FTP vs SFTP: Which Should You Choose? - WatchTowerHQ
01 March 2021

Have you ever wondered what the real difference between FTP and SFTP is, or which one is right for your use case? Let’s break down the benefits and disadvantages of each.

File Transfer Protocol (FTP) was developed in the 1970s to transfer electronic files between a client and a server over a computer network; its first specification was written by Abhay Bhushan in 1971. The current standard for FTP is RFC 959.

SSH File Transfer Protocol (SFTP), also called Secure File Transfer Protocol, came along in 1997, developed by Tatu Ylonen with help from Sami Lehtinen, to allow secure file transfers over the Secure Shell (SSH) protocol, since file transfers over an unencrypted network are a security risk.

Both protocols are used through a file transfer client that connects to your website’s server. FileZilla is a popular FTP client, while WinSCP is recommended for SFTP. End users experience no difference between the two protocols.

Regardless of FTP vs SFTP, both protocols allow you to:

  • Connect to your server.
  • Browse all the files on the server, including hidden files.
  • Upload files from a local computer to the server.
  • Download files from the server back to your local computer.

A file transfer is simply the exchange, upload, or download of electronic files to or from a computer or server over the internet. The protocols are used to connect and exchange files between remote machines.

Without FTP, you could not build a website or put information on your server. You couldn’t transfer files between remote devices. Without SFTP, your files are vulnerable to malicious actors seeking to access, steal, or change sensitive information about your website.

Take a deep dive into FTP vs SFTP — and learn which protocol is best for your needs.

What Is FTP?

FTP is an acronym for File Transfer Protocol, as noted above. It’s a commonly used protocol for exchanging computer files over the internet, using a client-server model. 

Using FTP, you perform a direct file transfer between your client and the web server over two separate channels — the Command channel and the Data channel.

The Command channel is responsible for accepting the client connection and executing simple commands. Once the connection is made, the channel remains open but idle until the file transfer is complete. It then reports if the transfer failed or was successful. 

Command channel commands include:

  • USER and PASS, which authenticate the FTP user.
  • QUIT, which disconnects the channel.

The Command channel can also forcibly close due to inactivity or other reasons. 

The commands that drive the Data channel include LIST, STOR, and RETR — requesting a directory listing, an upload, or a download between the client and server. The Data channel becomes active only after the client has authenticated. For each transfer the client and server agree on a fresh port (in passive mode the server announces it; in active mode the client does), and the data channel closes once the exchange is complete.

If you transfer several files concurrently, the server needs a whole range of data channel ports, and both channels are unencrypted by default. Anyone able to observe the traffic could potentially read any file you transfer using FTP.

Features of FTP

FTP runs over TCP/IP and uses TCP port 21 to establish the connection. It follows a client-server architecture and can be secured with SSL/TLS (see FTPS below). FTP provides reliable file sharing between remote machines and efficient data transfer.

The data channel uses on-demand temporary ports either passively on the server or actively on the client. Data exchange is via server directory listings and file transfers.

For a server-side firewall, allow inbound connections on port 21, define a passive port range for file transfers and directory listings — for example, 2000–2500 — and allow inbound connections on that range as well. Your server documentation should tell you how to set the passive port range.

For a client-side firewall, allow outbound connections to port 21 and to the passive port range defined by the server you connect to.

Advantages of FTP

It’s been around forever, and everyone is familiar with it. There are plenty of tools for working with FTP. You don’t need a user ID or password if the server doesn’t require them. Commands and data travel over two separate channels.

FTP is best for:

  • Uploading and downloading extremely large files and backing up large amounts of data. There is no size limit on single transfers.
  • Everyone, because it’s user-friendly and very fast.
  • Common use by web developers and businesses. The directory listing is uniform and machine-readable.
  • Poor internet connections. If you lose the connection during a file transfer, it’s easy to resume once you reconnect.
  • Scripted, scheduled jobs. You can write scripts to automate your file transfers and easily schedule them.

Most FTP clients allow you to synchronize your files so they are always up to date regardless of location. FTP also supports file ownership and access restrictions and lets you transfer multiple files and directories at once.

Downsides of FTP

The primary drawback is the lack of security. It’s too easy for hackers to access usernames, passwords, and files that are all sent in plain text.

Other problems you might run into:

  • It’s challenging to script jobs using FTP, and regulatory compliance is problematic.
  • You need to keep a block of ports open to create a data channel, but many businesses limit the number of server ports that are publicly accessible. FTP is harder to use in these instances.
  • FTP doesn’t allow a server-to-server copy or recursive directory removal.
  • Servers can be spoofed into sending data to random ports on an unauthorized computer.
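The firewall rule for the passive port range and the last downside above (a reply steering the data channel to some other host) can both be checked by the client before it opens the data connection. The following is an added Go example, not code from the original article or from WatchTowerHQ: it parses the server's 227 reply, decodes the announced port, and assumes a configured passive range of 2000–2500 and constructed TEST-NET sample addresses.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strconv"
)

// pasvRe matches the address tuple in a 227 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
var pasvRe = regexp.MustCompile(`\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)`)

// ParsePasv returns the host and port the server announced; the port travels as two bytes, p1*256+p2.
func ParsePasv(reply string) (net.IP, int, error) {
	m := pasvRe.FindStringSubmatch(reply)
	if m == nil {
		return nil, 0, fmt.Errorf("no passive-mode tuple in %q", reply)
	}
	var f [6]int
	for i := range f {
		v, err := strconv.Atoi(m[i+1])
		if err != nil || v > 255 {
			return nil, 0, fmt.Errorf("field %d out of range in %q", i+1, reply)
		}
		f[i] = v
	}
	return net.IPv4(byte(f[0]), byte(f[1]), byte(f[2]), byte(f[3])), f[4]*256 + f[5], nil
}

// CheckPasv accepts the data connection only if the announced port lies inside the passive range
// opened on the firewall and the announced host is the server already on the command channel.
func CheckPasv(reply string, controlPeer net.IP, lo, hi int) (int, error) {
	ip, port, err := ParsePasv(reply)
	if err != nil {
		return 0, err
	}
	if !ip.Equal(controlPeer) {
		return 0, fmt.Errorf("data channel redirected to %s, command peer is %s", ip, controlPeer)
	}
	if port < lo || port > hi {
		return 0, fmt.Errorf("port %d outside passive range %d-%d", port, lo, hi)
	}
	return port, nil
}

func main() {
	peer := net.ParseIP("203.0.113.10") // constructed sample addresses from TEST-NET-3
	fmt.Println(CheckPasv("227 Entering Passive Mode (203,0,113,10,7,208)", peer, 2000, 2500)) // port 2000, accepted
	fmt.Println(CheckPasv("227 Entering Passive Mode (198,51,100,7,8,0)", peer, 2000, 2500))   // other host, refused
}
```

The same decoding applies to the PORT command in active mode, where it is the server that should verify the client announced its own address.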

What Is SFTP?

To understand FTP vs SFTP, you’ll need to understand both. We’ve covered FTP above, so let’s focus on SFTP now.

Known as either Secure or SSH File Transfer Protocol, SFTP offers the same functionality as FTP but runs inside a Secure Shell (SSH) session rather than as a standalone protocol with its own connections. SFTP also uses a single channel for both commands and data.

SSH is a cryptographic protocol that provides secure access to your server over unsecured networks. The information is communicated in packets: data is divided into small packets before it is sent across the network.

Before sharing information between two machines, SFTP verifies the identity of the client. Once a secure connection is established, SFTP sends data encrypted with the negotiated cipher. The client authenticates with either a username and password or an SSH cryptographic key.

Features of SFTP

SFTP provides secure access to shell accounts on your remote server. The protocol runs on TCP port 22, and both authentication credentials and data are encrypted and sent along a single channel.

SFTP allows you to use usernames paired with passwords for security. You can also choose to use SSH to provide public key authentication. 

Public key authentication uses a computer-generated, cryptographically secure key in place of a password. Because the key is generated by a computer, it is much longer than a typical password and, consequently, much more difficult for an attacker to guess. In fact, public key authentication is your best defense against brute-force attacks.

The key is generated as a public-private key pair on your computer. You link the public key to your account on the SFTP server. When you connect, your client produces a signature with the private key, which the server checks against the stored public key. If the signature verifies, the system authenticates the connection.
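The signature exchange described above, as an added Go example (not code from the original article or from any SFTP implementation): the client signs a message tied to the session identifier with its private key, and the server accepts only if the offered key is linked to the account and the signature verifies under it. The message layout, the account name alice and the freshly generated key pair are assumptions for the demo.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// authRequest is what the client signs in the SSH "publickey" method: the session id from key
// exchange (ties the signature to this connection), the username and the offered public key.
func authRequest(sessionID []byte, user string, pub ed25519.PublicKey) []byte {
	var b bytes.Buffer
	b.Write(sessionID)
	b.WriteString("\x00publickey\x00" + user + "\x00") // simplified stand-in for the RFC 4252 layout
	b.Write(pub)
	return b.Bytes()
}

// ClientSign runs on the client; the private key never leaves it.
func ClientSign(priv ed25519.PrivateKey, sessionID []byte, user string) []byte {
	return ed25519.Sign(priv, authRequest(sessionID, user, priv.Public().(ed25519.PublicKey)))
}

// ServerVerify runs on the server: the offered key must be linked to the account and the signature must verify under it.
func ServerVerify(authorized map[string][]ed25519.PublicKey, user string,
	offered ed25519.PublicKey, sessionID, sig []byte) error {
	trusted := false
	for _, k := range authorized[user] {
		trusted = trusted || k.Equal(offered)
	}
	if !trusted {
		return fmt.Errorf("public key is not linked to account %q", user)
	}
	if !ed25519.Verify(offered, authRequest(sessionID, user, offered), sig) {
		return fmt.Errorf("signature for %q does not verify under the stored public key", user)
	}
	return nil
}

// Login walks one authentication exchange with a freshly generated (constructed) key pair.
func Login(user string) error {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	session := make([]byte, 32) // stands in for the session id derived during key exchange
	rand.Read(session)
	sig := ClientSign(priv, session, user)
	return ServerVerify(map[string][]ed25519.PublicKey{user: {pub}}, user, pub, session, sig)
}

func main() { fmt.Println("login result:", Login("alice")) }
```

Because the session id is part of the signed message, a signature captured from one connection does not verify on another, which is what makes the key usable over an untrusted network.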

If you need the highest level of security, you can require both a user ID and password and public key authentication.

Advantages of SFTP

SFTP supports the full security and authentication functionality of the SSH protocol, including SSH keys. It can be used to transmit sensitive data that requires encryption. SFTP is encrypted by default. There is no non-secure version of SFTP.

Other things to remember:

  • SFTP is popular for UNIX/LINUX use. 
  • It delivers detailed metadata with the files, such as date, time, file size, and other characteristics, which is helpful for analysis and logging.
  • TCP port 22 is not open for shared hosting, so only the server owner uses SFTP.
  • Since it uses a single connection for commands and data, no other server ports need to be open for file exchange to occur. That makes SFTP both more secure and more firewall-friendly.

If you have other TCP/IP services to reach, the SSH connection that carries SFTP lets you forward their ports through the encrypted channel in both directions.

Downsides of SFTP

You might have difficulty managing SSH keys. The private key must be stored on the device from which you transfer files. It must be protected from theft or loss. 

SSH keys take more work for admins to set up for employees. And while everyone is familiar with usernames and passwords, fewer people understand how SSH keys work, so implementing SFTP requires some user education.

Communication is binary and can’t be logged as readable text. Also, the standards define some items as optional or recommended, which can lead to compatibility issues between software from different vendors.

FTPS: An Alternative to FTP & SFTP

If your FTP client doesn’t support SFTP, you can use FTPS.

The latter is the FTP protocol run over Secure Sockets Layer (SSL) for increased security. FTPS encrypts both the command and data channels and authenticates the connection with a user ID and password or a certificate. However, it still requires a block of ports to remain open while the data channel is in use, and some company firewalls disallow this.

FTPS has two modes, implicit SSL and explicit SSL. Implicit SSL means SSL is definitely in use, and any connection attempt without SSL will fail. In explicit SSL mode, the client and server negotiate the level of security used; in this mode a server can support both unencrypted FTP and encrypted FTPS sessions on a single port.

FTPS is not the same as SFTP.

FTP vs SFTP — Which Is Better?

What is the difference between FTP and SFTP? When it comes to FTP vs SFTP, the primary difference is security.

Overall, when weighing FTP vs SFTP, SFTP is generally the winner. SFTP provides secure file transfer over unsecured networks without the need for a security protocol overlay. The connection is always protected, and the data is encrypted by default.

Hackers and other malicious actors find it extremely difficult, if not impossible, to intercept data such as your wp-config.php file — which, if captured, could let them take over your website for their own nefarious purposes.

With FTP, you must authenticate with a username and password when you initially connect, and any data you pass between the web server and FTP client is not encrypted. If you transmit sensitive data or files of private information such as database credentials or other critical settings, you open your organization up to hackers.

Some regulatory standards, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS), require SFTP or equivalent protection for the data they cover.

SFTP is the most secure way to transfer electronic files, and it can be used as a default protocol to ensure your employees comply with company security requirements. Also, SFTP makes the connection secure even if your employees create easy-to-guess passwords like PASSWORD. Email uses SFTP to maintain security and privacy. 

Conclusion

Let’s recap FTP vs SFTP.

FTP is easier to set up and is useful for quickly and efficiently transferring files, even huge ones, that don’t require such security measures. FTP works well when you exchange files without asking for a user ID or password.

SFTP, which is popular with UNIX/LINUX users, offers secure, encrypted file transfer that protects your organization from bad actors.

When you must transfer or receive sensitive data, use SFTP. It supports the SSH protocol including keys, encrypts data by default, and delivers valuable metadata along with the files. Even where users authenticate with a user ID and password, SFTP keeps the connection secure in the face of easily guessed passwords. Finally, it reduces the number of open ports to one, making it easier to work with businesses that typically constrain open ports.

SFTP might take more resources and effort to set up, but that won’t compare to the expense of a data breach that costs millions of dollars.
