Re: What is the difference between ftp encryption types SSL, TLS, SFTP and SSH ?



Marcus Mender wrote:
I have seen a couple of different encryption types for ftp connections:

TLS
SSL
SFTP
SSH

OK, provided an ftp server offers all these types: which type should I choose
to set up the ftp server or to select from the ftp client's view?

Is the security for all these types similar, and does the difference refer only to different protocols?

What are the pros and cons ?

TLS is a variation on SSLv3. SSL and TLS are transport encryption
protocols layered on top of the base protocol. So just like https is
http over SSL/TLS, ftps is ftp over SSL/TLS.

SFTP is SCP with an ftp interface. SCP is the file copy program for ssh
(secure shell), so that's probably what you mean by SSH, as well.
SSH/SCP is an entirely different protocol designed specifically for
encrypted terminal sessions and file transfers.

ftp/ftps requires two connections, one for control and one for data.
SSL/TLS requires that you install a digital cert which your clients
trust, just like https for the web. Unlike https which uses a different
port from http (but like smtps which uses the same port for smtp), the
client first establishes a tcp connection to the regular port, then
sends a STARTTLS command, which the server may or may not recognize. If
the server recognizes the command, SSL/TLS is negotiated. ftps also
supports client-side certificates for authentication.

ftps has never been very popular. It's also not generally recommended
because of confusing implementations, lack of support, etc.

sftp/scp requires one connection. The server generates its own keys,
and the clients have to trust it the first time they connect.
Afterwards if the client sees the server key change, the client should
suspect foul play (or a stupid admin). It also supports public key
authentication, where the keys are created by the clients, but it's
harder to set up in an enterprise environment (1000's or 10000's or so
of users) because you have to authorize each key individually (and
individuals manage their own keys).

If you're going to implement sftp, you might as well implement scp,
instead. scp is the "real" protocol in both.

Lots more could be said. But I'll stop there.
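
The trust-on-first-use behaviour described in the reply above (accept the server key on first contact, treat a later change as suspicious), sketched as an added example that is not part of the original post. The `HostKeyPins` class, the host name and the key bytes are constructed for illustration; only the SSH string encoding and the OpenSSH-style SHA256 fingerprint format are real.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def fingerprint(key_blob: bytes) -> str:
    """SHA256 fingerprint as OpenSSH prints it (unpadded base64)."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class HostKeyPins:
    """Hypothetical trust-on-first-use store keyed by (host, port, key type)."""

    def __init__(self):
        self._pins = {}

    def check(self, host: str, port: int, key_blob: bytes) -> str:
        # The key type is the first SSH string inside the public key blob.
        n = int.from_bytes(key_blob[:4], "big")
        if len(key_blob) < 4 or n == 0 or 4 + n > len(key_blob):
            raise ValueError("malformed host key blob")
        slot = (host.lower(), port, key_blob[4:4 + n].decode("ascii"))
        seen = fingerprint(key_blob)
        pinned = self._pins.get(slot)
        if pinned is None:
            self._pins[slot] = seen  # first contact: nothing to compare against
            return "first-use"
        # A mismatch never overwrites the pin; the caller should abort.
        return "match" if pinned == seen else "changed"


# Constructed sample blobs (dummy bytes, not real host keys).
KEY_A = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
KEY_B = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(1, 33)))


def demo():
    pins = HostKeyPins()
    host = "sftp.example.test"  # placeholder host name
    return [pins.check(host, 22, KEY_A), pins.check(host.upper(), 22, KEY_A),
            pins.check(host, 22, KEY_B), pins.check(host, 22, KEY_A)]

if __name__ == "__main__":
    print(demo())
```

Because a changed key never replaces the stored pin, the original key is still accepted afterwards; replacing a pin should be a deliberate step after the new fingerprint has been confirmed out of band.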