Using A Secure File Transfer Client A discussion of FTP, FTPS, SCP, and SFTP

[WindAndWater 0]

Using a Secure File Transfer Client

 

Almost everyone who creates a web site is faced with the problem of getting their files from their local computer to their web server. There are a few different protocols (methods) through which to accomplish this, and some have definite advantages over others. Here are the major ones, listed loosely in order of increasing security.

Note: All of the programs recommended in this tutorial are for Windows only. Command line alternatives are accessible via the terminal for both Linux and OS X.

 

FTP

First a note on using the built in FTP clients found in some web browsers (Internet Explorer, Firefox, etc). Never transfer files through a web browser if at all possible; most will not check the integrity of your files after they upload, will drop packets, and can generally corrupt your files on their way to the server.

FTP is the usual, ubiquitous means of transferring a file from a local computer to a server. It supports commands to view and navigate directories, change file permissions, and add, remove, and move files. However, everything communicated over ftp is completely unencrypted. This has two important consequences. 1) Because passwords are transmitted in clear-text it is possible for someone to intercept your login information, and access your account. 2) Any data you transmit to the server is accessible to people looking for it. That means that if you're transmitting confidential records, someone can intercept and record them.

 

FTPS

FTPS is the normal FTP protocol with the addition of SSL (Secure Socket Layers) and/or TLS (Transport Layer Security), the successor to SSL. FTPS does two important things. 1) It verifies that the server you're connecting to is indeed the one you think it is, as opposed to a spoofed address. 2) It encrypts your login information, so that it's impossible (well, highly improbable) that someone can steal it. However, in FTPS, normal data transfer is often left unencrypted.

If you insist on using a FTP or FTPS program I recommend SmartFTP which has both an excellent interface and good implementation.

 

SCP

SCP uses SSH1 for complete encryption covering both your authentication information and your file transfers. However, the SCP protocol was written to open a connection to the server, transfer a single file and then close the connection. Therefore, it doesn't allow you to browse directories, change file permissions, etc. Some SCP clients get around this by allowing you to access shell commands. A fair bare bones SCP client is PSCP put out by the makers of PuTTY.

 

SFTP

SFTP mainly uses SSH2 and encrypts both your login information and your file transfers. Additionally, it has built in mechanisms for viewing directories, changing file permissions, etc. Basically, SFTP is a fully secure equivalent to FTP, and can be used in exactly the same way, although it's based on a completely different protocol.

A good program for both SCP and SFTP is WinSCP which has a slightly clunky interface but excellent functionality.