FTPS - Obsolescent Secure FTP

The File Transfer Protocol (FTP) has been hampered by its inherent lack of security as well as network connectivity issues particularly in environments that make use of the common network address translation (NAT) technologies. NAT is a common feature of corporate firewalls, which has resulted in frequent FTP connectivity problems in corporate and protected networks.

FTPS - Combining FTP and SSL

FTPS (FTP with Security) was born out of the realization that the usefulness of the FTP protocol was being hampered by its lack of communications security.

This evident security problem was addressed by combining the plaintext, unencrypted FTP with Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols. A resulting combination would then carry the file transfer functionality inside an encrypted SSL/TLS tunnel that provides end-to-end encryption and transport security.

The FTPS extension to FTP was published by the IETF as RFC 2228.

The security of FTPS connections can be set up in two distinct ways, both of which have their strengths and shortcomings. The security methods are called “implicit” and “explicit”.

In the implicit security method the entire connection is protected by the SSL/TLS session. This method, however, breaks the compatibility with “normal” FTP servers, as the client will initiate the connection with SSL/TLS, and the server needs to be aware of this.

In the alternative explicit security method the encryption is turned on by a special command after the initial plaintext FTP connection is set up. The drawback of the “explicit” method with its added command is that it requires a separate step with user/client action to complete, and thus changes the protocol flow and user workflow.

SSH and SFTP

The SSH protocol is deployed in practically every corporate network across the globe. It offers a secure file transfer capability based on SFTP (also known as SSH File Transfer Protocol). This is a standard part of the SSH protocol suite. It offers a selection of strong authentication methods, user-friendly secure file transfer functionality, and works well over NATs and firewalls without the issues that hamper FTP (or FTPS) implementations.

SFTP has pretty much replaced old FTP and FTPS on internal networks and in any security-critical applications. Some anonymous FTP usage remains for public access, and some legacy equipment still uses FTP. FTPS has remained a curiosity, supported by some commercial file transfer tools, but less and less used. Given the prevalence of SFTP, there is no good application for FTPS.

SFTP Implementations (Recommended)

We strongly recommend using the SSH protocol and SFTP instead of FTPS. SFTP is supported by practically all commercial file transfer tools, and it ships standard with Unix, Linux, and Mac operating systems as part of the OpenSSH package.

For business-critical applications we recommend using the Tectia SSH Server and Client. It comes with commercial 24x7 support services, full support for smartcards and certificate-based authentication (including CAC and PIV cards). It is also available for z/OS mainframes.

FTPS Implementations (Obsolescent)

Some popular file transfer clients (such as FileZilla and WinSCP) support also the secure version of FTP. The SSL/TLS security option is also available in many server implementations, but extra configuration may be required.