FTP vs SFTP: The Differences and Which One You Should Use
Most users don’t think twice about how they connect to the internet, although if you’re a site owner, you’ll likely use a File Transfer Protocol (FTP). It’s a typical and standard way to access your site’s server, although you’ll also see the mention of Secure File Transfer Protocol (SFTP) too. As such, FTP vs SFTP warrants further discussion.
The good news is that you can often select the protocol you want from within your dedicated client. FileZilla, Cyberduck, Transmit, and others all let you choose how you connect. You may even begin to use Secure Shell (SSH) too, which is closer to SFTP than FTP.
For this tutorial, we’re going to talk about FTP vs SFTP, and break down the differences of each. We’re also going to take a quick detour and talk about where SSH fits in too. Spoiler alert: You should use SFTP or SSH by default, but you’ll find out why throughout the post.
Table of contents
A Primer On Transfer Protocols
In a nutshell, a transfer protocol facilitates the connection and file transfer between two computers across the web. For example, the Hypertext Transfer Protocol (HTTP) is a core protocol for serving websites.
An every day scenario where you’ll use a transfer protocol is a file download. Your computer will connect to the distant server, establish that connection, and move the file across to your machine. A transfer protocol is the underlying code and technology that makes this happen.
These transfer protocols also ensure the success of the file transfer. However, as the web evolves, more of these protocols appear in order to match the needs of the modern web. While we’ll talk about FTP vs SFTP in this post, you’ll see various mentions of other protocols too.
FTP vs SFTP: Introducing Both Protocols
Given that FTP and SFTP facilitates data transfers, you’ll find a number of similarities between them. This can add to the confusion, because these similar pieces of functionality don’t tell the full story. For example:
- Both protocols let you use a dedicated client, such as FileZilla or Cyberduck, to connect to the server using a familiar interface.
- You’re able to connect to a server and browse the file directory.
- You can work with files without restriction. For example, you can download, upload, edit, and myriad other actions.
For an end-user, FTP vs SFTP is negligible, because the protocols work the same way at a core level. However, there are key and vital differences to understand. We’ll break this down next.
FTP is the elder statesperson of data transfer. It predates the internet, and is the first networking protocol that allows for standardized data transfers.
While we’ll get onto the differences between FTP vs SFTP in more depth later, the short versions is that FTP lacks security:
- The protocol uses two channels – the command and data channels – to pass information between the client and server. However, neither offer encryption from outside ‘eavesdropping.’
- As such, it uses a direct method between the client and server to transfer files using a Transmission Control Protocol/Internet Protocol (TCP/IP) service.
- FTP uses port 21 to connect to a server, which doesn’t offer any security provisions.
Once you get into the details of each protocol, you’ll find that the apparent similarities are just that. In fact, SFTP is a different type of protocol altogether. Let’s discuss this next.
It’s true that SFTP offers a similar experience and base feature set to FTP. However, that’s where the similarities end. You can also call SFTP “SSH File Transfer Protocol,” which should give you a clue as to how it differs.
The Internet Engineering Task Force (IETF) was responsible for developing SFTP around 2001, and based it on SSH. We’ll talk more about this shortly. However, you’ll note that both FTP and SFTP are like chalk and cheese when it comes to functionality:
- For starters, SFTP offers security and encryption as standard using the SSH architecture, rather than the client-server model.
- You’ll only use one channel with SFTP transfers, and SFTP will encrypt the data before sending.
- Rather than a direct transfer method, SFTP uses ‘tunneling.’ This obfuscates the connection between client and server, to provide better security.
- SFTP will use port 22 for transfers, which (in a nutshell) offers built-in security.
The short way to sum up what SFTP offers is “security.” However, it’s worth talking about SSH too, as this is central to SFTP (and other similar protocols).
How SSH Slots Into the Mix
SSH is a cryptographic protocol that provides encryption over an unsecured network. It’s a mid-90s tool that still stands up today because of its architecture. Its initial success came to the attention of the IETF, who provided standardization of the protocol, then developed SFTP on top of it.
However, between the advent of FTP and the release of SFTP, users still had a need for encrypted data online. As such, you’ll also find another protocol – File Transfer Protocol Secure (FTPS). Let’s clear up the confusion.
Don’t Confuse SFTP and FTPS
Mixed into the history of FTP and SFTP, we also have FTPS. You can also call this FTP-SSL, and it’s closer to FTP than other protocols.
In short, this uses a Transport Layer Security (TLS) or Secure Sockets Layer (SSL) connection to encrypt data. It offers the same kind of benefits as using SSL, such as the need for certification, and built-in support from many internet communication frameworks.
For most applications, you won’t want to use FTPS, because SFTP is just as straightforward to use and offers greater encryption.
How SFTP Differs (In More Depth)
There are three central ways that SFTP can provide a better experience (specifically relating to security) than other protocols, especially FTP.
- Encryption. As well as the security you get from encrypted data, you also need this to comply with general data privacy directives. For example, the Health Insurance Portability and Accountability Act (HIPAA) in the US could mean you need to use SFTP as standard.
- Vulnerabilities. FTP presents a few ways that data could fall into the wrong hands that SFTP minimizes. For example, human error, data interception, and the verification you get through using SSH host keys all contribute to a better ‘culture of security’ when you use SFTP.
- Firewall security. In some situations, you may find that firewalls block FTP transfers due to the number of connections you need to make. However, due to the one-channel approach of SFTP, you have a less complex configuration to get through your computer’s security.
However, although SFTP offers more security with fewer drawbacks, FTP still has its merits. In the next section, we’ll look at the positives and negatives of both in more detail.
FTP vs SFTP: The Pros and Cons
Because of its simplicity, FTP does represent a straightforward way to transfer files across the web. What’s more, because it’s more open with regards to encryption, you have a little more flexibility in how you transfer files:
- For example, you can suspend, resume, and schedule data transfers from within your client.
- You have no size limitations for larger files.
- You’re able to use scripting within an FTP client to boost efficiency.
However, we already know the disadvantages of using FTP, in that it’s not secure, compliance can be a sticking point, and these connections can play havoc with your firewall.
In contrast, SFTP offers a good array of benefits too:
- You’re also able to transfer larger files, and in some cases, you may prefer using SFTP to other types of file transfer system.
- Everything you do within an SFTP-based setup is secure and encrypted. Of course, plain text such as passwords or file data also has encryption through SFTP.
- You have the option to communicate with clients and other SFTP servers, for greater accessibility.
- In general, you have lower risks with SFTP because you are ‘locking up’ the data.
Even so, SFTP does have some negatives. For example, SSH keys are difficult to maintain, especially for new users. It’s a double-edged sword because you can inadvertently keep a user out of the system, at the same time you do so with malicious ones.
Whether You Should Use FTP vs SFTP to Connect to Your Site
The quick answer is that you should almost always use SFTP to connect to your site’s server. This is because its level and implementation of security and encryption is a base standard for modern web usage.
In contrast, FTP is not secure. Its design doesn’t take any type of security into account, because at the time it arrived, there was no need for it. You can make a kind of analogy with WordPress here.
Of course, the platform is secure without question. However, FTP vs SFTP is akin to a vanilla WordPress installation. Whereas themes and plugins boost the functionality of the platform, SFTP takes the good parts of FTP, and re-imagines it to provide a robust way to transfer files across the web.
On the whole, FTP vs SFTP is a comparison of two different protocols, albeit with similar names and top-level features.
Transfer protocols standardize the way we connect to the internet in lots of situations. However, the technology evolves much like any other. Because of this, we have a few different protocols to use, and not all of them offer top notch security.
The key difference between FTP vs SFTP is in the name. The latter is more secure, and is the one we recommend as default. If you currently use FTP only (and you can check this within FileZilla, Cyberduck, or your chosen client), you’ll want to make a switch and encrypt your data.
Do you have any questions about FTP vs SFTP? If so, let us know in the comments section below!