Table of Contents [TOC]
Are you tired of worrying about the security of your file transfers? Have you ever wondered if there’s a safer way to move files across the internet? In this article, we provide you with a comprehensive overview of FTP and SFTP, highlighting their key features, differences, advantages, and authentication methods, while emphasizing the need for security and caution while transferring files containing sensitive information.
Let’s explore the world of FTP (File Transfer Protocol) and its secure counterpart, SFTP (Secure File Transfer Protocol). We will dive into the client-server model, the difference between active and passive FTP modes, and the importance of encryption. So, how can you make sure your file transfers are secure? Should you use FTP or SFTP? Let’s find out!
Let’s dive deep.
FUN FACT – Another full form of FTP is FUCKTHEPOPULATION
FUCKTHEPOPULATION (@ftp) • Instagram photos and videos – 639k Followers, 1 Following, 180 Posts – See Instagram photos and videos from FUCKTHEPOPULATION (@ftp)
What is FTP?
FTP (File Transfer Protocol) is a protocol used to transfer files between hosts on the Internet (or other TCP-based networks). It is a protocol based on the client-server model.
The FTP server contains the files and databases needed to provide the services requested by customers. More often than not, an FTP server is a very powerful device capable of handling multiple client requests at the same time. An FTP client is typically an end user’s personal computer or mobile device, which runs the necessary software capable of requesting and receiving files over the Internet from an FTP server.
You should be extra careful while transferring files with sensitive information. For example, with a WordPress site, you could be transferring the wp-config.php file, which includes your database credentials, along with other critical settings.
If a malicious actor got infected config.php file, they would have everything they need to take over your WordPress site.
FTP maintains separate connections between client and server to transfer control information and data. FTP client applications evolved from command-line applications to applications with graphical user interfaces during this period. SFTP (Secure File Transfer Protocol) is a protocol used to transfer files over a secure channel. It was developed as an extension of the SSH (Secure Shell) protocol by the IETF (Internet Engineering Task Force).
FTP modes
- Active: The initial connection is opened by the server, it opens the connection on its port 20 and connects to the client on a random port greater than 1024. This port will be specified by the FTP client itself. It is the least recommended option since it would imply having a fairly wide range of ports open on our own computer, with the security risks that this may entail.
- Passive: The initial connection is opened by the client and it is the server that tells it which port to open it on. It will always be done on a network port greater than 1024 on the server. In this way, it is not necessary to have ports open on our computer, since these will be the ones that will open the connection.
As we have mentioned at the beginning, FTP was created many years ago, before hackers existed, so it was not designed as a secure protocol and all the information that travels between our computer and the server is in plain text.
What is SFTP (Secure File Transfer Protocol)?
SFTP assumes that the channel used for communication is secure, that the client is authenticated by the server, and that client information is available for use by the protocol. SFTP (Secure File Transfer Protocol) is a protocol used to transfer files over a secure channel.
It was developed as an extension of the SSH (Secure Shell) protocol by the IETF (Internet Engineering Task Force). SFTP assumes that the channel used for communication is secure, that the client is authenticated by the server, and that client information is available for use by the protocol.
SFTP or SSH File Transfer Protocol is a protocol that “simulates” the behavior of the FTP protocol but that really has little or nothing to do with it, it is not an extension or an improvement such as SFTP, but rather it was developed from scratch.
Both control and transfer data are always transmitted encrypted and through a single channel, using port 22 for this, as well as the SSH (Secure SHell) protocol on which it is built.
Possibly for this reason many FTP servers implement the FTP AND FTPS protocols but not SFTP. Instead, we can see SFTP server implementations hand in hand with the SSH servers themselves, some examples are OpenSSH or LSH.
SFTP has been the latest protocol to arrive and it should be noted that its specification has never been more than a draft, that is, there is no RFC document.
SFTP (Secure File Transfer Protocol) is a protocol used to transfer files over a secure channel. It was developed as an extension of the SSH (Secure Shell) protocol by the IETF (Internet Engineering Task Force). SFTP assumes that the channel used for communication is secure, that the client is authenticated by the server, and that client information is available for use by the protocol.
What’s the Difference Between FTP vs SFTP, Then?
SFTP provides a secure mechanism for transferring files over the Internet. SFTP provides a mechanism for encryption of data and commands transferred between client and server, while information transferred between client and server via FTP is in plain text.
Additionally, files uploaded using SFTP protocol are associated with file attributes such as a timestamp, which is not possible with FTP.
Although SFTP offers similar (more secure) functionality than FTP, due to underlying differences in protocols, an FTP client cannot be used to communicate with an SFTP server nor can an SFTP client be used to communicate with an FTP server.
Encryption:
The big difference between FTP and SFTP is the ability to encrypt. SFTP is a much safer protocol than FTP because when a file is sent and received using FTP standards, they are not encrypted. This means that while the connection itself is secure, the transmission is not. Data in transit can therefore be intercepted by a third party with bad intentions.
Firewalls:
FTP simply uses one channel (port 21) to send instructions and receive acknowledgments. However, it must open a second channel on the other hand when a file is sent (port 20). SFTP is simpler and firewall-friendly since it requires only one open port (port 22) for sending controls and for sending or receiving data files.
Should I Use FTP or SFTP?
With SFTP (FTP over SSH), a connection can be authenticated using different techniques. For basic authentication, you (or your business partner) must require the user ID and password to connect to the SFTP server. It is important to know that any user ID or password provided through the SFTP connection will be encrypted, which is a great advantage over the standard FTP.
SSH keys can also be used to authenticate SFTP connections in addition to, or in place of, passwords. With key-based authentication, you’ll first need to generate an SSH private key and a public key. If you need to connect to a trading partner’s SFTP server, you will send them your SSH public key, which they will upload to their server and associate with your account.
When you connect to your SFTP server, your client software will transmit your public key to the server for authentication. If the keys match, along with any other provided username/password, then the authentication will be successful.
With SFTP (FTP over SSL), a connection is authenticated using the user ID, password, and certificate(s). As with SFTP, usernames and passwords for SFTP connections will also be encrypted.
When you connect to a trading partner’s SFTP server, your SFTP client will first check that the server’s certificate is trusted.
The certificate is considered trusted when the certificate was signed by a Certificate Authority (CA), such as Verisign, or if the certificate was self-signed (by your trading partner) and you have a copy of your public certificate in your keystore trustworthy
Your trading partner may also require you to provide a certificate when you connect to them. Your certificate may be signed by a CA or your business partner may allow you to self-sign your certificate, as long as you send them the public part of your certificate (the one they will upload to their trusted key store) in advance.
How does SFTP authentication work?
SFTP provides two methods to authenticate a connection. First, you can simply use a username and password. With SFTP, these credentials are encrypted which gives a major advantage over FTP. The other authentication method is to use SSH keys with SFTP.
This involves generating the SSH private key and the public key upstream. You can then send your public key to your partners and upload them to the servers by associating them with your account.
When an authorized person connects to the SFTP server, the client software passes your public key to the server for authentication. If the public key matches your private key, authentication will be successful.
Also Read – HTTP Status Codes: Full List of Error Codes + Guide [2022]
Advantages of using FTP and SFTP
Advantages of FTP
- The FTP protocol is based on a client/server model.
- One of the computers, the client, sends orders, while the other, the server, receives requests and initiates the requested actions.
- An FTP connection requires the opening of two channels. The control channel is governed by the Protocol Interpreter or PI, and is used to exchange commands and acknowledgements.
- The PI Client sends commands, to which the PI Server provides responses.
- The PI Server is also responsible for interpreting and responding to client requests through a second channel. This second channel or data channel is controlled by the Data Transfer Process or DTP.
Also Read – How To Setup WordPress Two-Factor Authentication (2FA)
Advantages of SFTP
- The SFTP protocol, for its part, uses a single channel for sending instructions and receiving responses on the one hand, and for exchanging data on the other.
- The FTP/SFTP protocol, therefore, makes it possible to exchange files other than by email, i.e. to download documents onto one’s computer (download) but also from one’s workstation to a server (upload), which then allows you to share it with other people.
- An FTP/SFTP server is actually software for transferring files between two computers. It is therefore at the heart of the principle of file synchronization.
Also Read –WordPress Passwordless Authentication Login Form – Plugins
Conclusion
Security is a shared responsibility and for FTP clients is one of the main premises. For this reason, we put at your disposal the tools to guarantee it.
When you connect to your hosting via FTP to upload or download information, remember to always do so via FTPS or SFTP. In this way, you are protecting your data by traveling encrypted over the Internet.
FTPS is a protocol that you can use in any of your hosting plans. If you also have advanced knowledge of Linux and your plan allows it, you will be able to exploit all the potential offered by SFTP and the command line interface.
Did you protect your FTP connections? It is in your hands to be able to do it and we hope that this post can help you.