FTP is the historically standard protocol for copying files from one computer to another over a network connection (today that means TCP/IP, so any host on the Internet, though that wasn't always the case). Many people, including many developers, learned to use an FTP client on Windows to connect to a server and upload and download files.

Stop using FTP!

FTP is not secure for the same reason that HTTP is not secure, which is why there's a movement (Let's Encrypt) to move every website to TLS, i.e. HTTPS instead of HTTP. HTTP and FTP are not safe because they are not encrypted. This means it's trivial for hackers to see what you're doing, including seeing your passwords. For websites, this means snoopers could steal your cookies and log in to websites as you. It also means spies could passively monitor your web browsing history to find sensitive information and steal a competitive advantage.

When hackers intercept your unencrypted FTP traffic they will see your login and password. For some of your accounts on websites this may not be so critical, but on FTP servers it can often lead to hackers compromising websites. Once a hacker has the information to FTP to your server as you, and you have access to modify website code, then she can change code on your webserver, telling it to do anything, including stealing the credentials of anything the website has access to, such as databases. Now you're completely owned.
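To see what "unencrypted" means on the wire, here is an added example (not part of the original post) that audits a capture of FTP control-channel lines and reports which sessions sent a real account's password in the clear. The transcript format, session names and account names are constructed for illustration; the session that issues AUTH TLS (explicit FTPS) shows no readable login afterwards.

```shell
#!/bin/sh
# Added example: flag FTP logins whose password crossed the network unencrypted.
# Input format (constructed for this example): "<session> <C|S> <control line>",
# C = client to server, S = server to client, as seen on TCP port 21.

sample_capture() {
cat <<'EOF'
s1 S 220 FTP server ready
s1 C USER webadmin
s1 S 331 Password required
s1 C PASS example-secret
s1 S 230 Login successful
s2 S 220 FTP server ready
s2 C AUTH TLS
s2 S 234 Proceed with negotiation
s3 S 220 FTP server ready
s3 C user anonymous
s3 S 331 Send e-mail address as password
s3 C pass guest@example.com
s3 S 230 Login successful
EOF
}

# Prints "<session> <user>" for each real account whose PASS command is
# readable in the capture. The password itself is never printed.
find_cleartext_ftp_logins() {
    awk '
    $2 != "C" { next }                       # only client commands matter
    { cmd = toupper($3) }                    # FTP commands are case-insensitive
    cmd == "USER" { user[$1] = $4; next }
    cmd == "PASS" {
        u = ($1 in user) ? user[$1] : "unknown"
        # Anonymous FTP sends no real credential, so skip it.
        if (tolower(u) == "anonymous" || tolower(u) == "ftp") next
        print $1, u
    }'
}

sample_capture | find_cleartext_ftp_logins
```

Any account this reports should have its password changed and its transfers moved to scp or sftp.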

SCP to the rescue

Scp is a program for "securely copying" files between hosts, which is the basic reason for using FTP. When using an FTP client, you connect, log in, get directory listings, navigate a directory structure, upload/download files, etc. SCP is just a way to copy a file between your local machine and a remote machine. Scp is modeled after the outdated "rcp" program (remote copy). Using scp requires you to know the local path, the remote path and the remote filename up front, since you can't find them with "cd" and "ls". Scp is secure because it only works on top of "ssh", a protocol for securely connecting to a remote machine. Connecting with ssh places the user in a shell (similar to the old "rsh" (remote shell) program), where the user can list files and change her path to other directories, just like in an ftp program. Scp itself isn't the command for navigating a directory tree.

What is the difference between SCP and SFTP?

SCP is the secure counterpart to RCP. Scp is what you should use. But there is also something called SFTP, which is a secure counterpart to FTP.

SFTP actually is a sibling of SCP. Both rely on SSH as the underlying secure channel. The SFTP protocol is similar to the FTP protocol when it comes to supporting commands to change directories, list files, as well as create new files or directories and even create symlinks. But again, you can do all those things in a shell after connecting with ssh, which is a prerequisite to using either scp or sftp.

So the difference between SCP and SFTP is that SFTP is a protocol with commands for exploring the remote server's directory structure, seeing file sizes and dates, etc. SCP only provides file transferring.

But if your file transfer client supports SFTP or SCP it will likely support both (the client just needs to support connecting by ssh, the rest is easy).

What about FTPS?

FTPS is not SFTP. FTPS is actually more accurately the HTTPS analog (i.e. it should be FTP:FTPS :: HTTP:HTTPS). The 'S' in both protocols means the connection will happen over TLS, an encrypted connection. Your SFTP/SCP client may have additional support for FTPS but not necessarily. So stick with SCP and SFTP, and stop using FTP (and thus you won't need an ftp server at all for supporting ftps).

Scp, sftp, and ftps on Mac OS X

On Mac OS X, like BSD or Linux, we have some modern tools and don't have to use rcp/rsh anymore. Ssh is built in, and fortunately this means scp is included for us. Remember, scp is the way to copy files over ssh, and OS X Terminal can run scp without installing anything. And sftp too! Both are commands which you can just type and run in Terminal without installing any new software. If you want to use public/private keys for password-less login then you'll have to set it up in ssh's config file first. Otherwise you can read the man pages for scp and sftp (man sftp) to see how they work. For sftp, you can log in to the server with sftp [email protected] and then use SFTP protocol commands once you're logged in (e.g. ls, cd, get, exit).
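One way to do the key setup mentioned above, as an added example that is not from the original post: a small function that adds a Host entry to ssh's config file so that scp and sftp pick up the right key. The alias web, the host server.example.com, the user deploy, the remote paths and the key file name are all placeholders.

```shell
#!/bin/sh
# Added example: key-based login for scp/sftp through an ssh config Host entry.
# Alias, host name, user and key path below are placeholders for illustration.

# add_ssh_host ALIAS HOSTNAME USER KEYFILE [CONFIG]
# Appends a Host block to the ssh config unless the alias is already defined.
add_ssh_host() {
    alias_name=$1; host=$2; user=$3; key=$4
    config=${5:-"$HOME/.ssh/config"}
    dir=$(dirname "$config")

    # Keep the directory and config private to your own account.
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$config" && chmod 600 "$config"

    # Idempotent: leave the file alone if the alias already exists.
    if grep -Eq "^[[:space:]]*Host[[:space:]]+$alias_name([[:space:]]|\$)" "$config"; then
        return 0
    fi

    cat >> "$config" <<EOF

Host $alias_name
    HostName $host
    User $user
    IdentityFile $key
    IdentitiesOnly yes
EOF
}

# Typical use (commented out because it touches your real ~/.ssh):
#   ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_web     # create the key pair
#   (append ~/.ssh/id_ed25519_web.pub to ~/.ssh/authorized_keys on the server)
#   add_ssh_host web server.example.com deploy ~/.ssh/id_ed25519_web
#   scp ./index.html web:/var/www/site/index.html      # upload one file
#   scp web:/var/www/site/index.html ./index.html      # download one file
#   sftp web                                           # then: ls, cd, get, exit
```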

OS X also supports ftps connections in Finder just like it allows you to connect to an ftp server. In Finder, go to the menu, Go -> Connect to Server. Type in your ftps server name with ftps:// before it and you should be prompted to connect. Once connected your Finder window will show files on the remote server which you can then drag and drop to local folders.

There are other apps for OS X that support scp/sftp, non-free apps. They are easier to use but none really satisfied me. There are also clients which run as extensions to a browser, like FireFTP for Firefox. This is free and runs not only on OS X but on any platform with Firefox.
