What type of transfer would be more secure: FTP over SSL or SCP?
Like HTTP, SMTP and other common Internet protocols, FTP was created before the introduction of SSL (Secure Sockets Layer), making FTP inherently insecure. Because File Transfer Protocol prevents data encryption during transit, usernames, passwords, FTP commands and transmitted files can all be captured using a packet sniffer. To overcome this problem, many people started using FTP over SSH (Secure Shell|), which employs SSH's port-forwarding capabilities to dispatch standard FTP transactions over an encrypted tunnel. With this method, the actual file transfer process is handled by the FTP server. However, because FTP uses multiple TCP connections, it is difficult to ensure that all FTP channels run over an SSH connection. And, while FTP over SSH is often referred to as secure FTP, this is misleading; there are other methods of securing FTP, including FTP over SSL (FTPS), Secure Copy (SCP), and SSH File Transfer Protocol (SFTP). Let's look at the pros and cons of each in turn.
FTPS is just an extension of FTP, and therefore is supported by most servers. Since it uses the same ports as FTP, too, there is no need to open any additional ports in your firewall. FTPS uses an SSL/TLS layer below the standard FTP protocol to encrypt control and/or data channels. While FTPS can be employed in a variety of ways, the most preferred method is called Explicit FTPS, which uses TLS security. When operating in Explicit FTPS mode, the FTP client connects to the server's port 21 and starts an unencrypted FTP session as it normally would. The client then requests TLS security and performs the appropriate handshake before sending any sensitive data. Data can be encrypted in the command channel, the data channel, or ideally, both.
Secure Copy, or SCP, does not use FTP or SSL to transfer files, rather Secure Copy handles the file transfer and relies on the SSH protocol to provide authentication and security for both credentials and data. Unfortunately, SCP doesn't have file management capabilities -- certainly a cause of concern. When an SCP client sends a request to download files or directories, the server feeds the client with its subdirectories and files, causing a server-driven download. This makes the protocol a security risk if the server is malicious or has been compromised. You will find that SCP is being replaced by the more comprehensive and platform-independent SFTP protocol, which is also based on SSH.
Unlike SCP, which basically tunnels RCP (remote copy) over SSH, SFTP is a new protocol that uses SSH to provide a secure service, allowing the server to encrypt the data and handle the file transfer. SFTP includes many file management capabilities such as deletion, renaming, interrupted transfer resumption and directory listings. This means, though, that it is very important to set the correct permissions on your SFTP server to ensure least-privilege access.
One big difference between SSH and SSL is that SSH, much like PGP, uses keys. SSL requires the use of digital certificates. This makes SSH less centralized than SSL. SFTP clients must install keys on the SFTP server, while FTPS's use of certificates establishes trust without having to directly exchange security information. FTPS, too, is easier to configure and doesn't require any changes to your firewall. On this basis alone, I prefer FTPS over SCP. However, your final choice for a secure file transfer client will also need to take into account the types of systems you need to connect to and whether file management capabilities are necessary.
Dig Deeper on SSL and TLS VPN Security
Related Q&A from Michael Cobb
Is cookie encryption enough to protect sensitive information? Expert Michael Cobb explains how salted hashes can prevent attacks, and the secure way ...continue reading
A vulnerability was found in the Blackphone's Icera modem. Expert Michael Cobb explains how attackers could hijack the device, and if this would ...continue reading
Oracle is killing off the Java browser plug-in due to security risks. Expert Michael Cobb explains the next steps for enterprises with Java-based ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.