Over the past decade, as Internet security has become a chief concern of IT professionals, one of the most common questions administrators and users ask is, "Which is more secure, SFTP or FTPS?"
In short, both protocols offer a high level of security and both are suitable for meeting the requirements imposed on most organizations by internal policies and state and federal regulations, including the Health Insurance Portability And Accountability Act (HIPAA), the Sarbanes-Oxley Act (SOX), the Gramm-Leach-Bliley Act (GLBA), etc.
For those looking for a deeper understanding of the differences between these two file transfer protocols, this article reviews what we mean by "security" and then examines how these protocols work and what mechanisms they use to ensure the security of a transmission.
When evaluating the security of a particular method of moving data between systems, most users are concerned with meeting three conditions:
1. Confidentiality -- Ensuring that nobody but the intended recipient can see the data being sent.
2. Integrity -- Ensuring that the data cannot be modified by an unauthorized party before reaching the intended recipient.
3. Authenticity -- Ensuring that both the sender and recipient are who they say they are.
Now that we know what kind of security we need, we can next examine how the FTPS and SFTP protocols work and how they achieve these security goals.
FTPS is a combination of two technologies: FTP and SSL. FTP is a network file transfer protocol that was first described in RFC 959 in 1980 and has gone through numerous changes and additions since that time. By itself, FTP offers no meaningful security. Connections are password-protected, but all data (including passwords) is sent in plain text over the network. An FTP connection can be secured by using the SSL/TLS protocol, as described in RFC 2228. This combination of using FTP with SSL/TLS has come to be known as FTPS, and most client and servers support it without requiring significant expertise on behalf of the user.
SFTP is a totally different protocol from FTP, although it is used much the same way. SFTP was first described in RFC 4253. Where FTPS uses SSL to secure the connection, SFTP uses the SSH protocol.
SSL and SSH, the security protocols used by FTPS and SFTP, respectively, both utilize essentially the same techniques to secure a connection. The primary difference is in how they handle authentication (#3 in our list of security conditions). SSL uses X.509 certificates where SSH instead uses SSH keys.
This is where many consider SSL to have a slight edge over SSH. An X.509 certificate (more commonly known as an SSL certificate) is a package that contains a key (like the keys used by SSH) but also includes additional information about the owner of the certificate. A certificate is typically issued by a Certificate Authority (also known as a CA), which is some trusted source that has taken steps to verify the authenticity of the company or person to whom they have issued the certificate.
SSH requires that when you accept a key from a trading partner you have your own method of verifying the authenticity of the key, where SSL allows you to delegate that job to the Certificate Authority that issued the SSL certificate.
This difference in approach to authentication is not necessarily a slam dunk in favor of SSL. For example, who is to say that Certificate Authorities are beyond reproach? It is certainly conceivable that an extremely clever malicious user could find a way to get a CA to issue a certificate to the wrong person. Likewise, the informal techniques often used to verify the authenticity of an SSH key (such as verbally confirming a key's fingerprint by phone) are considered by many to be very reliable. Still, in practice, SSL (and FTPS) is more widely used.
So, as it appears that FTPS and SFTP offer similar levels of security, are there other reasons to choose one over the other? Assuming you have a choice, as many users need to interface with systems where this decision has already been made, there are a few criteria worth considering when choosing between SFTP and FTPS.
FTPS is more popular, so it is more likely that others with whom you wish to exchange data will be able to support it. Advantage: FTPS.
SFTP is easier to administer from a network perspective (firewalls, etc.). SFTP uses only a single TCP port where FTPS requires two. Advantage: SFTP.
FTPS is more flexible and, under the right circumstances, uses less computing resources than SFTP, which can lead to faster performance. Advantage FTPS.
SFTP is a newer protocol with standards that are more clearly defined. For example, SFTP uses a standardized directory listing format, where FTPS does not. Newer additions to FTP offer a standardized way of retrieving a directory listing, although it is not universally supported. It is not uncommon to uncover interoperability issues when connecting FTPs implementations from different vendors, where SFTP encounters such issues less often (although they do happen from time to time). Advantage: SFTP.
As both
file transfer protocols have their advantages, it is likely they will continue to co-exist for the foreseeable future. Fortunately, vendors have recognized this trend and many products support both protocols equally well, making the choice between SFTP and FTPS largely academic.
To summarize, SFTP and FTPS offer similar levels of security and both are well-suited to meet the requirements of most organizations, including those bound by state and federal regulations like the Health Insurance Portability And Accountability Act (HIPAA), the Sarbanes-Oxley Act (SOX), the Gramm-Leach-Bliley Act (GLBA), etc.