FTPS vs SFTP: What is the Difference?
What is the difference between FTPS and SFTP? Let us first look at the technology behind each protocol, and then at the advantages and limitations of each.
What is FTPS?
So what does FTPS stand for? File Transfer Protocol Secure. FTP came first, but it was not initially secured. FTPS uses the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols to secure the connection through encryption. The basis for this is the FTPS server's public key certificate in X.509 format. The certificate can be trusted (issued by a trusted certification authority) or self-signed. Using a self-signed certificate does not mean that the encryption will be any weaker, but you must verify for yourself that the host is who it claims to be. FTPS connections are secured either implicitly or explicitly. FTPS servers usually listen for implicit connections on port 990 and for explicit connections on port 21, although the server administrator can of course choose other ports as needed.
How Does FTPS Work?
An implicit connection starts when the client sends a TLS "client hello" message. This message signals that the connection must be secure. If the server does not accept it, the connection is dropped immediately. If the server does accept the "client hello", it sends its server certificate to the client; the client validates the certificate, uses it to encrypt the session key, and sends that back to the server, after which the conversation is encrypted.
For explicit FTPS, the client explicitly requests security by sending the "AUTH TLS" (or "AUTH SSL") command immediately after establishing the connection. If no AUTH command is sent, the FTPS server treats the client connection as a "regular" non-secure FTP session.
Interestingly, implicit connections are not described in RFC 2228 (the FTPS document); only explicit connections are.
In either case, once the session starts, the client needs to authenticate to the FTPS server. Usually this is done with a user ID and password, but a client certificate can also be used if required. All FTP commands naturally pass along the control channel (usually port 21 for explicit and 990 for implicit), but FTPS then requires a separate channel for data communication (the actual transfer of files or directory listings). By default, the data channel is port 20 for explicit FTPS and port 989 for implicit FTPS. The data channel is opened as needed and then immediately closed again, while the control channel remains open for the duration of the session.
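The implicit/explicit distinction above is visible on the wire from the very first bytes a client sends, which is what a network defender would key on: an implicit session is TLS from byte one, an explicit session starts as cleartext FTP and only becomes opaque after the AUTH command, and anything sent before that upgrade (including USER and PASS if a client gets the order wrong, or if the server refused AUTH) crossed the network unencrypted. The following classifier is an added example, not code from the original article; the byte streams it is run against are constructed, and the "client hello" detection only checks the TLS record header rather than parsing a full handshake.

```python
"""Classify an FTP control-channel connection from the first bytes the client sent.

Added example (not part of the original article): tells implicit FTPS (TLS from the
first byte, typically port 990) apart from explicit FTPS (cleartext FTP that upgrades
after AUTH TLS/SSL, typically port 21) and from plain FTP, and flags credentials
that went over the wire before any TLS upgrade. The byte samples below are constructed.
"""
from dataclasses import dataclass, field

TLS_HANDSHAKE_RECORD = 0x16   # TLS record content type "handshake"
TLS_CLIENT_HELLO = 0x01       # handshake message type "ClientHello"


def is_tls_client_hello(data: bytes) -> bool:
    """True if `data` starts with a TLS record carrying a ClientHello.

    Layout: content type (1), record version 0x03 0x0X (2), length (2),
    then the handshake message type (1).
    """
    return (
        len(data) >= 6
        and data[0] == TLS_HANDSHAKE_RECORD
        and data[1] == 0x03
        and data[2] <= 0x04
        and data[5] == TLS_CLIENT_HELLO
    )


@dataclass
class SessionReport:
    mode: str                 # implicit-ftps | explicit-ftps | explicit-not-upgraded | plain-ftp
    upgraded: bool            # did the control channel end up inside TLS?
    cleartext_commands: list[str] = field(default_factory=list)
    credentials_in_clear: bool = False


def classify_control_stream(data: bytes) -> SessionReport:
    """Walk the client->server bytes of the control channel and report how it was secured."""
    if is_tls_client_hello(data):
        # Implicit FTPS: no FTP command is ever seen in the clear.
        return SessionReport("implicit-ftps", upgraded=True)

    commands: list[str] = []
    credentials = False
    auth_requested = False
    rest = data
    while rest:
        line, sep, rest = rest.partition(b"\r\n")
        if not sep:
            break  # trailing partial line, nothing complete left to inspect
        cmd = line.decode("ascii", errors="replace").strip()
        commands.append(cmd)
        parts = cmd.upper().split()
        verb = parts[0] if parts else ""
        if verb in ("USER", "PASS"):
            credentials = True  # seen before any TLS upgrade, so it crossed the wire in the clear
        if verb == "AUTH" and len(parts) > 1 and parts[1] in ("TLS", "SSL", "TLS-C", "TLS-P"):
            auth_requested = True
            if is_tls_client_hello(rest):
                # Explicit FTPS: the handshake follows AUTH; everything after it is opaque.
                return SessionReport("explicit-ftps", True, commands, credentials)
            # No handshake followed: the server refused AUTH and the client carried on unencrypted.
    mode = "explicit-not-upgraded" if auth_requested else "plain-ftp"
    return SessionReport(mode, False, commands, credentials)


# Constructed samples: a truncated ClientHello record (only the header bytes matter here).
CLIENT_HELLO = bytes.fromhex("160301002c01000028030355") + b"\x00" * 40
SAMPLES = {
    "implicit_990": CLIENT_HELLO,
    "explicit_21": b"AUTH TLS\r\n" + CLIENT_HELLO,
    "plain_21": b"USER alice\r\nPASS hunter2\r\nPWD\r\n",
    "refused_upgrade": b"AUTH TLS\r\nUSER alice\r\nPASS hunter2\r\n",
}

if __name__ == "__main__":
    for name, stream in SAMPLES.items():
        print(name, classify_control_stream(stream))
```

The "explicit-not-upgraded" outcome is the case the article warns about: the client asked for TLS, the server did not honour it, and the session continued as a "regular" FTP session with the credentials in the clear. Note that even a correctly upgraded explicit session only protects the control channel here; the separate data channel described above has to be protected by the client as well (in practice with the PROT P command), which this classifier does not inspect.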
What is the Difference Between FTPS and SFTP?
First of all, SFTP is not a form of FTP. In fact, FTPS and SFTP are completely unrelated and are similar only in the structure of many of their commands. SFTP is not FTP tunnelled over SSH but an independent protocol in its own right, which uses the underlying SSH protocol to provide connection security and identity verification. Because it is built on SSH, it normally uses the SSH port (usually port 22).
With SFTP, we no longer use certificates for encryption but instead public/private key pairs that are not signed by a trusted authority. Just as with a self-signed FTPS certificate, the only thing open to doubt is whether the SFTP server is who it should be: once you are sure that you are connected to the correct server, you simply accept the server key and continue with the encrypted session.
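"Being sure you are connected to the correct server" is the step that deserves code, because an SFTP client that silently accepts any offered key gives up exactly the identity check the article says you must make. The block below is an added example, not part of the original article or of any SFTP implementation: it parses OpenSSH-format public-key lines, computes the SHA256 fingerprint an administrator would compare against one obtained out of band, and checks an offered host key against a pinned known_hosts-style list. The host name and the key bytes are constructed placeholders with the right wire layout, not real Ed25519 keys.

```python
"""Pin an SFTP server's host key rather than accepting whatever key is offered.

Added example (not from the original article). The host name and the key bytes are
constructed placeholders: the "keys" below have the OpenSSH wire layout but are not real
Ed25519 keys, which is enough to show parsing, fingerprinting and pin checking.
"""
import base64
import hashlib
import hmac
import struct


def ssh_string(b: bytes) -> bytes:
    """Length-prefixed string as used in SSH key blobs (RFC 4251 'string')."""
    return struct.pack(">I", len(b)) + b


def make_fake_ed25519_key(seed: int) -> str:
    """Constructed test key in OpenSSH public-key line format (NOT a real key)."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes([seed % 256]) * 32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


def parse_public_key(line: str) -> tuple[str, bytes]:
    """Parse 'key-type base64 [comment]' and return (key_type, raw blob)."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    # The blob's first field repeats the key type; the two must agree.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type in blob does not match text form")
    return key_type, blob


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256 of the blob, base64 without padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict[tuple[str, str], bytes]:
    """Read 'host[,host...] key-type base64' lines into a {(host, type): blob} map."""
    pins: dict[tuple[str, str], bytes] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        hosts, key_type, b64 = line.split()[:3]
        _, blob = parse_public_key(f"{key_type} {b64}")
        for host in hosts.split(","):
            pins[(host, key_type)] = blob
    return pins


def verify_host_key(pins: dict[tuple[str, str], bytes], host: str, presented: str) -> str:
    """'match' -> proceed; 'mismatch' -> key changed, refuse; 'unknown' -> not pinned, refuse.

    Refusing on 'unknown' is the pinned-only policy; trust-on-first-use would store the
    key here instead, and is only as good as that first connection.
    """
    key_type, blob = parse_public_key(presented)
    pinned = pins.get((host, key_type))
    if pinned is None:
        return "unknown"
    return "match" if hmac.compare_digest(pinned, blob) else "mismatch"


# Constructed: the key we distributed out of band for our placeholder SFTP host.
SFTP_HOST = "sftp.example.internal"
KNOWN_HOSTS = f"# pinned out of band\n{SFTP_HOST} {make_fake_ed25519_key(7)}\n"
PINS = parse_known_hosts(KNOWN_HOSTS)

if __name__ == "__main__":
    offered = make_fake_ed25519_key(7)
    print(fingerprint(parse_public_key(offered)[1]), verify_host_key(PINS, SFTP_HOST, offered))
    print(verify_host_key(PINS, SFTP_HOST, make_fake_ed25519_key(8)))
```

The comparison uses hmac.compare_digest so that a wrong key is rejected in constant time, and a "mismatch" result is the signal to stop rather than to re-prompt: a changed host key on a server whose key you already hold is the one event the accept-the-key-and-continue workflow in the article cannot distinguish from an impostor by itself.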