♥Biancoblu
Posted April 1, 2013

Just out of curiosity, who uses encrypted FTP connections as opposed to non-encrypted?

For a long time I've used regular FTP until someone told me it was better to use an encrypted connection, so I tried SFTP (SSH). Then I moved to other hosts that didn't allow SSH as they claimed it had security holes, so I was advised to use FTPES.

I know some people say encrypted FTP is useless whilst others claim the exact opposite, so what's your opinion and why? What do you use yourself?

Thanks
Isa

~ Don't mistake my kindness for weakness ~

Guest
Posted April 2, 2013

@Biancoblu

I personally don't use it as there is a noticeable decrease in connection speed to most servers. The only time I might use it is if a client requests it.

Chris

MrPhil
Posted April 2, 2013

Keep in mind that regular FTP is quite insecure: it sends the password to the server in plain text, and anyone snooping on the line can see it. WinSCP is popular, if your host supports it, but I don't know if it encrypts the data too. SSH/SFTP may or may not have security holes -- I suppose almost any security system will have flaws if you pound on it hard enough. It would certainly be better than plain FTP, but I don't know by how much. FTPES I'm not familiar with.

Anything that uses SSL or other means to encrypt data in transit is going to be noticeably slower than unencrypted transmissions. That's just a given. If you need security, at the very least you want passwords and such securely encrypted, but if you don't need the data itself encrypted, you might find something that leaves the data alone and gives you higher transfer speeds.

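Editorial example, added here and not part of any poster's message: the two cases raised above (plain FTP exposing the password, and a setup that protects the login but leaves the data alone) correspond in FTPES to the `AUTH TLS` and `PROT` commands. The session logs below are constructed samples, and the function name and finding labels are illustrative assumptions.

```python
# Added example: audit FTP client command logs for cleartext exposure.
# Assumption: every command was accepted by the server (replies are not modelled).

# Constructed sample sessions (client commands in order), not taken from the thread.
PLAIN_FTP = ["USER shop", "PASS example-pw", "PASV", "RETR orders.csv"]
FTPES_LOGIN_ONLY = ["AUTH TLS", "USER shop", "PASS example-pw",
                    "PBSZ 0", "PROT C", "PASV", "RETR orders.csv"]
FTPES_FULL = ["AUTH TLS", "USER shop", "PASS example-pw",
              "PBSZ 0", "PROT P", "PASV", "STOR backup.sql"]

CREDENTIAL_CMDS = {"USER", "PASS", "ACCT"}
DATA_CMDS = {"RETR", "STOR", "STOU", "APPE", "LIST", "NLST", "MLSD"}


def audit_session(commands):
    """Return the distinct findings for one session, in order of first occurrence."""
    control_tls = False   # True once AUTH TLS has upgraded the control channel
    data_prot = "C"       # RFC 4217: data channel stays Clear until PROT P is sent
    findings = []

    def flag(name):
        if name not in findings:
            findings.append(name)

    for line in commands:
        parts = line.strip().split(None, 1)
        if not parts:
            continue
        verb = parts[0].upper()
        arg = parts[1].strip().upper() if len(parts) > 1 else ""
        if verb == "AUTH" and arg == "TLS":
            control_tls = True
        elif verb == "CCC":                 # Clear Command Channel: back to plaintext
            control_tls = False
        elif verb == "PROT" and control_tls and arg in ("C", "P"):
            data_prot = arg
        elif verb in CREDENTIAL_CMDS and not control_tls:
            flag("cleartext-credentials")
        elif verb in DATA_CMDS and data_prot != "P":
            flag("cleartext-data")
    return findings


if __name__ == "__main__":
    for name, session in [("plain FTP", PLAIN_FTP),
                          ("FTPES, login only", FTPES_LOGIN_ONLY),
                          ("FTPES, PROT P", FTPES_FULL)]:
        print(f"{name:18} -> {audit_session(session) or 'no cleartext exposure'}")
```
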
♥John W
Posted April 2, 2013

I only use SFTP but I have a dedicated server and the data center got me started with sftp in 2007 as the most secure way to connect to a server. For me security is most important but SFTP can be optimized to be very fast. A lot of software supports it and you can use a generated key pair to connect.

@Biancoblu the security flaws that your host is talking about is letting users have access to it because I think it always has a shell type connection so access is limited. Basically, they don't trust you with it which is not a bad thing. If they have changed the shell port from 22 to something unknown then that is more secure but is best kept a secret.

I'm not really a dog.

♥Biancoblu (Author)
Posted April 2, 2013

Thanks for all your replies.

Personally I think my ecommerce should be transferred via an encrypted connection just to be on the safer side.....then again I am a complete security obsessed person :D

It is true though that the transfer is considerably slower. Like I said, my present host make me use FTPES as they refuse the use of SFTP. Googling FTPES, I read that, although I do not know if this article is really correct:

FTPES represents FTP over explicit TLS/SSL. As far as I know, this is the safest FTP connection as either a public or private key combo is used to encrypt data. This is the same process that is used when you make a purchase online at a "secured" website. If you don't use a secured website, you might as well just post all of your personal information on the Internet for everyone to see.

link here

~ Don't mistake my kindness for weakness ~

cornishpirate
Posted April 3, 2013

I moved to SFTP recently as my PCI scanner failed me on standard FTP. No problems, just upgraded my version of Beyond Compare to the Pro version in order to support it.

Guess it's a warning to everyone that PCI compliance is getting tougher.