What is the difference between ftp encryption types SSL, TLS, SFTP and SSH ?

17/12/2006, 12:00   #1
Marcus Mender

I have seen a couple of different encryption types for ftp connections:

TLS
SSL
SFTP
SSH

Ok, provided an ftp server offers all these types: which type should I choose
to set up the ftp server or to select from the ftp client's view?

Is the security for all these types similar and the difference refers only to different protocols?

What are the pros and cons ?

Marcus

17/12/2006, 12:18   #2
Kristian Fiskerstrand

Marcus Mender wrote, On 12/17/2006 01:00 PM:
> I have seen a couple of different encryption types for ftp connections:

These are not at all about FTP in the first place.

>
> TLS

Transport layer security, you find this commonly used in e.g. the SMTP
protocol (sending emails)

> SSL

Secure Socket Layer, what is used by https:// connections. The primary
difference between SSL and TLS is that SSL is negotiated on connection,
while TLS upgrades from an ordinary connection. This is why for the HTTP
protocol, the default non-secured port is 80 and the default secure port
(SSL) is 443, while for SMTP both encrypted and non-encrypted will
happen on port 25 by default.

I wrote a small article about the difference between TLS and SSL, and my
wish for TLS to be used for web traffic, at
http://www.kfwebs.net/articles/artic...--SSL-and-HTTP

> SFTP


This protocol is a subservice of SSH, and in many ways replaced the scp
file transfer (which again replaced rcp).

> SSH


secure shell, replaced telnet by offering a secure connection into the
system.

>
> Ok, provided an ftp server offers all these types: which type should I choose
> to setup the ftp server or to select from the ftp clients view ?

SFTP and SSH have nothing to do with FTP per se, so an FTP server won't
offer it.

>
> Is the security for all these types similar and the difference refers only different protocols?
>

There are quite a lot of differences, personally I don't allow any
user/pass logins to happen to my system, but only authentications based
on Public Key Infrastructure, so I'm using SFTP mostly to get access to
files.

> What are the pros and cons ?

You haven't mentioned what context you want to use this in. If you were
to provide a webhosting service, you wouldn't have an option but to use
FTP.

If it is only for your own use I would personally go for SSH/SFTP and
disable ordinary FTP altogether.

>
> Marcus
>



--
Kristian Fiskerstrand
http://www.kfwebs.net
http://www.secure-my-email.com
http://www.secure-my-internet.com



17/12/2006, 12:48   #3
Tony Lawrence


Marcus Mender wrote:
> I have seen a couple of different encryption types for ftp connections:
>
> TLS
> SSL
> SFTP
> SSH
>
> Ok, provided an ftp server offers all these types: which type should I choose
> to setup the ftp server or to select from the ftp clients view ?
>
> Is the security for all these types similar and the difference refers only different protocols?
>
> What are the pros and cons ?


At the "big picture" level, you do what is best given what you have
control over. If you can control the client base 100%, you can do
whatever you want. If you only have partial control (you'd tell them
to download xyz etc.), you may need to consider potential configuration
problems for the users. If you have no control (raw public access),
you definitely want things as accepting as possible.

It's trivial (Google) to find folks arguing the benefits and
drawbacks:
http://freshmeat.net/articles/view/1576/ is an early result that gives
you a flavor.

--
Tony Lawrence
Unix/Linux/Mac OS X Resources
http://aplawrence.com

17/12/2006, 16:14   #4
Douglas Mayne

On Sun, 17 Dec 2006 12:00:42 +0000, Marcus Mender wrote:

> I have seen a couple of different encryption types for ftp connections:
>
> TLS
> SSL
> SFTP
> SSH
>
> Ok, provided an ftp server offers all these types: which type should I choose
> to setup the ftp server or to select from the ftp clients view ?
>
> Is the security for all these types similar and the difference refers only
> different protocols?
>
> What are the pros and cons ?
>
> Marcus
>

I don't know that much about this, other than to refer to these links:

SFTP: http://en.wikipedia.org/wiki/SSH_file_transfer_protocol
FTPS: http://en.wikipedia.org/wiki/FTPS

ssh based solutions appear to have an advantage (IMO) because the
authentication can be certificate based. For example, configure ssh
not to accept passwords, and set a rate limit firewall rule to minimize
brute force attacks which attempt to gain access by guessing a valid
username/password pair. You would generate a certificate for valid users
and then send it to them (perhaps by email.) The passphrase which
unlocks the passphrase can be revealed by some other method (telephone?).

Another consideration...
Giving someone access (read/write) to a file repository on your system
can be a good way for communicating large files back and forth. The
problem is that you cannot control how careful the person given access
will be maintaining the secrecy of their access method. If someone else
obtains the credentials, they can act as an imposter to gain access to
the files in the repository. Therefore, I have recommended using strong
encryption for sensitive data which is sent to the repository. That way,
only the files will be readable by the intended recipient only. For
example, no matter what method is used to transmit the files, a strong
encryption tool, such as gpg, should be used also. This method overcomes
the unencrypted nature of email.

Sender -> encrypts file for recipient
Sender -> places file in repository using some protocol


Recipient -> retrieves encrypted file from repository
Recipient -> uses gpg to decipher the message.

The "con" to this method is that it requires manual setup and user
interaction. The "pro" is that it is a very secure channel (IMO).

--
Douglas Mayne

17/12/2006, 17:48   #5
left_coast

Marcus Mender wrote:

> I have seen a couple of different encryption types for ftp connections:
>
> TLS


TLS is the successor to SSL:

http://searchsecurity.techtarget.com...557332,00.html


> SSL


SSL is

http://searchsecurity.techtarget.com...343029,00.html

> SFTP


http://en.wikipedia.org/wiki/SSH_file_transfer_protocol

> SSH


http://isp.webopedia.com/TERM/S/SSH.html


>
> Ok, provided an ftp server offers all these types: which type should I
> choose to setup the ftp server or to select from the ftp clients view ?


If I read you right, none will work with ftp, ftp is a protocol that is not
encrypted.

>
> Is the security for all these types similar and the difference refers only
> different protocols?


Security varies according to protocol, they have different levels of
security and different functions.

>
> What are the pros and cons ?


Depends on what you want to do. sftp would not work if you wanted a
terminal session, ssh (not counting scp) is not the best for file
transfers.


>
> Marcus


Not sure what you want to do, exactly, but the best method for encrypted file
transfers may be ssl using web browsers... If we knew exactly what you
wanted to do, it may help us give better advice.



17/12/2006, 17:51   #6
Aragorn

On Sunday 17 December 2006 13:00, Marcus Mender stood up and addressed the
masses in /comp.os.linux.misc/ as follows...:

> I have seen a couple of different encryption types for ftp connections:
>
> TLS
> SSL
> SFTP
> SSH
>
> Ok, provided an ftp server offers all these types: which type should I
> choose to setup the ftp server or to select from the ftp clients view ?


I'm not an expert on encryption, but all of the aforementioned are
variations to the Secure Sockets Layer technology.

TLS is a newer version of SSL - it is more secure. /ssh/ is the SSL/TLS
version of /telnet./ It offers you a remote login to another machine, but
negotiates an encryption before the login occurs, so that password sniffers
would not be any good in trying to obtain a password, whereas /telnet/
sends everything over the network "as is".

/sftp/ is not to be confused with /ftps./ /sftp/ is the built-in FTP server
(or client) of the OpenSSL package. Regular FTP clients don't use this.

> Is the security for all these types similar and the difference refers only
> different protocols?


Hmm... /ssh/ and /sftp/ are different tools. /SSL/ is the security
technology that contains both /ssh/ and /sftp,/ but it's already becoming
outdated in favor of TLS, which is more secure. Does that answer your
question properly?

> What are the pros and cons ?


That question is meaningless, I'm afraid. You seem to be inquiring about a
secure FTP server. A lot of the security of an FTP server depends on how
it is set up - does it allow anonymous logins or not, etc.

You can have /ftps,/ which is similar to /https./ /sftp/ is something else
and works via the SSH server. For my own needs, I would prefer /sftp/
since plain FTP is by nature insecure and very exploitable.

--
With kind regards,

*Aragorn*
(registered GNU/Linux user #223157)

17/12/2006, 19:00   #7
Richard E. Silverman

>>>>> "Aragorn" == Aragorn <stryder@telenet.invalid> writes:

Aragorn> Hmm... /ssh/ and /sftp/ are different tools. /SSL/ is the
Aragorn> security technology that contains both /ssh/ and /sftp,/ but

This is a common misconception. The SSH protocol is completely separate
from TLS/SSL; they have nothing to do with one another. OpenSSH uses the
OpenSSL *library*, but for other things.

--
Richard Silverman
res@qoxp.net

17/12/2006, 19:10   #8
Allen Kistler

Marcus Mender wrote:
> I have seen a couple of different encryption types for ftp connections:
>
> TLS
> SSL
> SFTP
> SSH
>
> Ok, provided an ftp server offers all these types: which type should I choose
> to setup the ftp server or to select from the ftp clients view ?
>
> Is the security for all these types similar and the difference refers only different protocols?
>
> What are the pros and cons ?


TLS is a variation on SSLv3. SSL and TLS are transport encryption
protocols layered on top of the base protocol. So just like https is
http over SSL/TLS, ftps is ftp over SSL/TLS.

SFTP is SCP with an ftp interface. SCP is the file copy program for ssh
(secure shell), so that's probably what you mean by SSH, as well.
SSH/SCP is an entirely different protocol designed specifically for
encrypted terminal sessions and file transfers.

ftp/ftps requires two connections, one for control and one for data.
SSL/TLS requires that you install a digital cert which your clients
trust, just like https for the web. Unlike https which uses a different
port from http (but like smtps which uses the same port for smtp), the
client first establishes a tcp connection to the regular port, then
sends a STARTTLS command, which the server may or may not recognize. If
the server recognizes the command, SSL/TLS is negotiated. ftps also
supports client-side certificates for authentication.

ftps has never been very popular. It's also not generally recommended
because of confusing implementations, lack of support, etc.

sftp/scp requires one connection. The server generates its own keys,
and the clients have to trust it the first time they connect.
Afterwards if the client sees the server key change, the client should
suspect foul play (or a stupid admin). It also supports public key
authentication, where the keys are created by the clients, but it's
harder to set up in an enterprise environment (1000's or 10000's or so
of users) because you have to authorize each key individually (and
individuals manage their own keys).

If you're going to implement sftp, you might as well implement scp,
instead. scp is the "real" protocol in both.

Lots more could be said. But I'll stop there.
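
The explicit upgrade described in the post above (plain TCP connection on the regular port, then a request the server may or may not recognize) has a failure mode worth checking for: a client that carries on in cleartext when the upgrade is refused. The following is an added example, not part of the original post; it audits a client-side FTP control-channel log. It assumes the FTP form of the upgrade request, `AUTH TLS` with reply code 234 and `PROT P` for the data channel (RFC 4217), and the sample logs and finding labels are constructed for illustration.

```python
"""Audit an FTP control-channel log for cleartext fallbacks (added example)."""
import re

FINAL_REPLY = re.compile(r"^(\d{3}) ")   # "230-..." continuation lines are skipped
DATA_COMMANDS = {"RETR", "STOR", "APPE", "STOU", "LIST", "NLST", "MLSD"}


def audit_ftp_session(log):
    """log: list of (direction, line); 'C' = client command, 'S' = server reply.

    Returns a list of findings. An empty list means credentials and data
    transfers were only sent after TLS protection had been negotiated.
    """
    findings = []
    tls_active = False     # control channel protected (AUTH accepted with 234)
    data_private = False   # data channel protected (PROT P accepted with 200)
    pending = None         # (verb, argument) of the command awaiting its reply

    for direction, line in log:
        if direction == "C":
            verb, _, arg = line.strip().partition(" ")
            verb = verb.upper()
            pending = (verb, arg.strip().upper())
            if verb in ("USER", "PASS") and not tls_active:
                findings.append("cleartext-credentials:" + verb)
            elif verb in DATA_COMMANDS and not data_private:
                findings.append("cleartext-data:" + verb)
            continue

        match = FINAL_REPLY.match(line)
        if not match or pending is None:
            continue
        code = match.group(1)
        verb, arg = pending
        if verb == "AUTH":
            if code == "234":
                tls_active = True
            elif code[0] in "45":
                # Server did not recognize or refused the upgrade request.
                findings.append("auth-tls-refused:" + code)
        elif verb == "PROT" and arg == "P" and code == "200":
            data_private = tls_active
        pending = None
    return findings


# Constructed sample logs (hypothetical host, user and file names).
REFUSED_UPGRADE = [
    ("S", "220 ftp.example.org ready"),
    ("C", "AUTH TLS"), ("S", "502 Command not implemented"),
    ("C", "USER alice"), ("S", "331 Password required"),
    ("C", "PASS constructed-password"), ("S", "230 Logged in"),
    ("C", "RETR report.pdf"), ("S", "150 Opening data connection"),
    ("S", "226 Transfer complete"),
]
FULLY_PROTECTED = [
    ("S", "220 ftp.example.org ready"),
    ("C", "AUTH TLS"), ("S", "234 Proceed with negotiation"),
    ("C", "USER alice"), ("S", "331 Password required"),
    ("C", "PASS constructed-password"), ("S", "230-Welcome"), ("S", "230 Logged in"),
    ("C", "PBSZ 0"), ("S", "200 PBSZ=0"),
    ("C", "PROT P"), ("S", "200 Protection level set to Private"),
    ("C", "STOR upload.bin"), ("S", "150 Ok to send data"),
    ("S", "226 Transfer complete"),
]
CONTROL_ONLY = [
    ("S", "220 ftp.example.org ready"),
    ("C", "AUTH TLS"), ("S", "234 Proceed with negotiation"),
    ("C", "USER alice"), ("S", "331 Password required"),
    ("C", "PASS constructed-password"), ("S", "230 Logged in"),
    ("C", "PROT C"), ("S", "200 Protection level set to Clear"),
    ("C", "LIST"), ("S", "150 Here comes the listing"),
    ("S", "226 Directory send OK"),
]

if __name__ == "__main__":
    for name, log in [("refused", REFUSED_UPGRADE),
                      ("protected", FULLY_PROTECTED),
                      ("control-only", CONTROL_ONLY)]:
        print(name, audit_ftp_session(log))
```

A client configured to require TLS should abort at the `auth-tls-refused` point instead of sending `USER`.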

18/12/2006, 07:27   #9
zdk

You could classify the 4 types in your list into 2 main groups:

1. TLS, SSL - they're very similar in practice.

2. SSH, SFTP - SSH uses SFTP while transferring data, so you might think
they're the same.

Comparing TLS and SSH:
I think SSH is more popular than TLS. You configure the server as an ftp
server, so you could probably select SFTP.

Thanks.

Warachet S.

Marcus Mender wrote:
> I have seen a couple of different encryption types for ftp connections:
>
> TLS
> SSL
> SFTP
> SSH
>
> Ok, provided an ftp server offers all these types: which type should I choose
> to setup the ftp server or to select from the ftp clients view ?
>
> Is the security for all these types similar and the difference refers only different protocols?
>
> What are the pros and cons ?
>
> Marcus


18/12/2006, 20:31   #10
Ertugrul Soeylemez

mmmm@buzz.com (Marcus Mender) (06-12-17 12:00:42):

> I have seen a couple of different encryption types for ftp
> connections:
>
> TLS
> SSL
> SFTP
> SSH
>
> Ok, provided an ftp server offers all these types: which type should I
> choose to setup the ftp server or to select from the ftp clients view?


From the client's view, certainly TLS and SSL are more convenient, but
for home user purposes, they probably are overkill. At the moment, SSL
and TLS are essentially the same. TLS (v1) is just a container
protocol, which currently encapsulates SSLv3. It might contain newer,
more secure protocols in the future, so TLS is preferable over SSL.

To make those two protocols as secure as possible, you need to deal with
certificates. Server-side certificates are only half of the story.
They only authenticate the server. So if you want to authenticate the
client cryptographically, you will need client certificates. Not all
client programs support that, and there are even some server programs,
which don't.

However, if you already have an SSH server with key-based authentication
running, and you have got a client that supports SFTP (which is FTP over
an SSH tunnel), then you're already set. You can continue to use your
normal SSH keys for FTP authentication, which is of course preferable in
this case.


> Is the security for all these types similar and the difference refers
> only different protocols?


From the cryptological perspective, yes. There are minor
cryptographical differences, but all in all, their security is
equivalent.


> What are the pros and cons ?


One major reason to prefer SFTP is its simplicity. Setting up a proper
certificate infrastructure for SSL and TLS may be overkill, and requires
some cryptological skills. This is suitable for large networks with
many users. There it would make sense to create your own certificate
authority (CA), which you can use for more things than just FTP. Users
could use the same certificate to securely authenticate to all services
offered by the network.

The downside of SFTP is that there is no trusted arbitrator (a CA in
SSL/TLS terminology). This is good for small networks, but very bad for
larger ones.

In short: Prefer SFTP for home networks and small companies; prefer
SSL/TLS for large enterprise networks.


Regards,
E.S.
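
Without a CA, an SSH/SFTP client falls back on the model described earlier in the thread: trust the server key on first contact, then treat any later change as suspect. The following is an added example, not part of any post; it implements that check against `known_hosts`-style entries, including the hashed-hostname form. It handles exact and hashed host names only (no wildcards, no `@cert-authority` lines), and all host names and key blobs are constructed placeholders.

```python
"""Trust-on-first-use host key check (added example, simplified known_hosts)."""
import base64
import hashlib
import hmac


def fingerprint(key_b64):
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def hash_hostname(host, salt):
    """Hashed host field: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=host))."""
    mac = hmac.new(salt, host.encode("utf-8"), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode("ascii"),
                         base64.b64encode(mac).decode("ascii"))


def host_matches(pattern, host):
    """True if a known_hosts host field (plain or hashed) names this host."""
    if not pattern.startswith("|1|"):
        return pattern == host
    try:
        _, _, salt_b64, mac_b64 = pattern.split("|")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(mac_b64)
    except ValueError:          # malformed field or bad base64
        return False
    actual = hmac.new(salt, host.encode("utf-8"), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)


def load_known_hosts(text):
    """Return a list of (host_pattern, key_type, key_b64) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#@":   # comments and marker lines are skipped
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        for pattern in fields[0].split(","):
            entries.append((pattern, fields[1], fields[2]))
    return entries


def check_host_key(entries, host, key_type, offered_b64):
    """Return 'unknown' (first contact), 'match', or 'changed'."""
    known = [key for pattern, ktype, key in entries
             if ktype == key_type and host_matches(pattern, host)]
    if not known:
        return "unknown"    # verify fingerprint(offered_b64) out of band, then store
    if offered_b64 in known:
        return "match"
    return "changed"        # refuse to connect until the change is explained


# Constructed sample data: the key blobs are placeholders, not real host keys.
KEY_A = base64.b64encode(b"constructed host key blob A").decode("ascii")
KEY_B = base64.b64encode(b"constructed host key blob B").decode("ascii")
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts content",
    "files.example.org,192.0.2.10 ssh-ed25519 " + KEY_A,
    hash_hostname("backup.example.org", b"constructed-salt-20b") + " ssh-ed25519 " + KEY_B,
])
ENTRIES = load_known_hosts(SAMPLE_KNOWN_HOSTS)

if __name__ == "__main__":
    for host, key in [("files.example.org", KEY_A), ("files.example.org", KEY_B),
                      ("backup.example.org", KEY_B), ("new.example.org", KEY_A)]:
        print(host, check_host_key(ENTRIES, host, "ssh-ed25519", key), fingerprint(key))
```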

19/12/2006, 05:44   #11
Richard E. Silverman

>>>>> "ES" == Ertugrul Soeylemez <never@drwxr-xr-x.org> writes:

ES> However, if you already have an SSH server with key-based
ES> authentication running, and you have got a client that supports
ES> SFTP (which is FTP over an SSH tunnel),

Actually it's not; SFTP is a separate protocol which has nothing to do
with FTP.

--
Richard Silverman
res@qoxp.net

19/12/2006, 07:17   #12
Nico


Allen Kistler wrote:

> If you're going to implement sftp, you might as well implement scp,
> instead. scp is the "real" protocol in both.


Which is why it doesn't handle symlinks well. FTP can, and can mirror
them either way well.

A major flaw in almost all SSH/SFTP/SCP setups is the lack of chroot
cages: users who can get onto the server can go poking around the rest
of the system, which is a serious security issue. I've encouraged the
authors to include chroot cage capability, and tried providing patches,
but they've never brought them into the main codeline, so I've given
up. It's handy for systems where you already have user privileges: it's
quite dangerous for systems where you only want people to upload or
download specific directories, not to give them login access.

For many such setups, I've instead switched to WebDAV over HTTPS. It's
built into Windows, it allows Apache based account and user management
quite apart from system accounts, the "chroot" like behavior is built
right into Apache as a set of run-time configuration options, and it
easily supports uploading and downloading, anonymous repositories, and
all the other useful features of FTP except for the sniffable passwords
and the very awkward 2-port behavior.

19/12/2006, 21:55   #14
Keme

Marcus Mender wrote:
> I have seen a couple of different encryption types for ftp connections:
>
> TLS
> SSL
> SFTP
> SSH
>
> Ok, provided an ftp server offers all these types: which type should I choose
> to setup the ftp server or to select from the ftp clients view ?
>
> Is the security for all these types similar and the difference refers only different protocols?
>
> What are the pros and cons ?
>
> Marcus
>


Briefly:
SSL is an encryption type.
SSH is remote login using SSL to get encrypted command line access
("secure telnet")
SFTP is file transfer using SSL
TLS is an encryption type (AFAIK, like SSL, but different...)

SSL has fairly universal support across OS/HW platforms. So for the
basic, "universally available" service you'd set up your server with
SSL, to provide SSH (I guess a command line FTP client would use that)
and SFTP support.

20/12/2006, 06:09   #15
Richard E. Silverman

>
> Marcus Mender wrote:
> > I have seen a couple of different encryption types for ftp connections:
> > TLS
> > SSL
> > SFTP
> > SSH
> > Ok, provided an ftp server offers all these types: which type should I
> > choose
> > to setup the ftp server or to select from the ftp clients view ?
> > Is the security for all these types similar and the difference refers
> > only different protocols?
> > What are the pros and cons ?
> > Marcus
> >

>
> Briefly:
> SSL is an encryption type.


No. It is a communications protocol which employs encryption as part of
its operation.

> SSH is remote login using SSL to get encrypted command line access
> ("secure telnet")


No. The SSH protocol is not, and does not use, SSL at all.

> SFTP is file transfer using SSL


No. SFTP (typically) runs over SSH which (v.s.) is not SSL.

--
Richard Silverman
res@qoxp.net

20/12/2006, 19:39   #16
Alun Jones

"Marcus Mender" <mmmm@buzz.com> wrote in message
news:4585316a$0$27617$9b4e6d93@newsspool2.arcor-online.net...
>I have seen a couple of different encryption types for ftp connections:
>
> TLS
> SSL


TLS and SSL are two versions of the same protocol (SSL comes in versions 2.0
and 3.0, TLS comes in versions 1.0 and 1.1 - TLS 1.0 is SSL 3.1).

FTP has been extended by a standard that describes the operation of FTP over
SSL and TLS. This extension is commonly known as FTPS. It's a relatively
obvious means of adding security to FTP.

> SFTP
> SSH


These are nothing to do with FTP.

SSH stands for "Secure SHell" - as such, it establishes a secured connection
for a logon shell. Unless your FTP users are significantly trusted, you
don't want them running commands on your system, so you won't want them
connecting to SSH. Same for SFTP, which is simply a file transfer mechanism
added on top of SSH (i.e. you need SSH in order to implement SFTP - so SFTP
users are SSH users and can log on and issue commands)

> Ok, provided an ftp server offers all these types: which type should I
> choose
> to setup the ftp server or to select from the ftp clients view ?
>
> Is the security for all these types similar and the difference refers only
> different protocols?


The encryption and authentication schemes will be similar - the security is
not, because FTPS (FTP over TLS and SSL) allows only for usual FTP
activities (generally, this is file transfer), whereas SFTP and SSH allow
for the user to execute commands that will run on the server.

> What are the pros and cons ?


FTPS allows transfer of files; SFTP / SSH allow transfer of files and
execution of commands through a protocol whose primary designed purpose is
to execute commands on the server.

If you're looking to allow your users to execute commands, go with SSH /
SFTP; if you only want them to be able to transfer files, choose the
protocol (FTPS) that is designed to allow just that.

Alun.
~~~~


21/12/2006, 03:01   #17
Richard E. Silverman

>>>>> "AJ" == Alun Jones <alun@texis.invalid> writes:

AJ> SSH stands for "Secure SHell" - as such, it establishes a secured
AJ> connection for a logon shell. Unless your FTP users are
AJ> significantly trusted, you don't want them running commands on
AJ> your system, so you won't want them connecting to SSH. Same for
AJ> SFTP, which is simply a file transfer mechanism added on top of
AJ> SSH (i.e. you need SSH in order to implement SFTP - so SFTP users
AJ> are SSH users and can log on and issue commands)

This is not necessarily true. sftp uses an SSH subsystem to start the
sftp server. Some SSH servers allow you to specify that certain users may
only initiate subsystems and not exec or shell channels. Even in those
that don't, you can make the account shell something which will only run
sftp-server.

--
Richard Silverman
res@qoxp.net
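
Whether an account really is limited to the sftp subsystem comes down to the server configuration, so it is worth checking mechanically. The following is an added example, not part of the original post; it assumes an OpenSSH `sshd` that supports the `ForceCommand internal-sftp`, `ChrootDirectory` and `Match` settings, evaluates only `Match User`, `Match Group` and `Match all` with exact names, and uses a constructed configuration with hypothetical user and group names.

```python
"""Check whether an account is confined to SFTP by an sshd_config (added example)."""

# OpenSSH defaults for the settings inspected below.
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "passwordauthentication": "yes",
    "chrootdirectory": "none",
}


def parse_sshd_config(text):
    """Return (global_settings, match_blocks); the first value of a keyword wins."""
    global_settings, blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "match":
            tokens = value.split()
            criteria = {}
            if tokens[0].lower() != "all":
                for i in range(0, len(tokens) - 1, 2):
                    criteria[tokens[i].lower()] = set(tokens[i + 1].split(","))
            current = {}
            blocks.append((criteria, current))
        else:
            current.setdefault(keyword, value)
    return global_settings, blocks


def block_applies(criteria, user, groups):
    """Evaluate User/Group criteria; any other criterion is treated as no match."""
    for key, names in criteria.items():
        if key == "user":
            if user not in names:
                return False
        elif key == "group":
            if not (groups & names):
                return False
        else:
            return False
    return True


def effective_settings(text, user, groups):
    """Settings for one account: matching Match blocks first, then global values."""
    global_settings, blocks = parse_sshd_config(text)
    effective = {}
    for criteria, settings in blocks:
        if block_applies(criteria, user, set(groups)):
            for keyword, value in settings.items():
                effective.setdefault(keyword, value)
    for keyword, value in global_settings.items():
        effective.setdefault(keyword, value)
    return effective


def audit_sftp_only(text, user, groups):
    """Return findings; an empty list means the account is held to SFTP."""
    settings = dict(DEFAULTS)
    settings.update(effective_settings(text, user, groups))
    findings = []
    # Only the in-process SFTP server is accepted as a forced command here.
    if settings.get("forcecommand", "").split()[:1] != ["internal-sftp"]:
        findings.append("shell-or-exec-possible")
    if settings["chrootdirectory"].lower() == "none":
        findings.append("no-chroot")
    if settings["allowtcpforwarding"].lower() != "no":
        findings.append("tcp-forwarding-allowed")
    if settings["passwordauthentication"].lower() != "no":
        findings.append("password-login-allowed")
    return findings


# Constructed sshd_config excerpt (hypothetical group, user and path names).
SAMPLE_CONFIG = """\
# constructed sshd_config excerpt
PasswordAuthentication no
Subsystem sftp internal-sftp

Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no

Match User legacy
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for user, groups in [("alice", ["sftponly"]), ("bob", ["staff"]),
                         ("legacy", ["staff"])]:
        print(user, audit_sftp_only(SAMPLE_CONFIG, user, groups))
```

The key-only login check ties in with the posts above that recommend disabling password authentication for SSH/SFTP access.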

21/12/2006, 17:19   #18
Alun Jones

"Richard E. Silverman" <res@qoxp.net> wrote in message
news:m2zm9iq7dy.fsf@darwin.oankali.net...
>>>>>> "AJ" == Alun Jones <alun@texis.invalid> writes:

>
> AJ> SSH stands for "Secure SHell" - as such, it establishes a secured
> AJ> connection for a logon shell. Unless your FTP users are
> AJ> significantly trusted, you don't want them running commands on
> AJ> your system, so you won't want them connecting to SSH. Same for
> AJ> SFTP, which is simply a file transfer mechanism added on top of
> AJ> SSH (i.e. you need SSH in order to implement SFTP - so SFTP users
> AJ> are SSH users and can log on and issue commands)
>
> This is not necessarily true. sftp uses an SSH subsystem to start the
> sftp server. Some SSH servers allow you to specify that certain users may
> only initiate subsystems and not exec or shell channels. Even in those
> that don't, you can make the account shell something which will only run
> sftp-server.


Thanks for the correction.

I'm still inclined to suggest that if you don't want to provide shell
access, it's more secure to rely on software that doesn't have shell access
as a feature, than to rely on one that can be configured not to provide it.

Alun.
~~~~


23/12/2006, 14:53   #20
Nico


Ertugrul Soeylemez wrote:


> The downside of SFTP is that there is no trusted arbitrator (a CA in
> SSL/TLS terminology). This is good for small networks, but very bad for


There's also the lack of control over where the client can see: this is
built into most FTP and HTTP/HTTPS tools, but is most definitely *not*
built into SFTP. The version of SSH from ssh.com may finally support it
well, I haven't had a chance to try that in a while, but the OpenSSH
server does not include anything resembling a real chroot cage. What is
unfortunately labeled as chroot operation is only for a small set of
operations, not general access. So an SFTP client generally has access
to the entire filesystem of any OpenSSH based SFTP server.

This is a very serious access management problem: There have been
various patches and proposals for years to address it, such as those at
http://sourceforge.net/projects/chrootssh/, but they've never been
accepted into the OpenSSH main code line.

If you want normal upload/download, you want client access and GUI
access built into most operating systems, it's really hard to beat
WebDAV over HTTPS.

> In short: Prefer SFTP for home networks and small companies; prefer
> SSL/TLS for large enterprise networks.


Small companies are also notorious for foolishness such as users with
un-password-protected SSH keys on NFS accessible directories, or on
backup tapes that others can restore from. As much as I love SSH as a
remote access tool, the default client behavior of allowing
passphrase-less keys is a very serious problem. Like the tendency of
Subversion clients to store passphrases in local clear-text, I'd love
to see it disabled by default.

Hmm. You know, that's actually a good feature idea to add as an
ssh_config default option....
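
An added example, not part of Nico's post: one way to audit for the passphrase-less private keys described above by reading the key file's own header, covering both the legacy PEM format and the current OpenSSH container. The file names and key bodies are constructed and contain no real key material.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"  # start of the current OpenSSH private key container

def is_passphrase_protected(pem_text):
    """True if the private key is encrypted, False if stored in clear, None if unknown."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines() if ln.strip()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN "):
        return None
    label = lines[0][len("-----BEGIN "):].rstrip("-").strip()
    body = lines[1:-1]
    if label in ("RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY"):
        # Legacy PEM announces encryption in a "Proc-Type: 4,ENCRYPTED" header.
        return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in body)
    if label == "OPENSSH PRIVATE KEY":
        try:
            blob = base64.b64decode("".join(body))
        except ValueError:
            return None
        if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + 4:
            return None
        # The first length-prefixed string after the magic is the cipher name.
        (n,) = struct.unpack_from(">I", blob, len(MAGIC))
        cipher = blob[len(MAGIC) + 4:len(MAGIC) + 4 + n]
        return cipher != b"none"  # "none" means no passphrase was set
    return None

def unprotected_keys(keys):
    """Return the sorted names of keys that are stored without a passphrase."""
    return sorted(name for name, text in keys.items()
                  if is_passphrase_protected(text) is False)

def _ssh_string(data):
    return struct.pack(">I", len(data)) + data

def _sample_openssh(cipher, kdf):
    # Constructed header only: magic, ciphername, kdfname, kdfoptions, key count.
    blob = (MAGIC + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(b"") + struct.pack(">I", 1))
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

# Constructed samples (hypothetical file names, placeholder bodies).
SAMPLES = {
    "backup/id_ed25519": _sample_openssh(b"none", b"none"),
    "home/id_ed25519": _sample_openssh(b"aes256-ctr", b"bcrypt"),
    "nfs/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n",
    "home/id_rsa": ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: "
                    "AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n"),
}
```

Calling `unprotected_keys(SAMPLES)` lists the two keys that anyone with read access to the file could use directly.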

23/12/2006, 19:28   #21
Richard E. Silverman
Re: What is the difference between ftp encryption types SSL, TLS, SFTP and SSH ?


NK> Ertugrul Soeylemez wrote:


>> The downside of SFTP is that there is no trusted arbitrator (a CA
>> in SSL/TLS terminology).


This is not a property of SFTP at all, but rather of some implementations,
OpenSSH in particular. Both the VanDyke and ssh.com products, for
example, support X.509 certificates for host and user authentication.

--
Richard Silverman
res@qoxp.net

25/12/2006, 11:09   #22
Cesare
Re: What is the difference between ftp encryption types SSL, TLS, SFTP and SSH ?

"Ertugrul Soeylemez" <never@drwxr-xr-x.org> wrote in message
news:emesp9$3jo$02$1@news.t-online.com...
mmmm@buzz.com (Marcus Mender) (06-12-17 12:00:42):

> However, if you already have an SSH server with key-based authentication
> running, and you have got a client that supports SFTP (which is FTP over
> an SSH tunnel), then you're already set. You can continue to use your
> normal SSH keys for FTP authentication, which is of course preferable in
> this case.


A little correction. SFTP is not FTP over SSH. SFTP uses an SSH subsystem to
start the sftp server (as Richard says in another message), where you can
issue commands, retrieve/send files and navigate directories (with the
privileges of the user you logged in as), using the SSH protocol.

You can have FTP over SSH, where the FTP protocol is tunnelled via SSH. So
first you must authenticate yourself from the SSH point of view
(username/password or username/key), and afterwards you must authenticate to
the FTP server. The two authentications may have different usernames and
passwords.

On the same implementation, you can tunnel the telnet protocol under SSH. For
example, you can log in to your machine at the office using the SSH protocol
(and so ciphering packets and medium authentication). From there you can
ftp/telnet to your machines. The "local" (office) packets are in "clear" text;
when they pass through the SSH machine and are sent to you, they are ciphered.

This implementation is useful when authentication and security are not in
the application (for example, transferring files by FTP between two machines
through the Internet) and it is not possible to change or modify it.

Hope this .

I wish you all a Merry Christmas 2006!
Cesare



28/12/2006, 21:27   #23
jscape@gmail.com
Re: What is the difference between ftp encryption types SSL, TLS, SFTP and SSH ?

Should you decide to go TLS/SSL then you also need to consider whether
you want to support implicit or explicit connections. Explicit
connections are typically run on port 21 and allow you to support both
standard unencrypted FTP sessions as well as encrypted sessions. To
start an encrypted session the client will send the AUTH TLS or AUTH
SSL command prior to login in order to encrypt the command channel.
Implicit SSL on the other hand typically runs on port 990 and requires
an encrypted SSL connection. Most all servers support explicit SSL,
some support both explicit and implicit SSL.

Van Glass
JSCAPE
Managed File Transfer and Security Solutions
http://www.jscape.com/secureftpserver/



Marcus Mender wrote:
> I have seen a couple of different encryption types for ftp connections:
>
> TLS
> SSL
> SFTP
> SSH
>
> Ok, provided an ftp server offers all these types: which type should I choose
> to setup the ftp server or to select from the ftp clients view ?
>
> Is the security for all these types similar and the difference refers only different protocols?
>
> What are the pros and cons ?
>
> Marcus


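An added example, not part of the post above: because an explicit-mode server on port 21 accepts both plain and encrypted sessions, a server-side command log can be checked for logins sent before AUTH TLS or AUTH SSL was accepted (reply code 234 in RFC 4217). The `C:`/`S:` log format, session names and user names are constructed assumptions.

```python
AUTH_OK = "234"  # RFC 4217: server accepts AUTH, the TLS handshake follows

def classify_session(lines):
    """Classify one control-channel session from a server-side command log.

    Each line is "C: <command>" (client) or "S: <reply>" (server).
    """
    tls_on = False        # True once the server has answered AUTH with 234
    auth_pending = False  # an AUTH command is waiting for its reply
    auth_refused = False  # the server rejected an AUTH attempt
    for line in lines:
        side, _, text = line.partition(": ")
        text = text.strip()
        if side == "C":
            verb = text.split(" ", 1)[0].upper()
            if verb == "AUTH":
                auth_pending = True
            elif verb in ("USER", "PASS"):
                if tls_on:
                    return "tls-login"
                # Credentials crossed the command channel unencrypted.
                return "cleartext-after-refused-auth" if auth_refused else "cleartext-login"
        elif side == "S" and auth_pending:
            auth_pending = False
            if text.startswith(AUTH_OK):
                tls_on = True
            else:
                auth_refused = True
    return "no-login"

def exposed_sessions(sessions):
    """Return the sorted names of sessions whose login was sent in clear."""
    return sorted(n for n, s in sessions.items()
                  if classify_session(s).startswith("cleartext"))

# Constructed sample sessions on an explicit-mode server (port 21).
SESSIONS = {
    "explicit": ["S: 220 ready", "C: AUTH TLS", "S: 234 Proceed with negotiation",
                 "C: USER alice", "S: 331 Password required", "C: PASS ********"],
    "plain": ["S: 220 ready", "C: USER bob", "S: 331 Password required",
              "C: PASS ********"],
    "fallback": ["S: 220 ready", "C: AUTH SSL", "S: 504 Unknown security mechanism",
                 "C: USER carol", "S: 331 Password required", "C: PASS ********"],
}
```

The "fallback" case is the one to watch for on a server that keeps plain FTP enabled: the client asked for encryption, was refused, and logged in anyway.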