
FTP, SFTP, FTPS – what the heck is the difference?

Since we changed things so that cPanel logins can no longer be used as FTP logins, it has come to our attention that this is confusing the heck out of y’all. So, let’s go over this in plain English and try to get y’all up to speed.


So, FTP is “File Transfer Protocol”. We have an FTP server running on Port 21 called Pure-FTP, and it handles file transfers and FTP logins. You can simply connect to it with an FTP login by naming your domain as the server, the server name as the server, an IP address on the server, your neighbor’s domain name as the server… In short, you can choose anything at all that resolves to the server as long as it points to the server so that your FTP client knows that it should go knock on the door that-a-way at the right end machine.


UNLESS you want to use FTP over SSL (FTPS aka “File Transfer Protocol - Secure” or “File Transfer Protocol - SSL”) – if you want to use FTP over SSL, you MUST use the server name because FTPS will use SSL encryption, and the certificate that is registered in the Pure-FTP server is issued for the server’s name. If you choose your domain name, you’ll likely get an error and it won’t work. The above two options run on the FTP server and, because you can use FTP logins with encryption or without encryption, you cannot use your cPanel login to log in either of the above ways.
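Why the domain name fails and the server name works under FTPS, as an added example (not from the original post): a simplified model of the name check a certificate-verifying client performs. The hostnames, the address and the certificate contents are constructed placeholders.

```python
import ipaddress

# Constructed certificate in the dict shape returned by ssl.SSLSocket.getpeercert().
# The names below are placeholders, not values from the original post.
SERVER_CERT = {
    "subjectAltName": (("DNS", "server42.hosting-provider.example"),),
}

def _dns_match(pattern, host):
    """Exact match, or '*' as the entire left-most label standing for one label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Require at least two fixed labels after the wildcard.
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def name_accepted(cert, target):
    """True if `target` (what you typed as the server) is covered by the cert."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP target only matches IP entries, never DNS entries.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    return any(kind == "DNS" and _dns_match(value, target)
               for kind, value in sans)

def check_targets(cert, targets):
    """Map each way of naming the server to whether the name check passes."""
    return {t: name_accepted(cert, t) for t in targets}

if __name__ == "__main__":
    ways_to_name_the_server = [
        "server42.hosting-provider.example",  # the server's own name
        "customer-domain.example",            # your domain, same machine
        "192.0.2.10",                         # an IP address on the server
    ]
    for name, ok in check_targets(SERVER_CERT, ways_to_name_the_server).items():
        print(f"{name:40} {'accepted' if ok else 'certificate name mismatch'}")
```

All three names reach the same machine, which is why plain FTP accepts any of them; only the name written in the certificate passes once the client verifies it.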


The FTP in SFTP still means “File Transfer Protocol”, and the S makes it “Secure File Transfer Protocol” (though originally it was “SSH File Transfer Protocol”), which you would think bears some relation to “File Transfer Protocol - Secure” or maybe is the same thing as “File Transfer Protocol - Secure” and different people just like to stick the S on different sides of the FTP for whatever reason. But you would be wrong. :) SFTP is not a part of Pure-FTP, doesn’t run through the FTP server software at all, and isn’t a part of FTP in any traditional FTP protocol sense. If you try to log in via SFTP to the FTP port you won’t be able to do it because it ain’t there. While the name is similar, and it looks almost identical, it’s actually completely different and operates over an entirely different service.
Secure Shell or SSH is a network protocol that allows data to be exchanged using a secure channel between two networked devices.[1] Used primarily on GNU/Linux and Unix based systems to access shell accounts, SSH was designed as a replacement for Telnet and other insecure remote shells, which send information, notably passwords, in plaintext, rendering them susceptible to packet analysis.[2] The encryption used by SSH provides confidentiality and integrity of data over an insecure network, such as the Internet. (From Wikipedia)
On cPanel hosts that offer shell access, generally only your cPanel login is a true Unix user and therefore your cPanel login is the only login you have that has SFTP access. If you do not have a hosting account with shell access, you do not have SFTP access and have to transfer your files via FTP or FTPS. If you have shell access on your hosting account, though, you have SFTP available to you and there are a multitude of reasons to use it.

In general, SFTP is technologically superior to FTPS. An FTPS connection starts off in a non-encrypted state, whereas an SFTP connection begins encrypted and there is no falling back to an unencrypted session. One of the benefits nowadays with traffic shaping is that while ISPs have caught on to throttling on FTP ports because large files are often sent there, they do not have the same attitude towards SFTP traffic, and those people sending files from bandwidth-throttling ISPs will likely find far superior performance using SFTP. SFTP is gaining steam as the most preferred method of secure file transfer, particularly in infrastructures that favor Unix, though SFTP is quickly gaining steam in Windows environments as well.

To Recap

FTP: You use it on Port 21, you only log in with a sub-account you created, and your entire session is unencrypted from your login to the files that you transfer. This is highly insecure and whenever you connect this way or when you store FTP passwords in plain text in popular programs, you’re waving a flag for the hackers to come get you or to take a spin around your site. Using packet sniffing, a hacker can capture sensitive data such as username and password information, which is generally transmitted in clear text, thus compromising the security of your site. If you’re getting the idea this is like leaving your house wide open with your plasma TV in view while going to the movies after relying on the fact that you’ve never been robbed before to predict that your plasma TV will be home when you get home, you’re pretty much on target. If you have no firewall/virus protection running all the time as you traverse the Internet, then add a “Please rob me!” sign on your front door.

FTPS: Preferable to driving your files naked across the Internet while waving your password in the open like a flag, FTPS still begins the session unencrypted and so it’s still not great, but it’s better than where you were before. If you have multiple people that need access to multiple parts of your site, this is the most secure alternative, and is the encrypted way to connect FTP subaccounts.

SFTP: It looks like FTP, works kinda like FTP, but it isn’t FTP – it’s an FTP-like interface to the Unix shell account that will only work with a Unix shell enabled login, which is your cPanel login. SFTP is a bit more firewall friendly because it uses only one port and it’s also a bit more secure than FTPS because everything from beginning to end is encrypted. It’s also generally a bit faster.
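To make the FTP and FTPS entries of the recap concrete, here is an added example (not from the original post) that audits a client-side session log and reports what crossed the network unencrypted. The logs, user name and file name are constructed; the commands and reply codes (AUTH TLS answered with 234, PROT P answered with 200) follow RFC 4217, and the data-channel check goes one step beyond what the post covers.

```python
# Constructed client logs: (command sent, server reply code), in order.
PLAIN_FTP = [("USER webdev", 331), ("PASS ********", 230),
             ("STOR index.html", 226)]
FTPS_NO_PROT = [("AUTH TLS", 234), ("USER webdev", 331),
                ("PASS ********", 230), ("STOR index.html", 226)]
FTPS_FULL = [("AUTH TLS", 234), ("PBSZ 0", 200), ("PROT P", 200),
             ("USER webdev", 331), ("PASS ********", 230),
             ("STOR index.html", 226)]
FTPS_REFUSED = [("AUTH TLS", 502), ("USER webdev", 331),
                ("PASS ********", 230)]

# Commands that open a data connection (file contents or listings).
TRANSFER_VERBS = {"RETR", "STOR", "APPE", "LIST", "NLST", "MLSD"}

def audit_session(log):
    """Report which parts of an FTP/FTPS session were sent unencrypted."""
    control_encrypted = False  # True once the server accepts AUTH TLS (234)
    data_protected = False     # True once PROT P is accepted over TLS (200)
    findings = {"cleartext_commands": [], "credentials_in_clear": False,
                "cleartext_transfers": []}
    for command, reply in log:
        verb, _, arg = command.partition(" ")
        verb = verb.upper()
        # Anything sent before TLS is up is readable on the wire.
        if not control_encrypted:
            findings["cleartext_commands"].append(verb)
            if verb in ("USER", "PASS"):
                findings["credentials_in_clear"] = True
        if verb == "AUTH" and reply == 234:
            control_encrypted = True
        elif verb == "PROT" and reply == 200:
            data_protected = control_encrypted and arg.strip().upper() == "P"
        elif verb in TRANSFER_VERBS and not data_protected:
            # Login may be encrypted while the file itself is not.
            findings["cleartext_transfers"].append(command)
    return findings

if __name__ == "__main__":
    for name, log in [("plain FTP", PLAIN_FTP), ("FTPS, no PROT P", FTPS_NO_PROT),
                      ("FTPS, PROT P", FTPS_FULL), ("AUTH refused", FTPS_REFUSED)]:
        print(name, audit_session(log))
```

The `FTPS_REFUSED` case is the one to watch for in client settings: a client that continues after the server declines AUTH TLS sends the login exactly as plain FTP would.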

