FTPS (FTP Over SSL): FTPS provides an extension to FTP via SSL/TLS channels. SSL/TLS provides channel encryption in compensating the security issue of FTP. When FTP and SSL/TLS are used together, it can achieve the objective of wide usage and secure data transmission (a.k.a. FTPS).
SFTP (SSH FTP): SFTP is commonly regarded as SSH File Transfer Protocol, which is levering SSH to transfer files. (Note: SFTP is not FTP over SSH)
Below is the compare table of Pros and Cons between FTPS (FTP Over SSL) and SFTP (SSH FTP)
| FTPS (FTP Over SSL) | SFTP (SSH FTP) | ||
| Mechanism in Brief | Leveraging SSL/TSL | Leveraging SSH File Transfer Protocol | |
| C-I-A Triad | Confidentiality (To protect the data from unauthorized access) |
Asymmetric
algorithm (RSA, DSA, etc.) |
|
| Integrity (To protect the data from unauthorized modifications) | Depending on software features: Hash functions (Standard Hash such as MD5, SHA1 / Non-Standard Hash functions) | ||
| Authentication (To Identify Who You Are) | X.509 Certificates (Support PKI) |
SSH Keys (Public keys) – Although some SSH software claims to support PKI but never validates the whole certificate chain |
|
| Key Management Efforts | Easier to manage the keys (PKI) – as long as the CA is reliable | Special attention should be given to managing of the SSH Keys | |
| General Adoption Trend | Widely used based on existing legacy FTP applications via SSL/TLS support (No need to adopt new technologies) | Increasing percentage of adopting SFTP due to easier firewall settings | |
| Implementation Difficulty | SSL/TLS is widely built-in supported in most OS | Need to ensure SSH service is installed / enabled | |
| Secondary Data Channel is required (More complex firewall settings) | Only One Channel is required (Easier firewall settings) | ||
| Major Features Supported | Supports very basic File / Data operation methods (i.e. Copy, Upload, Download, Delete, etc.) | Supports powerful File / Data operation methods (i.e. File attribute / permission settings, file lock, etc.) | |
| Loose Directory Standard | Rigid Directory Standard (Granular level of definition) | ||
| Server Side Settings (Brief) |
Allow inbound connections on
port (i.e. Port 21) |
Allow inbound connections on port 22 | |
| Client Side Settings (Brief) |
Allow outbound connections to port 21 Passive port range defined by server |
Allow outbound connections to port 22 | |
| Compatibility | Good compatibility due to simple architecture. | In SFTP standard, some features are marked optional or recommended. Different software / vendors may not strictly follow those standards and it may cause some compatibility issues. | |
| Firewall Settings (Brief) | Need to configure firewall to enable both two connections simultaneously | Just need to enable one connection on firewall (Ease of Firewall Management) | |