Understanding Differences Between FTP and SFTP

Before you begin using the FTP suite of tools that are available in iWay Service Manager (iSM), it is recommended that you have a good understanding of File Transfer Protocol (FTP), and of which specific variant of FTP you plan to support.

What Is FTP?

File Transfer Protocol (FTP) is a standard network protocol used to transfer files from one host to another host over TCP-based networks, such as the Internet.

FTP is built on a client-server architecture model and uses separate control and data connections between the client and the server. FTP users can authenticate themselves using a clear text sign-in protocol, normally in the form of a user name and password, but can also connect anonymously if the server is configured to allow this. To implement secure transmission that hides (encrypts) the user name and password, and encrypts the content, FTP is often secured with SSL/TLS (known as FTPS).

Implementing Security

FTP was not originally designed to be a secure protocol and has many security weaknesses. In May 1999, the authors of RFC 2577 listed the following problems to which FTP is vulnerable:

  • Brute force attacks
  • Bounce attacks
  • Packet capture (sniffing)
  • Port stealing
  • Spoof attacks
  • User name protection

FTP is not able to encrypt its traffic; all transmissions are in clear text. As a result, user names, passwords, commands, and data can be easily read by anyone who is able to perform packet capture (sniffing) on the network. This problem is common to many of the Internet Protocol specifications (such as SMTP, Telnet, POP, and IMAP) that were designed prior to the creation of encryption mechanisms such as Transport Layer Security (TLS) or Secure Sockets Layer (SSL). A common solution to this problem is to use the secure, TLS-protected versions of the insecure protocols (for example, FTPS for FTP, TelnetS for Telnet, and so on) or a different, more secure protocol that can handle the job, such as the SFTP/SCP tools included with most implementations of the Secure Shell protocol.

Secure FTP

There are several methods available for transferring files securely that have been called Secure FTP at one point or another:

  • FTPS
  • SFTP
  • FTP Over SSH (Not SFTP)

FTPS

Explicit FTPS is an extension to the FTP standard that allows clients to request that the FTP session be encrypted. This is done by sending the AUTH TLS command. The server has the option of allowing or denying connections that do not request TLS. This protocol extension is defined in the proposed standard RFC 4217. Implicit FTPS is a deprecated standard for FTP that required the use of an SSL or TLS connection. It was specified to use ports other than those used by plain FTP.

SFTP

SFTP, the SSH File Transfer Protocol, is not related to FTP except that it also transfers files and has a similar command set for users. As commonly deployed, SFTP (often called secure FTP) is a program that uses Secure Shell (SSH) to transfer files. Unlike standard FTP, SFTP encrypts commands and data, which prevents passwords and sensitive information from being transmitted openly across a network. SFTP is functionally similar to FTP, but because it uses a different protocol, standard FTP clients cannot be used to talk to an SFTP server, nor can one connect to an FTP server with a client that supports only SFTP.

For more information about SFTP, see What Is SFTP?

FTP Over SSH (Not SFTP)

FTP over SSH (not SFTP) refers to the practice of tunneling a normal FTP session over an SSH connection. Because FTP uses multiple TCP connections (unusual for a TCP/IP protocol that is still in use), it is particularly difficult to tunnel over SSH. With many SSH clients, attempting to set up a tunnel for the control channel (the initial client-to-server connection on port 21) will protect only that channel. When data is transferred, the FTP software at either end sets up new TCP connections (data channels), which bypass the SSH tunnel and thus have no confidentiality or integrity protection.
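The three points above (clear-text credentials on the control channel, the AUTH TLS request of explicit FTPS, and data channels that are opened on separate ports outside a port-21 tunnel) can be checked from a control-channel transcript. The following is an added example, not code from the iWay documentation; the transcripts are constructed, and the FTPS one is shown as the client sees it, since after the 234 reply the control channel is encrypted on the wire.

```python
import re

# Constructed transcripts, not real captures: "C:" lines are client
# commands, "S:" lines are server replies (192.0.2.10 is a TEST-NET address).
PLAIN_SESSION = """\
S: 220 FTP server ready
C: USER alice
S: 331 Password required for alice
C: PASS hunter2
S: 230 Login successful
C: PASV
S: 227 Entering Passive Mode (192,0,2,10,195,80)
C: RETR report.csv"""

FTPS_SESSION = """\
S: 220 FTP server ready
C: AUTH TLS
S: 234 Proceed with negotiation
C: USER alice
S: 331 Password required for alice
C: PASS hunter2
S: 230 Login successful"""

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def data_endpoint(reply):
    # A 227 reply names the data-channel endpoint; the port is p1*256 + p2.
    m = PASV_RE.match(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def audit(transcript):
    # Report credentials sent before TLS was negotiated on the control channel
    # and every separate data connection the session opened.
    tls, pending_auth, exposed, data_channels = False, False, [], []
    for line in transcript.splitlines():
        who, _, text = line.partition(": ")
        verb, _, arg = text.partition(" ")
        if who == "C" and verb == "AUTH" and arg.upper() == "TLS":
            pending_auth = True                  # explicit FTPS request (RFC 4217)
        elif who == "S" and pending_auth and text.startswith("234"):
            tls, pending_auth = True, False      # server accepted; TLS handshake follows
        elif who == "C" and verb in ("USER", "PASS") and not tls:
            exposed.append(verb)                 # clear-text credential on the wire
        elif who == "S" and text.startswith("227"):
            data_channels.append(data_endpoint(text))
    return {"tls": tls, "exposed": exposed, "data_channels": data_channels}
```

A tunnel that forwards only port 21 would carry none of the connections listed under data_channels, which is the gap described above.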

Otherwise, it is necessary for the SSH client software to have specific knowledge of the FTP protocol, to monitor and rewrite FTP control channel messages and autonomously open new packet forwarding for FTP data channels. Software packages that support this mode include, but are not limited to:

  • Tectia ConnectSecure (Windows/Linux/Unix) of the SSH Communications Security software suite
  • Tectia Server for IBM z/OS of the SSH Communications Security software suite
  • FONC (GPL licensed)
  • Co:Z FTPSSH Proxy

FTP over SSH is sometimes referred to as secure FTP. This should not be confused with other methods of securing FTP, such as SSL/TLS (FTPS). Other methods of transferring files using SSH that are not related to FTP include SFTP and SCP. In each of these, the entire conversation (credentials and data) is always protected by the SSH protocol.

What Is SFTP?

SSH File Transfer Protocol (sometimes referred to as Secure File Transfer Protocol, or SFTP) is a network protocol that provides file access, file transfer, and file management functionalities over any reliable data stream. It was designed as an extension of the Secure Shell protocol (SSH) version 2.0 to provide secure file transfer capability, but is also intended to be used with other protocols.

This protocol assumes the following:

  • It is being run over a secure channel, such as SSH.
  • The server has already authenticated the client.
  • The identity of the client user is available to the protocol.

Capabilities of SFTP

Compared to the earlier SCP protocol, which allows only file transfers, the SFTP protocol allows for a range of operations on remote files, similar to a remote file system protocol. The extra capabilities of an SFTP client, compared to an SCP client, include resuming interrupted transfers, directory listings, and remote file removal.

SFTP attempts to be more platform-independent than SCP. For example, with SCP, the expansion of wildcards specified by the client depends on the server, whereas the design of SFTP avoids this problem. While SCP is most frequently implemented on UNIX platforms, SFTP servers are commonly available on most platforms.

SFTP is not FTP run over SSH, but rather a new protocol uniquely designed by the IETF SECSH working group. It is sometimes confused with Simple File Transfer Protocol.

Note that the protocol itself does not provide authentication or security; it relies on the underlying protocol for both. SFTP is most often used as a subsystem of SSH protocol version 2 implementations, having been designed by the same working group. However, it is possible to run it over SSH-1 (and some implementations support this) or other data streams. Running an SFTP server over SSH-1 is not platform independent, as SSH-1 does not support the concept of subsystems. An SFTP client that wants to connect to an SSH-1 server must know the path to the SFTP server binary on the server side.

For uploads, the transferred files can carry their basic attributes, such as timestamps. This is a feature the common FTP protocol lacks, since FTP has no provision for an upload to include the original date and time stamp attributes.
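Because SFTP is defined as packets on a reliable stream rather than as FTP commands, both the version handshake and the file-attribute provision described above are visible in its wire format. The following is an added example, not code from the iWay documentation: it encodes and decodes SSH_FXP_INIT and an SSH_FXP_SETSTAT carrying size and access/modification times, using the packet types and ATTRS flags of SFTP protocol version 3 (draft-ietf-secsh-filexfer-02, the version OpenSSH implements) as assumed here.

```python
import struct

# Packet types and ATTRS flags from draft-ietf-secsh-filexfer-02 (SFTP
# protocol version 3); these constants are the assumption behind this example.
SSH_FXP_INIT, SSH_FXP_VERSION, SSH_FXP_SETSTAT = 1, 2, 9
ATTR_SIZE, ATTR_ACMODTIME = 0x00000001, 0x00000008

def sftp_string(data):
    # SFTP "string": uint32 big-endian length followed by the raw bytes
    return struct.pack(">I", len(data)) + data

def packet(ptype, payload):
    # Framing: uint32 length, one byte type, then the payload
    body = struct.pack(">B", ptype) + payload
    return struct.pack(">I", len(body)) + body

def init_packet(version=3):
    # First packet on the stream: the client proposes its protocol version
    return packet(SSH_FXP_INIT, struct.pack(">I", version))

def setstat_packet(request_id, path, size, atime, mtime):
    # SSH_FXP_SETSTAT with size plus access/modification times: the per-file
    # attributes an SFTP upload can carry and plain FTP cannot
    attrs = struct.pack(">IQII", ATTR_SIZE | ATTR_ACMODTIME, size, atime, mtime)
    return packet(SSH_FXP_SETSTAT, struct.pack(">I", request_id) + sftp_string(path) + attrs)

def parse_packet(raw):
    # Decode the framing; for SETSTAT also walk the ATTRS block in flag order
    (length,) = struct.unpack(">I", raw[:4])
    ptype, body = raw[4], raw[5:4 + length]
    if ptype in (SSH_FXP_INIT, SSH_FXP_VERSION):
        return {"type": ptype, "version": struct.unpack(">I", body[:4])[0]}
    if ptype != SSH_FXP_SETSTAT:
        raise ValueError(f"unhandled packet type {ptype}")
    request_id, plen = struct.unpack(">II", body[:8])
    attrs = body[8 + plen:]
    (flags,) = struct.unpack(">I", attrs[:4])
    out = {"type": ptype, "id": request_id, "path": body[8:8 + plen].decode(), "flags": flags}
    pos = 4
    if flags & ATTR_SIZE:
        (out["size"],) = struct.unpack(">Q", attrs[pos:pos + 8])
        pos += 8
    if flags & ATTR_ACMODTIME:
        out["atime"], out["mtime"] = struct.unpack(">II", attrs[pos:pos + 8])
    return out
```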