What type of transfer would be more secure: FTP over SSL or SCP?
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
Like HTTP, SMTP and other common Internet protocols, FTP was created before the introduction of SSL (Secure Sockets Layer), making FTP inherently insecure. Because File Transfer Protocol prevents data encryption during transit, usernames, passwords, FTP commands and transmitted files can all be captured using a packet sniffer. To overcome this problem, many people started using FTP over SSH (Secure Shell|), which employs SSH's port-forwarding capabilities to dispatch standard FTP transactions over an encrypted tunnel. With this method, the actual file transfer process is handled by the FTP server. However, because FTP uses multiple TCP connections, it is difficult to ensure that all FTP channels run over an SSH connection. And, while FTP over SSH is often referred to as secure FTP, this is misleading; there are other methods of securing FTP, including FTP over SSL (FTPS), Secure Copy (SCP), and SSH File Transfer Protocol (SFTP). Let's look at the pros and cons of each in turn.
FTPS is just an extension of FTP, and therefore is supported by most servers. Since it uses the same ports as FTP, too, there is no need to open any additional ports in your firewall. FTPS uses an SSL/TLS layer below the standard FTP protocol to encrypt control and/or data channels. While FTPS can be employed in a variety of ways, the most preferred method is called Explicit FTPS, which uses TLS security. When operating in Explicit FTPS mode, the FTP client connects to the server's port 21 and starts an unencrypted FTP session as it normally would. The client then requests TLS security and performs the appropriate handshake before sending any sensitive data. Data can be encrypted in the command channel, the data channel, or ideally, both.
Secure Copy, or SCP, does not use FTP or SSL to transfer files, rather Secure Copy handles the file transfer and relies on the SSH protocol to provide authentication and security for both credentials and data. Unfortunately, SCP doesn't have file management capabilities -- certainly a cause of concern. When an SCP client sends a request to download files or directories, the server feeds the client with its subdirectories and files, causing a server-driven download. This makes the protocol a security risk if the server is malicious or has been compromised. You will find that SCP is being replaced by the more comprehensive and platform-independent SFTP protocol, which is also based on SSH.
Unlike SCP, which basically tunnels RCP (remote copy) over SSH, SFTP is a new protocol that uses SSH to provide a secure service, allowing the server to encrypt the data and handle the file transfer. SFTP includes many file management capabilities such as deletion, renaming, interrupted transfer resumption and directory listings. This means, though, that it is very important to set the correct permissions on your SFTP server to ensure least-privilege access.
One big difference between SSH and SSL is that SSH, much like PGP, uses keys. SSL requires the use of digital certificates. This makes SSH less centralized than SSL. SFTP clients must install keys on the SFTP server, while FTPS's use of certificates establishes trust without having to directly exchange security information. FTPS, too, is easier to configure and doesn't require any changes to your firewall. On this basis alone, I prefer FTPS over SCP. However, your final choice for a secure file transfer client will also need to take into account the types of systems you need to connect to and whether file management capabilities are necessary.
Dig Deeper on SSL and TLS VPN Security
Related Q&A from Michael Cobb
Google has added Linux kernel memory protection and other security measures to the Android OS. Expert Michael Cobb explains how these features work ...continue reading
The HummingBad malware has infected 10 million mobile devices worldwide. Expert Michael Cobb explains how this exploit enables click fraud and other ...continue reading
A full account access OAuth token was mistakenly issued to the Pokémon GO mobile game by Google. Expert Michael Cobb explains the security risks and ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.