Does FTPS (FTP+S) offer better security than SFTP on the server side?
I had an exchange with some third party sysadmin yesterday regarding the setup of a file transfer interface between our servers.
I suggested using SFTP because our application has good support for it. My interlocutor absolutely wants FTP+S (FTP+TLS) which we currently don't support and would need to develop.
I argued that I did not see any real benefit in FTP+S over SFTP since both offer solid traffic encryption. SFTP is readily available and can be made even more secure with public key authentication. Last but not least, its single connection mode makes it much nicer to use behind corporate firewalls.
The sysadmin almost called me an idiot, stating that SFTP works on top of SSH which is a protocol designed for administration purposes, and that opening an SSH port for any other use than administration is clearly a bad idea because it opens a broad attack vector against the host system.
I am wondering if this argument is valid. There seem to be various ways to restrict an SSH session to only allow SFTP file transfer. There is the internal-sftp subsystem that comes with OpenSSH, where you can easily set up a chroot and disable TCP forwarding. I even heard about solutions that presumably allow users to connect via SFTP without requiring an entry in the passwd file... I do not see any clear problem with SFTP that you would not have with FTP+S, but I could be missing something?
So, despite the restrictions that you can apply to SSH, is FTP+S a better option for file transfers, security-wise?
In terms of the security they provide, FTPS and SFTP are similar in theory.
In practice you have the following advantages and disadvantages:
- With FTPS, client applications often fail to validate the certificates properly, which effectively means man in the middle is possible. With SFTP, users instead simply skip information about the host key and accept anything, so the result is the same.
- But users and admins with more knowledge could make use of SSH keys properly and use these also for authentication, which then makes SFTP much easier to use compared to using passwords. And if passwords are forbidden entirely then this is also more secure because brute force password attacks are no longer possible.
- FTP uses dynamic ports for data connections and information about these ports is transferred in-band. This already makes plain FTP (without TLS) a nightmare when firewalls, NAT or similar are involved. With FTPS (FTP+TLS) this gets even worse because, due to the encryption of the control connection, helper applications on the firewall can no longer find out which ports need to be opened. This means that to pass FTPS you would need to open a wide range of ports, which is bad for security(*). SFTP is much better because it uses only a single connection for control and data.
- FTP(S) servers often provide anonymous access and SFTP servers usually don't. Several FTP(S) servers also offer pseudo users, i.e. users taken from same database or similar which are not real users on the system. If you have proper users only anyway this does not matter.
- SFTP uses the SSH protocol and you have to configure the system properly to only allow SFTP access and not also SSH (terminal) access or even SSH forwarding. With FTP this is easier because FTP can do only file transfer anyway.
(*) Several comments do not really believe that having a wide range of ports open is bad for security. Thus let me explain this in more detail:
FTP uses separate TCP connections for data transfer. Which ports are used for these connections is dynamic, and information about them gets exchanged inside the control connection. A firewall which does not know which ports are currently in use can only allow a wide port range which may sometimes be used by FTP.
These ports need to allow access from outside to inside because in FTP passive mode the client connects to some dynamic port on the server (i.e. relevant for server side firewall) and for FTP active mode the server connects to some dynamic port on the client (relevant for client side firewall).
Having a wide range of ports open for unrestricted access from outside to inside is not what somebody usually considers a restrictive firewall which protects the inside. This is more similar to having a big hole in the door where a burglar might come into the house.
To work around this problem most firewalls employ "helpers" for FTP which look into the FTP control connection to figure out which ports need to be opened for the next data connection. One example is ip_conntrack_ftp for iptables. Unfortunately with FTPS the control connection is (usually) encrypted so these helpers are blind and cannot dynamically open the required ports. This means either FTP does not work or a wide range of ports needs to be open all the time.
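The helper behaviour described in the answer above, as an added example that is not part of the original answer and is not the code of ip_conntrack_ftp: a simplified model that reads the data port from a plaintext PASV or EPSV reply and falls back to a static range when the control channel carries a TLS record. The sample payloads are constructed, and the passive range 49152-65535 is an assumed server setting.

```python
import re

# Constructed sample control-channel payloads (not captured traffic).
PASV_REPLY = b"227 Entering Passive Mode (192,0,2,10,195,80)\r\n"
EPSV_REPLY = b"229 Entering Extended Passive Mode (|||50000|)\r\n"
# TLS application-data record header (type 0x17, version 0x0303, length 32)
# followed by constructed filler bytes standing in for ciphertext.
TLS_RECORD = bytes([0x17, 0x03, 0x03, 0x00, 0x20]) + bytes(range(0x80, 0xA0))

_PASV = re.compile(rb"^227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
_EPSV = re.compile(rb"^229 [^(]*\(\|\|\|(\d+)\|\)")


def expected_data_port(payload):
    """Return the data port announced in a server reply, or None if unreadable."""
    m = _PASV.match(payload)
    if m:
        fields = [int(x) for x in m.groups()]
        if any(f > 255 for f in fields):
            return None
        return fields[4] * 256 + fields[5]  # port = p1*256 + p2 (RFC 959)
    m = _EPSV.match(payload)
    if m:
        port = int(m.group(1))
        return port if 0 < port < 65536 else None
    return None


def firewall_decision(payload, passive_range=(49152, 65535)):
    """Model the two outcomes on a server-side firewall.

    passive_range is an assumption: the range the FTP server is configured
    to use for passive data connections.
    """
    port = expected_data_port(payload)
    if port is not None:
        return ("open-single-port", port)  # pinhole for one data connection
    # Helper cannot read the reply: the whole range stays open, or FTPS fails.
    return ("open-static-range", passive_range)
```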
+0 – Regarding the last bullet point: the SITE command (esp. SITE EXEC) has a pretty bad history in terms of security/exploits. The "can only do file transfers" is only true of a sane and correctly configured FTP server. — Apr 28, 2016 at 10:06
+6 – "open a wide range of ports (which is insecure!)" Without any reasons given as to why that would be insecure, I think it's a bit of an odd statement. I generally disagree (if your security depends upon ports being closed, something is probably wrong), but I thought I'd comment and ask before just editing it... (Overall, good answer though -- upvoted.) — Apr 28, 2016 at 12:52
+6 – @Luc: I thought it was obvious why opening a wide range of ports in a firewall is a bad idea. But I reworded this part so it is hopefully more clear. And of course your security should not depend on ports being closed but such restrictions are part of security in depth. Having unrestricted access from outside to inside on a wide range of ports is just a bad idea even if the systems inside are considered (mostly) secure. — Apr 28, 2016 at 13:22
+4 – @SteffenUllrich your edit didn't actually explain how the system is made less secure by having ports accessible. Having the FTP server listening on multiple ports is no less secure than having it listening on just one. I know your advice is popular, but as far as I know its popularity is just cargo-culting. — Apr 28, 2016 at 15:14
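Both the question and the answer mention limiting an SSH account to SFTP only (internal-sftp, a chroot, no TCP forwarding, keys instead of passwords). The following is an added example, not part of any post above: a small audit of an sshd_config for those restrictions, run on two constructed configs. The group name `sftponly` and the chroot path are assumptions.

```python
# Constructed sample configs; group name "sftponly" and the chroot path are assumptions.
WEAK = """Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
"""
HARDENED = """Subsystem sftp internal-sftp
PasswordAuthentication no
Match Group sftponly
    ForceCommand internal-sftp
    ChrootDirectory /srv/sftp/%u
    AllowTcpForwarding no
"""
# OpenSSH defaults for the checked keywords, applied when a keyword is absent.
DEFAULTS = {"forcecommand": "none", "chrootdirectory": "none",
            "allowtcpforwarding": "yes", "passwordauthentication": "yes"}


def effective_settings(config, match_line):
    """Global keywords, overridden by those in the named Match block."""
    scopes = {"global": {}, "match": {}}
    scope = "global"
    for raw in config.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":  # a Match block runs until the next Match line
            scope = "match" if value.lower() == match_line.lower() else "other"
        elif scope in scopes:
            scopes[scope].setdefault(key, value)  # first value seen is kept
    return {**DEFAULTS, **scopes["global"], **scopes["match"]}


def sftp_only_findings(config, match_line="Group sftponly"):
    """List the restrictions from the discussion that the config lacks."""
    s = effective_settings(config, match_line)
    findings = []
    if s["forcecommand"].split()[:1] != ["internal-sftp"]:
        findings.append("ForceCommand is not internal-sftp: session not limited to SFTP")
    if s["chrootdirectory"].lower() == "none":
        findings.append("no ChrootDirectory: account sees the whole filesystem")
    if s["allowtcpforwarding"].lower() != "no":
        findings.append("AllowTcpForwarding is not 'no': port forwarding allowed")
    if s["passwordauthentication"].lower() != "no":
        findings.append("password logins allowed: exposed to brute-force guessing")
    return findings
```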