FTP, FTPS, and SFTP
FTP is one of the oldest file transfer protocols on the Internet. FTPS adds TLS; SFTP is a completely different subsystem layered on SSH. Knowing the difference matters for firewall rules and security reviews.
FTP basics
- Control connection — TCP port 21. Commands and replies.
- Data connection — separate TCP channel for directory listings and file bytes.
- Active vs passive — active mode has the server connect back to the client (often blocked by NAT). Passive mode has the client connect to a server-advertised ephemeral port (requires firewall holes for the passive port range).
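A way to check what a server actually advertises in passive mode against the firewall's passive port range, as an added example that is not part of the original page. It also handles the extended `229` reply from RFC 2428 (EPSV), which the text above does not cover; the sample replies, the address 203.0.113.10 and the 50000-50100 range are constructed assumptions.

```python
import ipaddress
import re

# RFC 959 PASV reply: 227 ... (h1,h2,h3,h4,p1,p2); RFC 2428 EPSV reply: 229 ... (|||port|)
PASV_RE = re.compile(r"^227 .*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
EPSV_RE = re.compile(r"^229 .*?\((.)\1\1(\d{1,5})\1\)")


def parse_passive_reply(line, control_peer):
    """Return (host, port) of the data endpoint the server advertised."""
    m = PASV_RE.match(line)
    if m:
        octets = [int(g) for g in m.groups()]
        if any(o > 255 for o in octets):
            raise ValueError("octet out of range in PASV reply")
        host = ".".join(str(o) for o in octets[:4])
        return host, octets[4] * 256 + octets[5]  # port = p1 * 256 + p2
    m = EPSV_RE.match(line)
    if m:
        port = int(m.group(2))
        if not 0 < port < 65536:
            raise ValueError("port out of range in EPSV reply")
        return control_peer, port  # EPSV reuses the control connection's address
    raise ValueError("not a passive-mode reply")


def review_passive_reply(line, control_peer, allowed_ports):
    """List findings for one reply against the firewall's passive port range."""
    host, port = parse_passive_reply(line, control_peer)
    findings = []
    if port not in allowed_ports:
        findings.append(f"port {port} outside firewall range")
    if host != control_peer:  # typical of a server behind NAT announcing its inside address
        kind = "private" if ipaddress.ip_address(host).is_private else "different"
        findings.append(f"advertised {kind} address {host}, control peer is {control_peer}")
    return host, port, findings


# Constructed sample replies; 203.0.113.10 and the 50000-50100 range are assumptions.
SAMPLES = [
    "227 Entering Passive Mode (203,0,113,10,195,149)",
    "227 Entering Passive Mode (10,0,0,5,195,80)",
    "229 Entering Extended Passive Mode (|||6446|)",
]

if __name__ == "__main__":
    for reply in SAMPLES:
        print(reply, "->", review_passive_reply(reply, "203.0.113.10", range(50000, 50101)))
```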
FTPS
FTPS wraps FTP in TLS — either implicit TLS on port 990 or explicit TLS via AUTH TLS on port 21. The client must validate the server certificate; otherwise the session is vulnerable to an active MITM.
SFTP
Despite the name, SFTP is not “FTP over SSH.” It is the SSH File Transfer Protocol — a binary packet protocol multiplexed inside an SSH connection (typically port 22). It shares SSH’s host key authentication, user auth, and encryption model.
Choosing a protocol
For interactive admin file transfer, SFTP or SCP over SSH is usually simpler to secure than opening a passive FTP port range. For anonymous public downloads, HTTPS object storage or rsync-over-SSH often replaces classic FTP.