Tuesday, November 17, 2015

SFTP vs FTPS



FTP, or File Transfer Protocol, is a standard network protocol used to transfer files from one host to another over the Internet.



Security concerns of FTP


FTP is widely used, but security is a big concern. FTP was not created to be a secure protocol: the traffic between two hosts is transferred unencrypted. Even the username and password are sent unprotected and can be sniffed by a third party. This makes the protocol very vulnerable to sniffing and spoofing attacks, so the use of FTP is now deprecated for security reasons.






SFTP vs FTPS


FTP over SSH, or SFTP, is one way of making the FTP protocol more secure. In this protocol, a normal FTP session is tunneled over a Secure Shell connection. As a result, data transferred between the two hosts is encrypted, making the protocol more secure. In SFTP, data transfer is packet-based instead of text-based. Also, data is transferred over the main control connection instead of opening a separate data connection. In fact, FTP and SFTP have very little in common.



FTPS is an extension of FTP that adds support for the SSL/TLS cryptographic protocols. In this protocol, a Transport Layer Security session is normally established from the beginning of the connection. There are normally two types of FTPS: implicit and explicit.

In implicit FTPS, the client is expected to send a TLS ClientHello message at the beginning of the connection; if it fails to do so, the connection is dropped.

In explicit FTPS, the client is expected to explicitly ask for security. If it fails to ask, it is up to the server to continue in unsecured mode or drop the connection.

Once a TLS connection is established, data is transferred between the hosts in encrypted form.
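An added example, not part of the original post: a small Python audit of an explicit-FTPS control-channel log that flags credentials sent before `AUTH TLS` was accepted, which is the case where the server continues in unsecured mode. It goes slightly beyond the text by also checking for `PROT P` (RFC 4217), without which the data connection of an explicit session is not encrypted; the log format, host name and session contents are constructed for illustration.

```python
import re

DATA_CMDS = {"RETR", "STOR", "APPE", "LIST", "NLST", "MLSD"}
# Constructed session logs ("C:" client command, "S:" server reply); assumed format, not real traffic.
PLAIN_SESSION = """\
S: 220 ftp.example.test ready
C: USER alice
S: 331 Password required
C: PASS example-password
S: 230 Logged in
C: RETR report.csv
"""
SECURED_SESSION = """\
S: 220 ftp.example.test ready
C: AUTH TLS
S: 234 Proceed with negotiation
C: USER alice
S: 331 Password required
C: PASS example-password
S: 230 Logged in
C: PBSZ 0
S: 200 OK
C: PROT P
S: 200 Protection level set to Private
C: RETR report.csv
"""

def audit_explicit_ftps(log):
    """Return a list of findings for one control-channel session log."""
    findings = []
    tls_up = data_private = False        # state after an accepted AUTH / PROT P
    auth_pending = prot_pending = False  # which server reply we are waiting for
    for line in log.splitlines():
        m = re.match(r"([CS]):\s*(\S+)\s*(.*)", line)
        if not m:
            continue
        side, word, arg = m.group(1), m.group(2).upper(), m.group(3).strip().upper()
        if side == "C":
            auth_pending = word == "AUTH"
            prot_pending = word == "PROT" and arg == "P"
            if word in ("USER", "PASS") and not tls_up:
                findings.append(f"{word} sent before TLS was negotiated")
            if word in DATA_CMDS and not data_private:
                findings.append(f"{word} without PROT P: data channel in clear")
        else:  # server reply: word is the three-digit reply code
            tls_up = tls_up or (auth_pending and word == "234")
            data_private = data_private or (prot_pending and tls_up and word == "200")
            auth_pending = prot_pending = False
    return findings
```

A client that must never fall back should treat any reply other than 234 to `AUTH TLS` as fatal and close the connection before sending `USER`.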

In terms of security, both SFTP and FTPS are good. However, compatibility is a big concern for SFTP.


2 comments:

  1. Your blurb is convoluted at best; traditional PGP involves wrapping a file in a secure archive with two keys, public and private. The public key is sent to anyone wanting to converse with you; the private key is kept secret so information encrypted with the public key can be decrypted with the private key. What you have failed to convey is exactly how your new technology melds the two technologies together? One could guess how the technology might work, but what is the value-add of using this new technology? Most of us admins are already utilizing RSA Secure ID to gain access to the core prior to ever using ftp, telnet, Sdtp etc. What are the benefits of using your solution?

    NefariousOne

  2. If I have understood it right, you wanted to ask: how is PGP better than using normal RSA? The immediate answer that comes to mind is that PGP allows someone to effectively manage keys, like distributing one's public key to others effectively and validating others' keys through signing them, etc., which in turn is more effective in terms of security. But yes, internally, PGP uses RSA etc. to create key pairs.
