冰峰雪晴

sFTP vs FTPs

时间：2016-06-15 ┊ 阅读：2,219 次 ┊ 标签: 分享 , 系统 , 配置

sFTP is a highly-secure protocol, it's always encrypted from end-to-end.

FTPs is also highly-secure, but it has the ability to turn encryption
on/off at different points in the conversation. In theory, FTPs could
be as secure as sFTP. But in practice, it almost never is.

FTP is a very old protocol. The first standard for it was published in
1971, when the Internet was only a handful of computers, and they all
trusted each other. Some of the things that FTP does are, quite
frankly, a really bad idea in today's world.

It uses a different port for every file transfer, forcing firewalls to
have a whole range of ephemeral ports open. Not a good idea for security.

It calculates the IP address and port number during the conversation,
and sends them over the control channel. In order to make that work
with NAT, the NAT router has to read every packet, and change the data
in the packet. That can't work if the data is encrypted (the NAT router
can no longer read it -- duh, it's encrypted!)

So FTPs typically uses the encryption only for the userid/password, and
then drops back to plain-text mode. That's not nearly as secure as
sFTP, which stays encrypted throughout the conversation.

Frankly, the problem with FTPs is they tried to "put lipstick on a pig".
They took a protocol that had some serious flaws already, and tried to
add cryptography to it... and it's just not as good as the totally
re-imagined sFTP protocol (which was designed for security from the
ground up.)

To me (someone who has spent a lot of time studying the inner workings
of these protocols) the idea that FTPs is more secure than sFTP is
absolutely ludicrous.

If your problem is that SSH allows interactive logins as well as file
transfers, then you should change your SSH configuration to disallow the
interactive logins for those users.

Thanks to Scott Klement

本文固定链接: https://www.amkevin.com/83.html｜冰峰雪晴｜转载请注明出处,谢谢