Which Internet protocol is more secure: FTPS or SCP?

BROWSE BY TAG Application Security,   SSL and TLS VPN Security,   Secure VPN Setup and Configuration,   Enterprise Network Security,   VIEW ALL TAGS

RELATED CONTENT Application Security How to secure a .pdf file How do hackers bypass a code signing procedure to inject malware Do Facebook URL security concerns justify blocking social networks? How to prevent ActiveX security risks Should security tests be part of a software quality assurance program? What are Google Chrome's security features? Is there a way to block iPhone widgets that bypass Web filters? Should enterprises be concerned with Twitter in the workplace? Are there still Google Desktop security problems? Can an IP spoofing tool be used to spam SPF servers? SSL and TLS VPN Security US CERT warns of clientless SSL VPN vulnerability Expert calls SSL protocol vulnerability a non issue How SSL-encrypted Web connections are intercepted Best Remote Access Products How to set up a split-tunnel VPN in Windows Vista Securing the intranet with remote access VPN security A short enterprise VPN deployment guide Creating an SSL connection between servers Can S/MIME, XML and IPsec operate in one protocol layer? Can secure USB devices prevent man-in-the middle attacks

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Secure Shell  (SearchSecurity.com) Secure Sockets Layer  (SearchSecurity.com) server accelerator card  (SearchSecurity.com) SSL VPN  (SearchSecurity.com) Transport Layer Security  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

EXPERT RESPONSE FROM: Michael Cobb, featured expert Pose a Question Other Security Categories Meet all Security Experts Become an Expert for this site

ANSWERED October 2006:
Like HTTP, SMTP and other common Internet protocols, FTP was created before the introduction of SSL (Secure Sockets Layer), making FTP inherently insecure. Because File Transfer Protocol prevents data encryption during transit, usernames, passwords, FTP commands and transmitted files can all be captured using a packet sniffer. To overcome this problem, many people started using FTP over SSH (Secure Shell|), which employs SSH's port-forwarding capabilities to dispatch standard FTP transactions over an encrypted tunnel. With this method, the actual file transfer process is handled by the FTP server. However, because FTP uses multiple TCP connections, it is difficult to ensure that all FTP channels run over an SSH connection. And, while FTP over SSH is often referred to as secure FTP, this is misleading; there are other methods of securing FTP, including FTP over SSL (FTPS), Secure Copy (SCP), and SSH File Transfer Protocol (SFTP). Let's look at the pros and cons of each in turn.

FTPS:
FTPS is just an extension of FTP, and therefore is supported by most servers. Since it uses the same ports as FTP, too, there is no need to open any additional ports in your firewall. FTPS uses an SSL/TLS layer below the standard FTP protocol to encrypt control and/or data channels. While FTPS can be employed in a variety of ways, the most preferred method is called Explicit FTPS, which uses TLS security. When operating in Explicit FTPS mode, the FTP client connects to the server's port 21 and starts an unencrypted FTP session as it normally would. The client then requests TLS security and performs the appropriate handshake before sending any sensitive data. Data can be encrypted in the command channel, the data channel, or ideally, both.

SCP:
Secure Copy, or SCP, does not use FTP or SSL to transfer files, rather Secure Copy handles the file transfer and relies on the SSH protocol to provide authentication and security for both credentials and data. Unfortunately, SCP doesn't have file management capabilities -- certainly a cause of concern. When an SCP client sends a request to download files or directories, the server feeds the client with its subdirectories and files, causing a server-driven download. This makes the protocol a security risk if the server is malicious or has been compromised. You will find that SCP is being replaced by the more comprehensive and platform-independent SFTP protocol, which is also based on SSH.

SFTP:
Unlike SCP, which basically tunnels RCP (remote copy) over SSH, SFTP is a new protocol that uses SSH to provide a secure service, allowing the server to encrypt the data and handle the file transfer. SFTP includes many file management capabilities such as deletion, renaming, interrupted transfer resumption and directory listings. This means, though, that it is very important to set the correct permissions on your SFTP server to ensure least-privilege access.

One big difference between SSH and SSL is that SSH, much like PGP, uses keys. SSL requires the use of digital certificates. This makes SSH less centralized than SSL. SFTP clients must install keys on the SFTP server, while FTPS's use of certificates establishes trust without having to directly exchange security information. FTPS, too, is easier to configure and doesn't require any changes to your firewall. On this basis alone, I prefer FTPS over SCP. However, your final choice for a secure file transfer client will also need to take into account the types of systems you need to connect to and whether file management capabilities are necessary.

More information::