Mobile app version of vmapp.org
Login or Join
Lee4591628

: What might happen if I use FTP client without TLS? For some reason connecting to server using FTP client (eg. filezilla) is not working with TLS encryption enabled. I had to disable it to

@Lee4591628

Posted in: #Ftp #Https #Security

For some reason connecting to server using FTP client (eg. filezilla) is not working with TLS encryption enabled. I had to disable it to use FTP. So wondering why is TLS needed in the first place and what are the risks I am having by disabling.

10.01% popularity Vote Up Vote Down


Login to follow query

More posts by @Lee4591628

1 Comments

Sorted by latest first Latest Oldest Best

 

@Radia820

Source: webmasters.stackexchange.com/a/477/20604
It's important to keep a few things in mind when using FTP - it is not
encrypted by default meaning your credentials and content that you
send are sent in the clear so are vulnerable to interception. To
address this you should connect to your hosting provider using FTPS
(FTP over SSL/TLS).





Source: SFTP, FTPS and SecureFTP differences and security implications

There are 3 different protocols commonly used for transfering files over the Internet, and they are commonly confused between.


FTPS - an extension to the FTP protocol to support using FTP over SSL/TLS. This is typically based on a client-requested negotiation, and there are specific FTP commands to request/enforce/implement the encryption using SSL.
FTP over SSH (commonly called SecureFTP) - tunneling standard FTP over a SSH connection. Take into account that it is a bit more complicated to force the data channels to continue tunneling over SSH, even if the control channel is tunnelled.
SFTP - This is a completely different protocol, SSH File Transfer Protocol. This is not related to FTP, but is a completely different protocol. SFTP is actually a sub-protocol from the SSH protocol suite, i.e. a SSH extension (however I understand that it can be used seperately, too).


Advantage of FTPS is that it is similar to HTTPS - same type of certificate, etc. Many webservers support FTPS natively, and thus it is often "simpler" to set up and have admins up to speed faster.
SFTP has advantage in *nix shops, that are typically already more SSH-friendly - if they already set up a public SSH server securely, its pretty simple to add SFTP functionality.

Note that SecureFTP (FTP over SSH) is NOT trivial in any case (even if you already have the SSH set up), and I haven't seen it in use by security-conscious orgs (that's not to say it CAN'T be, but isn't commonly).

10% popularity Vote Up Vote Down


Back to top | Use Dark Theme