IMHO, this is rather misguided.
sftp is a highly-secure protocol, it's always encrypted from end-to-end.
FTPS is also highly-secure, but it has the ability to turn encryption
on/off at different points in the conversation. In theory, FTPS _could_
be as secure as sftp. But in practice, it almost never is.
FTP is a very old protocol. The first standard for it was published in
1971, when the Internet was only a handful of computers, and they all
trusted each other. Some of the things that FTP does are, quite
frankly, a really bad idea in today's world.
It uses a different port for every file transfer, forcing firewalls to
have a whole range of ephemeral ports open. Not a good idea for security.
It calculates the IP address and port number during the conversation,
and sends them over the control channel. In order to make that work
with NAT, the NAT router has to read every packet, and change the data
in the packet. That can't work if the data is encrypted (the NAT router
can no longer read it -- duh, it's encrypted!)
So FTPS typically uses the encryption only for the userid/password, and
then drops back to plain-text mode. That's not nearly as secure as
sftp, which stays encrypted throughout the conversation.
Frankly, the problem with FTPS is they tried to "put lipstick on a pig".
They took a protocol that had some serious flaws already, and tried to
add cryptography to it... and it's just not as good as the totally
re-imagined sftp protocol (which was designed for security from the
To me (someone who has spent a lot of time studying the inner workings
of these protocols) the idea that FTPS is *more* secure than sftp is
If your problem is that SSH allows interactive logins as well as file
transfers, then you should change your SSH configuration to disallow the
interactive logins for those users.
On 9/2/2010 10:17 PM, jmmckee wrote:
Below is the rationale for dropping sFTP. Does this make sense? I
get the impression that the manager believes sFTP (and ssh) is not
secure. Or, that ssh (and sFTP) are not as good as FTP/S.
"The system supports FTPS, which is a tightening of security as it
prevents excessive SSH accounts that can make the server more vulnerable."
As an Amazon Associate we earn from qualifying purchases.