Please note that the website now has moved to https://www.thesecuritybuddy.com. Please visit the updated article here SFTP vs FTPS - The Security Buddy
FTP or File Transfer Protocol is a standard network protocol, which is used to transfer files from one host to another host over Internet.
Security concerns of FTP
FTP is normally widely used. But security is a big concern for it. FTP was not created to be a secure protocol. The traffic between two hosts are transferred unencrypted in FTP. Even the username and password transferred is also too unsecure to be sniffed by a third party. So, this protocol is very much vulnerable to sniffing or spoofing attack. So, use of FTP is deprecated in modern time for security concern.
FTP over SSH or SFTP is one way of making FTP protocol more secure. In this protocol, a normal FTP session is tunneled over a Secure Shell connection. As a result, data transferred between two hosts are encrypted making the protocol more secure. In SFTP, data transfer is packet based, instead of text-based. Also, data is transferred over the main control connection, instead of opening a seperate data connection. In fact, there is very little common to FTP and SFTP.
FTPS is an extension of FTP. It adds support for the SSL/TLS cryptographic protocols. In this protocol, normally a Transport Layer Security is established from the beginning of the connection. There are normally two types of FTPS – implicit and explicit.
In case of implicit FTPS, the client is expected to send TLS ClientHello message at the beginning of the connection and if it fails, the connection is dropped.
In explicit FTPS, the client is expected to explicitly ask for security. If it fails to ask, it is up to the server to continue in the unsecure more or drop the connection.
Once a TLS connection is established, the data transfers between the hosts in encrypted manner.
In terms of security, both SFTP and FTPS are good. But, compatibility is a big concern for SFTP.