6 April 2021

The File Transfer Protocol dates back to the early 1970s. At the time, the protocol was concerned purely with transferring files between a client and server. As with other tools, such as telnet, security wasn’t a concern.

Security is a major concern nowadays: sending your FTP username and password to a server in plain text is a really bad idea. Although plain FTP is still in use, most people nowadays use FTPES.

FTPS: implicit security

The first attempt to make FTP secure was FTPS. FTPS uses port 990 instead of port 21 to connect securely to a server. FTPS never became a hit, mainly because the FTP protocol doesn’t define the implicit negotiation used by FTPS. That is, FTP clients are supposed to negotiate the level of security with the server, but FTPS doesn’t do that: it implies the use of TLS. Like plain FTP, FTPS has fallen out of favour.

FTPES: explicit security

The method widely in use nowadays is FTPES. With FTPES (explicit FTPS) the client and server use port 21 to negotiate the level of security to be used. The client can ask the server to switch to an encrypted channel via the AUTH SSL or AUTH TLS command, and after the server has established a secure channel the client can securely send the user credentials.
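The negotiation described above, as an added example that is not part of the original article: a Python check that reads a cleartext capture of the port-21 control channel and reports whether USER/PASS were exposed before the server accepted AUTH with reply code 234. The transcripts, host name, credentials and verdict names are constructed for illustration, and single-line server replies are assumed.

```python
# Constructed control-channel transcripts: "C:" = client, "S:" = server.
PLAIN_SESSION = [
    "S: 220 ftp.example.test ready",
    "C: USER alice",
    "S: 331 Password required",
    "C: PASS hunter2",
    "S: 230 Logged in",
]
DOWNGRADED_SESSION = [
    "S: 220 ftp.example.test ready",
    "C: AUTH TLS",
    "S: 502 Command not implemented",
    "C: USER alice",
    "S: 331 Password required",
    "C: PASS hunter2",
]
FTPES_SESSION = [
    "S: 220 ftp.example.test ready",
    "C: AUTH TLS",
    "S: 234 Proceed with negotiation",
    # After 234 the TLS handshake starts; USER/PASS are not visible on the wire.
]

def audit_control_channel(lines):
    """Return (verdict, exposed_commands) for a cleartext control-channel capture.

    Scanning stops at a 234 reply to AUTH, because everything after it
    travels inside TLS and cannot appear in a cleartext capture.
    """
    pending_auth = refused = False
    exposed = []
    for line in lines:
        side, _, text = line.partition(": ")
        word = text.split(" ", 1)[0].upper()  # command verb or reply code
        if side == "C" and word == "AUTH":
            pending_auth = True
        elif side == "C" and word in ("USER", "PASS"):
            exposed.append(word)
        elif side == "S" and pending_auth:
            pending_auth = False
            if word == "234":
                return ("cleartext-credentials" if exposed else "explicit-tls"), exposed
            refused = True  # server rejected AUTH; a strict client should stop here
    if exposed:
        return ("downgraded" if refused else "cleartext-credentials"), exposed
    return "no-credentials-seen", exposed
```

The "downgraded" verdict marks the case a client configuration should prevent: the server refused AUTH and the client carried on with a plain-text login instead of aborting.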

Confusing lingo

Many people are confused about the different FTP methods because it is reasonable to assume that FTPS means secure FTP, in the same way that HTTPS is secure HTTP and IMAPS is secure IMAP. However, when people talk about FTPS they usually mean FTPES. Here is a quick recap of the differences:

Method | Port | Security
FTP | 21 | Plain text communication between client and server
FTPS | 990 | TLS implied (no negotiation between client and server)
FTPES | 21 | Level of security is negotiated between client and server

What about SFTP?

SFTP is another protocol for transferring files. Other than that SFTP has nothing in common with FTP, FTPS and FTPES. SFTP is short for SSH File Transfer Protocol and is an extension of the SSH protocol. This implies that the client needs to have shell access in order to use SFTP. By default, it uses the SSH port (22).