP instead of FTP.

I am assuming that he might mean FTPS (as I think that is what his article explains but I am not sure).

However, at the bottom of the article, which is all about how to use vsftpd over SSL/TLS he shows an image that looks like this:

(screenshot: ftp login)

Where you can quite clearly see that the Encryption is set to "Require explicit FTP over TLS". So, is this any different than using FTPS and if it is, what is the difference?

Startec

2 Answers

SFTP and FTP are, in fact, different protocols. SFTP is actually built on top of SSH, the Secure SHell protocol, while FTP-over-SSL (aka FTPS) is simply vanilla FTP over an encrypted transport-layer connection, the same as HTTPS is HTTP over an encrypted connection.

If I'm not mistaken, it would be possible for a plain-FTP client to connect through an SSL proxy to an FTPS-enabled server, or for an FTPS client to connect to a plain FTP server hiding behind an SSL proxy server. The same does not hold for SFTP; it must be implemented at both endpoints.

The relative merits I leave for others to discuss, but (as I understand it) SSH/SFTP's handling of credentials is much simpler on small networks.

Darwin von Corax

There are two ways in which an FTPS session can be established: explicit (also called FTPES) and implicit.
They both accomplish the same thing (FTP over SSL), but vary on how the connection is initiated.

Explicit: Client connects to the standard FTP port (21) with a regular FTP connection, and then a command is sent by the client requesting to upgrade the connection to SSL, allowing the connection to fall back to a regular FTP session if requested by the client.

Implicit: Client connects to the default port 990, and an SSL session is established as soon as the client connects to the server.
The entire session is encrypted and only SSL sessions are allowed.

Edit:
The diagram below (from globalscape.com) nicely illustrates the differences: (diagram: Explicit vs Implicit)

As for which to choose, well this depends on your requirements.
See the two below excerpts:

Both Implicit and Explicit FTPS offer comparable levels of encryption (assuming that with Explicit FTPS you choose the option to encrypt both the data and control channels).

From a practical standpoint, Explicit FTPS offers some advantages that make it a superior choice. For example:

  • It is the standard, supported version of FTPS and is more likely to be widely supported well into the future.
  • It uses the same ports as plain FTP, so requires no additional firewall configuration (assuming your firewall is already configured for plain FTP).

(Source: Robo-FTP web page)

Implicit FTPS consumes a lot of network bandwidth and computational resources because encryption happens in both the command and data channels. In a scenario where a user wants to upload non-confidential files to the FTPS server, an explicit FTPS connection would be used instead of an implicit FTPS connection.

In Explicit FTPS, the client directly requests security from the FTPS server. This is an optional request. If a client does not request security, the FTPS server can either allow the client to continue in unsecure mode or refuse or limit the connection.

Explicit FTPS can be used in scenarios where the requirement is to secure only the command channel (which carries the commands and user authentication) and not the data channel (which carries non-confidential FTP data). Port 21 is the default port used by the FTP server to communicate with the client. This allows both unsecure FTP and secure FTPS clients to connect to the FTPS server.

For organizations adhering to federal regulatory compliance standards, implicit FTPS is recommended.

(Source: Serv-U web page)
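As an added example (not from either answer or the quoted vendor pages), the checker below walks a control-channel transcript and reports whether a session actually protected the control channel, the data channel and the login, which is exactly the "encrypt both the data and control channels" assumption the first excerpt makes about explicit FTPS. The command names AUTH TLS, PBSZ, PROT and CCC are the RFC 4217 ones; the transcript lines, the line format and the function name are my own construction.

```python
import re

# One line per message: "C: <command>" from the client, "S: <reply>" from the server.
LINE = re.compile(r"^(?P<dir>[CS]): (?P<text>.*)$")

def classify_session(transcript, implicit=False):
    """Report which parts of an FTP session were actually protected.
    Explicit FTPS (port 21) starts in the clear: AUTH TLS protects the control
    channel, and only PBSZ 0 + PROT P protects the data channel (RFC 4217).
    implicit=True models the implicit-TLS port (990): TLS is up before the
    first command, so both channels start out encrypted."""
    state = {"control_encrypted": implicit, "data_encrypted": implicit,
             "plaintext_login": False}
    pending = None  # last client command still waiting for its reply
    for line in transcript:
        m = LINE.match(line)
        if not m:
            continue
        text = m.group("text").strip()
        if m.group("dir") == "C":
            verb, _, arg = text.partition(" ")
            pending = (verb.upper(), arg.strip().upper())
            if pending[0] in ("USER", "PASS") and not state["control_encrypted"]:
                state["plaintext_login"] = True  # credentials crossed the wire unencrypted
            continue
        code = text[:3]
        if pending is None or not code.isdigit():
            continue  # banner or continuation line, not a reply to a command
        verb, arg = pending
        pending = None
        if verb == "AUTH" and arg in ("TLS", "SSL") and code == "234":
            state["control_encrypted"] = True  # the TLS handshake follows this reply
        elif verb == "PROT" and code.startswith("2"):
            # PROT P = private (encrypted) data channel; PROT C = back to clear
            state["data_encrypted"] = arg == "P" and state["control_encrypted"]
        elif verb == "CCC" and code.startswith("2"):
            state["control_encrypted"] = False  # client dropped TLS on the control channel
    return state

# Constructed transcripts (not captured from a real server); replies mimic vsftpd's wording.
BANNER = ["S: 220 (constructed) FTP server ready."]
LOGIN = ["C: USER alice", "S: 331 Please specify the password.",
         "C: PASS s3cret", "S: 230 Login successful."]
AUTH_TLS = ["C: AUTH TLS", "S: 234 Proceed with negotiation."]
PROT_P = ["C: PBSZ 0", "S: 200 PBSZ set to 0.", "C: PROT P", "S: 200 PROT now Private."]
PLAIN_FTP = BANNER + LOGIN                            # plain FTP: everything in the clear
EXPLICIT_NO_PROT = BANNER + AUTH_TLS + LOGIN          # explicit FTPS, data channel left in the clear
EXPLICIT_PROT_P = BANNER + AUTH_TLS + PROT_P + LOGIN  # explicit FTPS, both channels protected
```

On vsftpd, force_local_logins_ssl=YES and force_local_data_ssl=YES make the server refuse the PLAIN_FTP and EXPLICIT_NO_PROT shapes outright instead of leaving the choice to the client.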