Enough With the FTP, Already – Go With SCP (or SFTP) When Available
People still use FTP – No, that’s not a question, it’s a statement of fact.
Time after time at my last job I used to overhear co-workers using that most dreaded of acronyms: FTP (File Transfer Protocol). While this is useful for certain things, namely (er, maybe…?) local, non-scheduled file transfer, there are non-plain (a pun you might get later) alternatives that should be used in a business or security-oriented implementation. Those alternatives are SCP (Secure Copy Protocol) or SFTP (Secure File Transfer Protocol).
FTP, SFTP and SCP can help accomplish the same thing, which is to move files from here to there (or, based on relativity, from there to here) nice and quickly and over ethernet. There is one major difference between FTP and the other two, though: FTP sends data in plain text, whereas SCP and SFTP use the SSH (Secure Shell) protocol for communication. Again, this is for security purposes, so when it comes to websites and transferring sensitive information, it is always better to err on the side of security.
The Difference Between SCP and SFTP
Before we can get to the differences, we need to divert from the heading a bit and talk about the similarities. Both protocols use SSH for the authentication and encryption of the connection. Since SSH typically uses TCP (Transmission Control Protocol), both SFTP and SCP will, by default, use TCP, which guarantees delivery of the traffic. Both have options for a command-line connection or nice, pretty interfaces. Now that we’ve finished our diversion, we can talk about the ways they diverge.
SCP is really only meant for the one thing that was mentioned: moving files from here to there (or there to here). When it comes to stuff like listing folder contents, or folder management, SCP itself does not really have the ability to do so. However, the underlying platform of SSH allows for that kind of functionality, and many of the client-side applications have those kinds of functions built in. So, at its base, SCP cannot help you with that; you would have to find ad hoc ways of working around SCP in order to be able to do those kinds of things.
SFTP, on the other hand, has these functions built right into it so there is no issue there. But, again, I feel that SCP’s inherent lack of these functions does not necessarily degrade it since that can be worked around without much else needed.
And What of Convenience
Some of those same misguided co-workers have mentioned the convenience of FTP. But it could be argued, and very well so, that SCP or SFTP is actually more convenient. While FTP is not typically set up by default (perhaps the justification is that it’s not “as secure”), SSH is often available by default–ready to be quickly configured and activated.
Obviously, this all depends on the platform/flavor of distro being used. But in most cases SCP can be run right on an SSH session, or by simply using the same credentials as would be used to SSH to the destination machine. The limited functionality takes away from the convenience, but this is not complicated stuff to set up, and using a client-side interface adds that functionality right back in.
And What of Convenience for Actual Execution
Like FTP, SCP actually has some applications with nice, simple and effective interfaces for moving files from here to there. The destination (typically server-side) must be set up for whichever protocol will be used. And since SFTP is not really related to FTP, it just requires a listening SSH server instance. As mentioned earlier, SCP also needs a listening SSH instance to connect and transfer. The general steps of what happens are listed at the end of this article.
If you want to check whether the destination side has SSH running, here are some example commands:
From the command line of Ubuntu, one of the top three most popular Linux distros:
- /etc/init.d/ssh status
Or:
- service ssh status
Windows Server:
- ‘Start’ -> type ‘services.msc’
- Locate SSH service (maybe OpenSSH)
- Check if status is running
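When you cannot log in to the destination to run those checks, the same question can be answered from the client side by reading the identification string an SSH server sends as soon as a client connects (RFC 4253). The following is an added example, not part of the original article; the function names and the sample greetings are constructed for illustration.

```python
import socket

def parse_ssh_ident(data: bytes):
    """Return (protoversion, softwareversion) from an SSH identification
    string (the "SSH-2.0-..." greeting line), or None if there is none."""
    for raw in data.split(b"\n"):
        line = raw.rstrip(b"\r")
        if not line.startswith(b"SSH-"):
            continue  # a server may send other lines before its ident string
        ident = line.decode("ascii", "replace").split(" ", 1)[0]
        parts = ident.split("-", 2)  # software version may itself contain "-"
        if len(parts) == 3 and parts[1] and parts[2]:
            return parts[1], parts[2]
    return None

def read_ident(sock, limit=4096):
    """Read the greeting from a connected socket; parse complete lines only."""
    buf = b""
    try:
        while len(buf) < limit:
            chunk = sock.recv(256)
            if not chunk:
                break  # peer closed without identifying as SSH
            buf += chunk
            ident = parse_ssh_ident(buf[: buf.rfind(b"\n") + 1])
            if ident:
                return ident
    except OSError:
        pass  # timeout or reset: treat as "no SSH greeting seen"
    return None

def verdict(ident):
    """Turn a parsed ident (or None) into a go/no-go message."""
    if ident is None:
        return "not SSH: scp/sftp will not work against this port"
    proto, software = ident
    if proto in ("2.0", "1.99"):  # 1.99 = SSH-2 server that also accepts SSH-1
        return f"SSH-2 available ({software}): scp/sftp can be used"
    return f"legacy SSH protocol {proto} ({software}): upgrade the server first"

def check_destination(host, port=22, timeout=5.0):
    """Connect to host:port and report whether it speaks SSH."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return verdict(read_ident(s))
    except OSError as exc:
        return f"no connection: {exc}"

if __name__ == "__main__":
    # Constructed sample greetings, not captured from real servers.
    for banner in (b"SSH-2.0-OpenSSH_8.9p1 Ubuntu\r\n", b"220 FTP ready\r\n"):
        print(banner, "->", verdict(parse_ssh_ident(banner)))
```

Call `check_destination("files.example.com")` with your own destination host in place of the placeholder name; a port that answers with an FTP-style `220` greeting is reported as not SSH.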
So, assuming the results show that SSH is running, there would just need to be a client configured with the correct credentials. For manual use, I’d recommend FileZilla for SFTP and WinSCP for SCP. Otherwise, developers should investigate the command-line commands to include in their code.
Now that we know FTP is inferior on an important level, continue to practice happy scrutinizing.
Check out Ross’s Email Security Series:
- Email Security – Part 1: Certificate Signed Emails
- Email Security – Part 2: Phishing and Other Falseness
- Email Security – Part 3: Sender Policy Framework (SPF)
- Email Security – Part 4: DKIM (DomainKeys Identified Mail)
- Email Security – Part 5: DMARC, Reporting and Email
- Email Security – Bonus: S/Mime Certificates for Apple Users