IMHO, this is rather misguided.

sftp is a highly-secure protocol, it's always encrypted from end-to-end.

FTPS is also highly-secure, but it has the ability to turn encryption on/off at different points in the conversation. In theory, FTPS _could_ be as secure as sftp. But in practice, it almost never is.

FTP is a very old protocol. The first standard for it was published in 1971, when the Internet was only a handful of computers, and they all trusted each other. Some of the things that FTP does are, quite frankly, a really bad idea in today's world.

It uses a different port for every file transfer, forcing firewalls to have a whole range of ephemeral ports open. Not a good idea for security.

It calculates the IP address and port number during the conversation, and sends them over the control channel. In order to make that work with NAT, the NAT router has to read every packet, and change the data in the packet. That can't work if the data is encrypted (the NAT router can no longer read it -- duh, it's encrypted!)

So FTPS typically uses the encryption only for the userid/password, and then drops back to plain-text mode. That's not nearly as secure as sftp, which stays encrypted throughout the conversation.

Frankly, the problem with FTPS is they tried to "put lipstick on a pig". They took a protocol that had some serious flaws already, and tried to add cryptography to it... and it's just not as good as the totally re-imagined sftp protocol (which was designed for security from the ground up.)

To me (someone who has spent a lot of time studying the inner workings of these protocols) the idea that FTPS is *more* secure than sftp is absolutely ludicrous.

If your problem is that SSH allows interactive logins as well as file transfers, then you should change your SSH configuration to disallow the interactive logins for those users.


On 9/2/2010 10:17 PM, jmmckee wrote:
Below is the rationale for dropping sFTP. Does this make sense? I
get the impression that the manager believes sFTP (and ssh) is not
secure. Or, that ssh (and sFTP) are not as good as FTP/S.

"The system supports FTPS, which is a tightening of security as it
prevents excessive SSH accounts that can make the server more vulnerable."


As an Amazon Associate we earn from qualifying purchases.

This thread ...

Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2021 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.