What is the difference between ftp encryption types SSL, TLS, SFTP and SSH ? - Security


Thread: What is the difference between ftp encryption types SSL, TLS, SFTP and SSH ?

  1. What is the difference between ftp encryption types SSL, TLS, SFTP and SSH ?

    I have seen a couple of different encryption types for ftp connections:

    TLS
    SSL
    SFTP
    SSH

    Ok, provided an ftp server offers all these types: which type should I choose
    to set up the ftp server or to select from the ftp client's view?

    Is the security for all these types similar and the difference refers only to different protocols?

    What are the pros and cons ?

    Marcus


  2. Re: What is the difference between ftp encryption types SSL, TLS, SFTP and SSH ?

    "Marcus Mender" wrote in message
    news:4585316a$0$27617$9b4e6d93@newsspool2.arcor-online.net...
    >I have seen a couple of different encryption types for ftp connections:
    >
    > TLS
    > SSL


    TLS and SSL are two versions of the same protocol (SSL comes in versions 2.0
    and 3.0, TLS comes in versions 1.0 and 1.1 - TLS 1.0 is SSL 3.1).

    FTP has been extended by a standard that describes the operation of FTP over
    SSL and TLS. This extension is commonly known as FTPS. It's a relatively
    obvious means of adding security to FTP.

    > SFTP
    > SSH


    These are nothing to do with FTP.

    SSH stands for "Secure SHell" - as such, it establishes a secured connection
    for a logon shell. Unless your FTP users are significantly trusted, you
    don't want them running commands on your system, so you won't want them
    connecting to SSH. Same for SFTP, which is simply a file transfer mechanism
    added on top of SSH (i.e. you need SSH in order to implement SFTP - so SFTP
    users are SSH users and can log on and issue commands)

    > Ok, provided an ftp server offers all these types: which type should I
    > choose to set up the ftp server or to select from the ftp client's view?
    >
    > Is the security for all these types similar and the difference refers only
    > to different protocols?


    The encryption and authentication schemes will be similar - the security is
    not, because FTPS (FTP over TLS and SSL) allows only for usual FTP
    activities (generally, this is file transfer), whereas SFTP and SSH allow
    for the user to execute commands that will run on the server.

    > What are the pros and cons ?


    FTPS allows transfer of files; SFTP / SSH allow transfer of files and
    execution of commands through a protocol whose primary designed purpose is
    to execute commands on the server.

    If you're looking to allow your users to execute commands, go with SSH /
    SFTP; if you only want them to be able to transfer files, choose the
    protocol (FTPS) that is designed to allow just that.

    Alun.
    ~~~~



  3. Re: What is the difference between ftp encryption types SSL, TLS, SFTP and SSH ?

    >>>>> "AJ" == Alun Jones writes:

    AJ> SSH stands for "Secure SHell" - as such, it establishes a secured
    AJ> connection for a logon shell. Unless your FTP users are
    AJ> significantly trusted, you don't want them running commands on
    AJ> your system, so you won't want them connecting to SSH. Same for
    AJ> SFTP, which is simply a file transfer mechanism added on top of
    AJ> SSH (i.e. you need SSH in order to implement SFTP - so SFTP users
    AJ> are SSH users and can log on and issue commands)

    This is not necessarily true. sftp uses an SSH subsystem to start the
    sftp server. Some SSH servers allow you to specify that certain users may
    only initiate subsystems and not exec or shell channels. Even in those
    that don't, you can make the account shell something which will only run
    sftp-server.

    --
    Richard Silverman
    res@qoxp.net
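
Added example, not part of the post above or of any project's code: a short Python audit of the subsystem-only restriction described in post 3. It assumes an OpenSSH-style sshd_config (the `Match`, `ForceCommand internal-sftp` and `AllowTcpForwarding` directives); the config text, group and user names are constructed, and Match criteria are compared as literal strings.

```python
# Added example (not from the thread): audit an OpenSSH-style sshd_config for
# accounts that are meant to be SFTP-only. Config text and names are constructed.
SAMPLE_CONFIG = """\
Subsystem sftp internal-sftp

# Confined: only the sftp subsystem is reachable
Match Group uploaders
    ForceCommand internal-sftp
    ChrootDirectory /srv/sftp/%u
    AllowTcpForwarding no
    X11Forwarding no

# Intended to be transfer-only, but nothing enforces it
Match User partner
    ChrootDirectory /srv/sftp/partner
"""


def parse_blocks(text):
    """Return {criteria: {keyword: value}}; the global section is stored under ""."""
    blocks = {"": {}}
    current = blocks[""]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()  # sshd keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current = blocks.setdefault(value, {})
        else:
            current.setdefault(keyword, value)  # first value seen wins
    return blocks


def audit_sftp_only(text, criteria):
    """List reasons the accounts selected by `criteria` are not confined to SFTP."""
    blocks = parse_blocks(text)
    # Keywords in a Match block override the global section.
    effective = {**blocks[""], **blocks.get(criteria, {})}
    problems = []
    if not effective.get("forcecommand", "").startswith("internal-sftp"):
        problems.append("no ForceCommand internal-sftp: shell and exec requests are still honoured")
    if effective.get("allowtcpforwarding", "yes").lower() != "no":
        problems.append("AllowTcpForwarding is not 'no': port forwarding is still available")
    return problems


if __name__ == "__main__":
    for who in ("Group uploaders", "User partner"):
        print(who, "->", audit_sftp_only(SAMPLE_CONFIG, who) or "confined to SFTP")
```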


  4. Re: What is the difference between ftp encryption types SSL, TLS, SFTP and SSH ?

    "Richard E. Silverman" wrote in message
    news:m2zm9iq7dy.fsf@darwin.oankali.net...
    >>>>>> "AJ" == Alun Jones writes:

    >
    > AJ> SSH stands for "Secure SHell" - as such, it establishes a secured
    > AJ> connection for a logon shell. Unless your FTP users are
    > AJ> significantly trusted, you don't want them running commands on
    > AJ> your system, so you won't want them connecting to SSH. Same for
    > AJ> SFTP, which is simply a file transfer mechanism added on top of
    > AJ> SSH (i.e. you need SSH in order to implement SFTP - so SFTP users
    > AJ> are SSH users and can log on and issue commands)
    >
    > This is not necessarily true. sftp uses an SSH subsystem to start the
    > sftp server. Some SSH servers allow you to specify that certain users may
    > only initiate subsystems and not exec or shell channels. Even in those
    > that don't, you can make the account shell something which will only run
    > sftp-server.


    Thanks for the correction.

    I'm still inclined to suggest that if you don't want to provide shell
    access, it's more secure to rely on software that doesn't have shell access
    as a feature, than to rely on one that can be configured not to provide it.

    Alun.
    ~~~~



  5. Re: What is the difference between ftp encryption types SSL, TLS, SFTP and SSH ?

    Oh well, sent that message three times to comp.ssh.security, without
    noticing it. And I was wondering all the time, why it won't show up
    here. Sorry. =)


    mmmm@buzz.com (Marcus Mender) (06-12-17 12:00:42):

    > I have seen a couple of different encryption types for ftp
    > connections:
    >
    > TLS
    > SSL
    > SFTP
    > SSH
    >
    > Ok, provided an ftp server offers all these types: which type should I
    > choose to set up the ftp server or to select from the ftp client's view?


    From the client's view, certainly TLS and SSL are more convenient, but
    for home user purposes, they probably are overkill. At the moment, SSL
    and TLS are essentially the same. TLS (v1) is just a container
    protocol, which currently encapsulates SSLv3. It might contain newer,
    more secure protocols in the future, so TLS is preferable over SSL.

    To make those two protocols as secure as possible, you need to deal with
    certificates. Server-side certificates are only half of the story.
    They only authenticate the server. So if you want to authenticate the
    client cryptographically, you will need client certificates. Not all
    client programs support that, and there are even some server programs
    which don't.

    However, if you already have an SSH server with key-based authentication
    running, and you have got a client that supports SFTP (which is FTP over
    an SSH tunnel), then you're already set. You can continue to use your
    normal SSH keys for FTP authentication, which is of course preferable in
    this case.


    > Is the security for all these types similar and the difference refers
    > only to different protocols?


    From the cryptological perspective, yes. There are minor
    cryptographical differences, but all in all, their security is
    equivalent.


    > What are the pros and cons ?


    One major reason to prefer SFTP is its simplicity. Setting up a proper
    certificate infrastructure for SSL and TLS may be overkill, and requires
    some cryptological skills. This is suitable for large networks with
    many users. There it would make sense to create your own certificate
    authority (CA), which you can use for more things than just FTP. Users
    could use the same certificate to securely authenticate to all services
    offered by the network.

    The downside of SFTP is that there is no trusted arbitrator (a CA in
    SSL/TLS terminology). This is good for small networks, but very bad for
    larger ones.

    In short: Prefer SFTP for home networks and small companies; prefer
    SSL/TLS for large enterprise networks.


    Regards,
    E.S.
