Understanding the differences between these file-sharing protocols can be the difference between securely transferring files and having your data fall into the wrong hands.
Secure file transfer has become more important as cyber threats grow more prevalent and organizations must comply with data privacy and security laws. But knowing which file-sharing methods to use can be challenging when you’re facing a bowl of alphabet soup: FTP vs FTPS vs SFTP.
You need a clear understanding of the difference between the FTP, FTPS, and SFTP protocols to make informed decisions about which to use. Each of these protocols has distinct characteristics and security features, which makes them suitable for different situations.
An Overview of the Key Differences Between FTP vs FTPS vs SFTP
In a nutshell, SFTP (i.e., the Secure File Transfer Protocol or SSH2 File Transfer Protocol) is the preferred method for secure file transfers. It has mostly replaced older protocols like the File Transfer Protocol (FTP) and File Transfer Protocol Secure (FTPS) because of its stronger security features. This shift emphasizes the need to protect data from potential breaches and unauthorized access.
Protocol | File Transfer Protocol (FTP) | File Transfer Protocol Secure (FTPS) | SSH File Transfer Protocol (SFTP) |
What It Is | Oldest (and least secure) of the three protocols, which transmits files via a plaintext connection | An enhanced version of FTP that adds a layer of security via TLS encryption and authentication using traditional credentials or digital certificates | An unrelated file-sharing protocol that uses Secure Shell (SSH 2.0) |
Use Cases | Unsecure file transfers of non-sensitive data in controlled environments | Secure file transfers leveraging existing FTP infrastructure | Secure file transfers over insecure networks using SSH |
Security | Insecure — data sent in plain text | Secure — data is sent via a TLS/SSL encrypted communication tunnel | Secure — data encrypted using SSH keys before being transmitted |
Authentication Method | Username and password only | Username and password combination or the option of a certificate-based authentication | SSH keys from the server |
Uses Which Port(s) | Port 20 for data transfers, whereas port 21 is used to transmit FTP control commands | Uses multiple ports: Port 21 for explicit connections (most common); Ports 989 (data transfer) and 990 (control command transmissions) for implicit connections | Typically uses TCP port 22 |
Compatibility | Widely supported by legacy systems, largely deprecated by modern systems due to security concerns. | Compatible with existing FTP infrastructure, firewall configuration can be complex due to multiple ports. | Requires an SSH server setup, considered firewall-friendly due to single port. |
Deprecation Status | Widely deprecated by most modern systems and browsers | Explicit FTPS is still in use, and some say implicit FTPS is deprecated because it was never officially standardized | Still widely used, although not all clients support it |
Image caption: A basic illustration that demonstrates the difference between FTP, FTPS, and SFTP when it comes to how the different protocols do or don’t secure data and authenticate connections.
Here’s a detailed comparison to help you understand the difference between FTP, FTPS, and SFTP so you can easily decide which one best fits your needs:
1. File Transfer Protocol (FTP)
Overview of FTP: File Transfer Protocol Basics
- What It Is: The File Transfer Protocol is an insecure networking protocol that allows users to upload, download, and transfer files to and from servers and clients.
- When it was created: The earliest iteration of the file transfer method (RFC 114) was proposed in April 1971. Its shift from NCP to TCP as the underlying protocol occurred in June 1980 in RFC 765, and it was updated again in October 1985 as RFC 959.
- Purpose: FTP is a way to move files between a client and a server on a network quickly and easily without the encryption computational overhead.
- Port: It typically uses port 21 for sending commands and port 20 for transferring data.
- Deprecation status: This protocol has been deprecated by most modern software since 2022.
Use Cases For FTP: Only When Security Isn’t a Concern
Realistically, the best answer to the question of when it’s appropriate to use FTP is “never” for modern websites and systems. However, that’s not the reality; smaller companies often rely on legacy systems. This is why, if you’re going to use FTP (which, again, we don’t recommend), it’s best to do so only in situations:
- where security isn’t a concern, like when transmitting non-sensitive data or files.
- when operating older systems and applications that need a simple method to transfer non-sensitive files.
FTP Security: Practically Non-Existent Since Data is Sent via Plain Text
- Encryption: Traditional FTP doesn’t use encryption to secure data in transit. This means that everything, including your username and password, is sent as plaintext. As such, it’s easy for others to intercept and steal your data.
- Authentication: Authentication is basic, just a plaintext username and password combination.
2. File Transfer Protocol Secure (FTPS)
Overview of FTPS: Adding TLS/SSL for Enhanced Security
- What It Is: The File Transfer Protocol Secure is a more secure version of FTP that uses transport layer security (TLS). (It previously used SSL, i.e., the secure sockets layer.)
- When it was created: The first application of SSL to FTP was in 1996 and was published as the proposed standard RFC 2228 in October 1997. However, it wasn’t standardized with TLS until October 2005 in RFC 4217.
- Purpose: FTPS is a secure protocol that allows you to transmit files to and from your client and server(s) using secure, authenticated connections.
- Port: FTPS uses multiple connections.
  - Implicit FTPS (which is rarely used and isn’t recommended) operates on port 990 for control connections and port 989 for data connections.
  - Explicit FTPS, which is the only one defined in the standard, starts unencrypted on port 21, where it negotiates security using TLS. Data transfer can occur over dynamically assigned ports or port 20 in active mode.
- Deprecation status: You’ll still find FTPS in use across the internet. However, different clients and systems may choose to support implicit versus explicit FTPS. Some organizations have deprecated implicit FTPS because it wasn’t defined in RFC 4217 (only explicit FTPS was covered by the standard).
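Because plain FTP and explicit FTPS share port 21, a monitor has to read the opening of the control channel to tell them apart. The following is an added example, not code from the original article: it audits constructed session transcripts and reports whether USER/PASS crossed the wire in cleartext or the session upgraded with AUTH TLS first. The transcript format and the function name `audit_session` are assumptions made for illustration.

```python
# Constructed port-21 control-channel transcripts as a passive monitor would
# see them: ("C", line) from the client, ("S", line) from the server.
PLAIN_FTP = [
    ("S", "220 FTP server ready"), ("C", "USER alice"),
    ("S", "331 Password required"), ("C", "PASS example-password"),
    ("S", "230 Login successful"),
]
EXPLICIT_FTPS = [
    ("S", "220 FTP server ready"), ("C", "AUTH TLS"),
    ("S", "234 Proceed with negotiation"),  # the rest is inside TLS
]
REFUSED_UPGRADE = [
    ("S", "220 FTP server ready"), ("C", "AUTH TLS"),
    ("S", "502 Command not implemented"), ("C", "USER bob"),
    ("S", "331 Password required"), ("C", "PASS example-password"),
]


def audit_session(lines):
    """Classify one session and name any credential commands sent in the clear."""
    auth_pending = tls = tls_refused = False
    exposed = []
    for direction, text in lines:
        verb, _, arg = text.strip().partition(" ")
        if direction == "C":
            verb = verb.upper()
            if verb == "AUTH" and arg.strip().upper() in ("TLS", "SSL"):
                auth_pending = True
            elif verb in ("USER", "PASS"):
                exposed.append(verb)  # record the command, never the secret
        elif auth_pending:
            auth_pending = False
            if verb == "234":  # reply code that accepts AUTH (RFC 2228/4217)
                tls = True
                break  # later bytes are TLS records, not FTP lines
            tls_refused = True
    if exposed:
        verdict = "cleartext-login"
    elif tls:
        verdict = "explicit-ftps"
    else:
        verdict = "no-login-seen"
    return {"verdict": verdict, "exposed": exposed, "tls_refused": tls_refused}


if __name__ == "__main__":
    for name in ("PLAIN_FTP", "EXPLICIT_FTPS", "REFUSED_UPGRADE"):
        print(name, audit_session(globals()[name]))
```

The `REFUSED_UPGRADE` case is the one worth alerting on: the client asked for TLS, the server declined, and the client logged in anyway.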
FTPS Security: Encryption With TLS/SSL
- Encryption: FTPS ensures everything sent is secure by encrypting both the control and data channels, which prevents data interception during transfer. This involves the use of an X.509 server certificate to enable a secure SSL/TLS protocol connection.
- Authentication: It uses basic authentication methods like usernames and passwords but can also use certificate-based authentication to further enhance security by verifying the identity of the communicating parties.
Use Cases For FTPS: Secure Transfers Leveraging FTP Infrastructure
- When you need to secure file transfers to protect data in transit but want to keep using your existing FTP setup.
- For businesses that need to meet regulations requiring encrypted file transfers.
3. SSH File Transfer Protocol (SFTP)
Overview of SFTP: Secure Transfers Over SSH
- What It Is: SFTP is a secure data transfer method that is built on the Secure Shell (SSH) 2.0 protocol. (This is why it’s sometimes called SSH2.) It’s a bit misleading, as it has “FTP” in the name, but it’s an entirely separate protocol for securely sharing files that works in a different way.
- Purpose: SFTP is designed for secure file transfers over the SSH 2.0 protocol. It does this by encrypting both commands and data transmitted between a client and server via a single channel.
- Port: It uses port 22 by default, the same port SSH uses. Unlike the other two protocols, it only allows you to use one connection by default.
- Deprecation status: This protocol is still actively in use across the web.
Use Cases For SFTP: High-Security Data Transfers Over Unsecured Networks
- In environments where high security is a must.
- For transferring files over insecure open networks (i.e., the internet).
- In places where SSH is already used for secure communications.
- When you need a protocol that works well with firewalls.
SFTP Security: Sending Data via SSH While Using Robust Encryption
- Encryption: All data is encrypted, ensuring that files and credentials are safe during transmission.
- Authentication: Supports the use of password-based and SSH public-private key pair-based authentication.
Final Thoughts on Choosing FTP vs FTPS vs SFTP
Choosing between FTP, FTPS, and SFTP depends on what you need. Sure, FTP is the simplest option, but it’s also not secure (because it doesn’t use encryption) and has been deprecated by major browsers and systems. If you continue using this protocol, it means anything you transmit is in plaintext format and is at risk of being intercepted.
FTPS improves FTP security by using SSL/TLS encryption and adding an optional layer of security via certificate-based authentication. If you want better security than FTP without changing everything, FTPS (explicit) is a good choice. Just keep in mind it can be tricky to set up with firewalls because it uses multiple ports.
SFTP is a great option for secure file transfers. Since it uses SSH 2.0 for strong encryption, it works well over insecure networks and is often considered the go-to method for file transfers. Plus, it only needs one port, making it easier to set up with firewalls.
We hope this article helps you better understand the difference between FTP, FTPS, and SFTP. Think about your security needs, current setup, and network when choosing a protocol. Each has its strengths, but your decision should match what your business needs.