FTP, SFTP, FTPS – what the heck is the difference?

FTP Since we changed using cPanel logins and made them unable to be used as FTP, it has come to our attention that this is confusing the heck out of ya’all.

So, let’s go over this in plain English and try to get ya’ll up to speed.

FTP

So, FTP is “File Transfer Protocol”. We have an FTP server running on Port 21 called Pure-FTP, and it handles file transfers and FTP logins.

You can simply connect to it with an FTP login by naming your domain as the server, the server name as the server, an IP address on the server, your neighbor’s domain name as the server… In short, you can choose anything at all that resolves to the server as long as it points to the server so that your FTP client knows that it should go knock on the door that-a-way at the right end machine.

FTPS

UNLESS you want to use FTP over SSL (FTPS aka “File Transfer Protocol – Secure” or “File Transfer Protocol – SSL”) – if you want to use FTP over SSL, you MUST use the server name because FTPS will use SSL encryption, and the certificate that is registered in the Pure-FTP server is the server’s name. If you choose your domain name, you’ll likely get an error and it won’t work.

The above two options run on the FTP server and because you can use FTP logins with encryption or without encryption, you cannot use your cPanel Login to login in either of the above ways.

SFTP

The FTP in SFTP still means “File Transfer Protocol”, and the S makes it “Secure File Transfer Protocol” (though originally it was “SSH File Transfer Protocol”) which you would think bears some relation to “File Transfer Protocol – Secure” or maybe is the same thing as “File Transfer Protocol – Secure” and different people just like to stick the S on different sides of the FTP for whatever reason.

But you would be wrong. :)

SFTP is not a part of Pure-FTP, doesn’t run though the FTP server software at all, and isn’t a part of FTP in any traditional FTP protocol sense. If you try and login via SFTP to the FTP port you won’t be able to do it because it ain’t there. While the name is similar, and it looks almost identical, it’s actually completely different and operates over an entirely different service.

Secure Shell or SSH is a network protocol that allows data to be exchanged using a secure channel between two networked devices.[1] Used primarily on GNU/Linux and Unix based systems to access shell accounts, SSH was designed as a replacement for Telnet and other insecure remote shells, which send information, notably passwords, in plaintext, rendering them susceptible topacket analysis.[2] The encryption used by SSH provides confidentiality and integrity of data over an insecure network, such as the Internet. (From Wikipedia)

On cPanel hosts that offer shell access, generally only your cPanel login is a true Unix user and therefore your cPanel login is the only login you have that has SFTP access. If you do not have a hosting account with shell access, you do not have SFTP access and have to transfer your files via FTP or FTPS, and you cannot use SFTP. If you have shell access on your hosting account, though, you have SFTP available to you and there are a multitude of reasons to use it.

In general, SFTP is technologically superior to FTPS. An FTPS connection starts off in a non-encrypted state, whereas an SFTP connection begins encrypted and there is no going to an unencrypted session. One of the benefits nowadays with traffic shaping is that while ISP’s have caught on to throttling on FTP ports because large files are often sent there, they do not have the same attitude towards SFTP traffic and those people sending files from bandwidth throttling ISPs will likely find far superior performance using SFTP.

SFTP is gaining steam as the most preferred method of secure file transfer, particularly in infrastructures that favor Unix, though SFTP is quickly gaining steam in Windows environments as well.

To Recap

FTP: You use it on Port 21, you only log in with a sub-account you created, and your entire session is unencrypted from your login to the files that you transfer. This is highly insecure and whenever you connect this way or when you store FTP passwords in plain text in popular programs, you’re waving a flag for the hackers to come get you or to take a spin around your site. Using packet sniffing a hacker can capture sensitive data such as username and password information which is generally transmitted in clear text, thus, compromising the security of your site.

If you’re getting the idea this is like leaving your house wide open with your plasma TV in view while going to the movies after relying on the fact that you’ve never been robbed before to predict that your plasma TV will be home when you get home, you’re pretty much on target. If you have no running firewall/virus protection on all the time as you traverse the Internet, then add a “Please rob me!” sign on your front door.

FTPS: Preferable to driving your files naked across the Internet while waving your password in the open like a flag, FTPS still begins the session unencrypted and so its still not great, but its better than where you were before. If you have multiple people that need access to multiple parts of your site, this is the most secure alternative, and is the encrypted way to connect FTP subaccounts.

SFTP: It looks like FTP, works kinda like FTP, but it isn’t FTP – it’s an FTP like interface to the Unix shell account that will only work with a Unix shell enabled login, which is your cPanel login. SFTP is a bit more firewall friendly because it uses only one port and it’s also a bit more secure than FTPS because everything from beginning to end is encrypted. Its also generally a bit faster.

5 Responses to FTP, SFTP, FTPS – what the heck is the difference?

  1. mythicwd says:
    March 22, 2010 at 3:44 pm.

    Let's make this a little bit more plain English, because if I weren't a professional web developer, I don't think I would understand the significance of what was posted above.

    If, like me, you're wondering why you suddenly can't login to FTP, it's because you now need to login to your CPanel and manually create an FTP login first. The FTP login CAN NOT be the same as your CPanel login. Once you do this, and update your FTP program with the new login info, everything will be right as rain.

  2. Jen Lepp says:
    March 22, 2010 at 4:00 pm.

    Actually, we did that blog post already here: http://www.asmallorange.com

    This was just a follow up because we noticed a lot of folks were having trouble understanding the difference between SFTP and FTPS. :)

  3. Jen Lepp says:
    March 22, 2010 at 4:21 pm.

    I tend to forget that not everyone reads EVERY single blog post – I put a link up to the original post, so thanks for pointing that out. ;)

  4. mythicwd says:
    March 22, 2010 at 4:19 pm.

    … Oops. Guess I missed that one.

    Glad to see you're on the ball!


    Corey Caswick
    Mythic Web Design
    Making the Web Affordable for Small Business

    corey@mythicwebdesign.com
    http://www.mythicwebdesign.com
    608-554-0447

  5. Shawn_09 says:
    March 22, 2010 at 11:45 pm.

    Thanks! very good post.

    Regarding Firewalls and FTPS:

    Brief:
    Unless your only firewall is personal-firewall-software running on your computer, you may have trouble with FTPS.
    Also: when set to use FTPS, Filezilla FTP client (perhaps others) by default attempted to connect on port 990, which is for Implicit Mode FTPS (SSL mandated). You may need to manually select port 21 for FTPS (Explicit Mode, SSL is requested).

    Detail:
    A file transfer using FTP opens at least two channels of communication between client and server.
    The first 'control' channel, using port 21, is for login and commands. In order to transfer a file, a second 'data' connection is established. The port number to be used for the data connection is decided on the fly and communicated between client and server over the control connection.
    The only reason normal FTP makes it through most firewalls is that the firewall is able to snoop on the control channel. By snooping on the control channel, the firewall knows what port was chosen for data and temporarily allows the data connection to be established. Once we encrypt the control channel, the firewall can no longer determine which ports on which to dynamically permit data connections.

    This page is old, but still relevant, and explains the previous paragraph in detail with the aid of some graphics:
    http://www.isaserver.org/articles/How_the_FTP_p

    or punyURL: http://2myv.sl.pt

    If you have control of your firewall, there are some ways to make it work. Search FTPS and FIREWALL.
    If you move around a lot and expect to update your site using other peoples broadband, best you upgrade to a package that supports SSH.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>