People still use FTP – No, that’s not a question, it’s a statement of fact.
Time after time at my last job I used to overhear co-workers using that most dreaded of acronyms: FTP (File Transfer Protocol). While this is useful for certain things, namely (er, maybe…?) local, non-scheduled file transfer, there are non-plain (a pun you might get later) alternatives that should be used in a business or security-oriented implementation. Those alternatives are SCP (Secure Copy Protocol) or SFTP (Secure File Transfer Protocol).
FTP, SFTP and SCP can help accomplish the same thing, which is to move files from here to there (or, based on relativity, from there to here) quickly and over a network. There is one major difference between FTP and the other two, though: FTP sends data in plain text, whereas SCP and SFTP use the SSH (Secure Shell) protocol for communication. Again, this is for security purposes, so when it comes to websites and transferring sensitive information, it is always better to err on the side of security.
The Difference Between SCP and SFTP
Before we can get to the differences, we need to divert from the heading a bit and talk about the similarities. Both protocols use SSH for the authentication and encryption of the connection. Since SSH typically uses TCP (Transmission Control Protocol), both SFTP and SCP will, by default, use TCP, which provides reliable, ordered delivery. Both have options for command-line connection or nice, pretty interfaces. Now that we've finished our diversion, we can talk about the ways they diverge.
SCP is really only meant for the one thing that was mentioned: moving files from here to there (or there to here). When it comes to things like listing folder contents or managing folders, SCP itself does not really have the ability to do so. However, the underlying SSH platform allows for that kind of functionality, and many of the client-side applications have those functions built in. So, at its base, SCP cannot help you with that; you would have to find ad hoc ways to work around SCP in order to do those kinds of things.
SFTP, on the other hand, has these functions built right into it so there is no issue there. But, again, I feel that SCP’s inherent lack of these functions does not necessarily degrade it since that can be worked around without much else needed.
And What of Convenience
Some of those same misguided co-workers have mentioned the convenience of FTP. But it could be argued, and very well so, that SCP or SFTP is actually more convenient. While FTP is not typically set up by default (perhaps the justification is that it's not "as secure"), SSH is often available by default, ready to be quickly configured and activated.
Obviously, this all depends on the platform or flavor of distro being used. But in most cases SCP can be run right from an SSH session, or simply by using the same credentials that would be used to SSH to the destination machine. The limited functionality takes away from the convenience, but this is not complicated stuff to set up, and using a client-side interface adds that functionality right back in.
And What of Convenience for Actual Execution
Like FTP, SCP actually has some applications with nice, simple and effective interfaces for moving files from here to there. The destination (typically server-side) must be set up for whichever protocol will be used. And since SFTP is not really related to FTP, it just requires a listening SSH server instance. As mentioned earlier, SCP also needs a listening SSH instance to connect and transfer. The general steps of what happens are listed at the end of this article.
If you want to check if the destination side has SSH running, here are examples of some commands:
From the command line of Ubuntu, one of the top three most popular Linux distros:
- /etc/init.d/ssh status
- service ssh status
From Windows:
- ‘Start’ -> type ‘services.msc’
- Locate SSH service (maybe OpenSSH)
- Check if status is running
So, assuming the results show that SSH is running, all that is left is to configure a client with the correct credentials. For manual use, I'd recommend FileZilla for SFTP and WinSCP for SCP. Otherwise, developers should investigate the command-line commands to include in their code.
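A client-side complement to the service checks above, as an added example that is not part of the original article: it connects to a port and reads the server's greeting to tell an SSH endpoint (usable for SFTP and SCP) from a plain FTP one. The function names and the sample greetings are constructed for illustration.

```python
import socket

def classify_banner(banner: bytes) -> str:
    """Classify the first line a server sends right after the TCP connect."""
    line = banner.split(b"\n", 1)[0].strip()
    if line.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"         # SSH-2 identification string: SFTP/SCP can run here
    if line.startswith(b"SSH-1."):
        return "ssh-legacy"  # SSH protocol 1 only: obsolete, should be upgraded
    if line[:3] == b"220":
        return "ftp-like"    # 220 greeting as sent by FTP (SMTP uses it too)
    return "unknown"

def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect, read one greeting line, and classify it."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"      # refused, filtered or unreachable
    data = b""
    with sock:
        try:
            # Assumes the identification is the first line, as OpenSSH sends it.
            while b"\n" not in data and len(data) < 512:
                chunk = sock.recv(256)
                if not chunk:
                    break
                data += chunk
        except OSError:
            pass             # silent or reset peer: classify what arrived
    return classify_banner(data)

if __name__ == "__main__":
    # Constructed sample greetings, not captured from any real server.
    samples = [b"SSH-2.0-OpenSSH_9.6\r\n", b"220 Example FTP ready\r\n",
               b"SSH-1.5-legacy\r\n", b"HTTP/1.1 400 Bad Request\r\n"]
    for s in samples:
        print(s.strip().decode(), "->", classify_banner(s))
```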
Now that we know FTP is inferior on an important level, continue to practice happy scrutinizing.