File transfer is a common requirement in most businesses. While there are numerous ways to get a file from Point A to Point B over a network, perhaps the most common method still in use is FTP: File Transfer Protocol. FTP is a network file transfer protocol that was first described in RFC 959 in 1980 and has undergone numerous changes and additions since then.

By itself, FTP does not offer significant security. Connections are password protected, but all data (including passwords) is sent in plain text over the network. These days, of course, security is a primary concern, and old FTP is no longer an option for moving sensitive data across the Internet.

To address these security concerns, a strategy was devised to add a security layer to FTP using SSL/TLS. This new protocol is known as FTPS and is described in RFC 2228. Today, most FTP servers and clients support FTPS without requiring much expertise on the user's part.

Still, when setting up a new FTPS connection in most standard FTP clients, users are left with a bewildering array of options to choose from, with names like Implicit FTPS and CCC FTPS, among others.

This article will explain what these options mean and how to successfully determine which options are right for your connection.

Understanding ports

First, you need a little information about TCP/IP (the underlying protocol of the Internet). Most people know that an IP address is a numerical way to identify a computer on the Internet. When a user connects to an FTP server with a URL of, say, ftp.myhost.com, that address is translated behind the scenes into an IP address that uniquely identifies that server.

Although the IP address is necessary for your computer to communicate with a server on the Internet, it is not enough. You also need a way to tell that server which program on it you want to reach. For example, the same server computer could be running a web server, an FTP server, an email server, and so on.

Ports are a simple numerical method of identifying these different programs (also known as services). Therefore, to connect to an FTP server on the Internet, your FTP client software will use an IP address (to identify the server) and a port number (to indicate that you want to connect via FTP).

Implicit FTPS

One of the first attempts to establish a standard method of securing FTP with SSL required the client to connect to a special port to tell the FTP server that the client wishes to use SSL to secure the FTP connection. While old FTP uses port 21 to establish a connection, implicit FTPS uses port 990 instead.

This method is considered deprecated, but is still widely used and is still supported by most secure commercial FTP clients and servers.

Explicit FTPS

The aforementioned RFC 2228 that defines the FTPS standard uses a different method to determine whether or not SSL/TLS should be used to secure an FTP connection. Instead of using a special port to establish a connection, explicit FTPS (also known as FTPES) uses port 21, the same port as insecure plain FTP.

It uses negotiation to determine whether, and how, the connection should be secured. Behind the scenes, the client software tells the server software which method it wants to use to secure the connection, based on the configuration options you choose in the client software.

Explicit FTPS is generally the preferred method of securing an FTP connection and is widely supported by commercial FTP servers and clients.

More choices

When configuring most FTP clients, users are presented with more than the two FTPS options described so far (implicit and explicit). This is because explicit FTPS is broken down into three different options that identify which parts of the FTP connection will be protected.

An FTP session basically consists of two separate connections:

  • The control channel (all FTP commands, usernames, passwords, and server responses)
  • The data channel (the actual files you are trying to upload and download)

This leaves three main options for which parts of the session will be encrypted:

  • Control + Data: everything is encrypted
  • Data Only (sometimes called CCC or Clear Control Channel): Files you upload and download are encrypted, but FTP commands and responses are sent in clear text (the login happens before the control channel is cleared, so usernames and passwords are still encrypted)
  • Control Only (sometimes called CDC or Clear Data Channel): The files you upload and download are not protected, but FTP commands and responses, as well as usernames and passwords, are encrypted.

These three options are available only for explicit FTPS. Implicit FTPS has only one “flavor”: both control and data channels are encrypted.

It’s also worth noting that because Explicit FTPS is the official standard, many FTP clients just call it FTPS. A common list of options might look like this:

  • Implicit FTPS
  • FTPS Control + Data
  • FTPS Control Only
  • FTPS Data Only
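As an added example (not code from the original article), here is a small Python model of the command sequence each of the three explicit FTPS options implies. The server replies, the username and password are constructed, and the session class is a simplified stand-in for a real server, written only to track which channels end up encrypted.

```python
# Constructed model of the explicit FTPS (FTPES) negotiation on port 21: a client
# sends the commands each option implies and the model tracks which channels end
# up encrypted. Replies are illustrative, not captured from a real server.
CLIENT_OPTIONS = {
    "Control + Data": ["AUTH TLS", "USER alice", "PASS s3cret", "PBSZ 0", "PROT P"],
    "Control Only": ["AUTH TLS", "USER alice", "PASS s3cret", "PBSZ 0", "PROT C"],
    # CCC is sent only after login, so the credentials still travel encrypted.
    "Data Only (CCC)": ["AUTH TLS", "USER alice", "PASS s3cret", "PBSZ 0", "PROT P", "CCC"],
}


class ExplicitFtpsSession:
    def __init__(self):
        self.control_encrypted = False  # plain FTP until AUTH TLS succeeds
        self.data_encrypted = False     # data channel is clear until PROT P
        self.transcript = []            # (command, sent_encrypted, reply)

    def send(self, command):
        sent_encrypted = self.control_encrypted
        verb, _, arg = command.partition(" ")
        if verb == "AUTH" and arg.upper() == "TLS":
            reply, self.control_encrypted = "234 Proceed with negotiation", True
        elif verb in ("USER", "PASS"):
            reply = "331 Password required" if verb == "USER" else "230 Logged in"
        elif verb == "PBSZ":
            reply = "200 PBSZ=0"
        elif verb == "PROT" and self.control_encrypted:
            self.data_encrypted = arg.upper() == "P"
            reply = "200 Protection level set to " + arg.upper()
        elif verb == "CCC" and self.control_encrypted:
            reply, self.control_encrypted = "200 Clear command channel", False
        else:
            reply = "503 Bad sequence of commands"
        self.transcript.append((command, sent_encrypted, reply))
        return reply


def run_option(name):
    session = ExplicitFtpsSession()
    for command in CLIENT_OPTIONS[name]:
        session.send(command)
    # Were USER and PASS sent while the control channel was encrypted?
    credentials_encrypted = all(enc for cmd, enc, _ in session.transcript
                                if cmd.startswith(("USER", "PASS")))
    return session.control_encrypted, session.data_encrypted, credentials_encrypted
```

`run_option` returns (control encrypted at the end, data encrypted, credentials encrypted); only the CCC option ends with a clear control channel, and all three keep the login encrypted.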

How do I choose?

When you have a requirement to transmit data to or from an FTPS server, you are limited to the options supported by that server. This of course leads to the question: How do I know what a particular server supports?

In many cases, the server administrator will provide all the information you need to connect to the server, such as your username, password, and what settings are supported. If you don’t receive instructions on which FTPS options to choose, in most cases the best way forward is to simply try each one until you find one that works.

By far the most common option is explicit FTPS with both the control and data channels encrypted.

Which option is the best?

Both implicit and explicit FTPS offer comparable levels of encryption (assuming that with explicit FTPS you choose the option to encrypt both data and control channels).

From a practical point of view, Explicit FTPS offers some advantages that make it a superior option. For example:

  • It is the standard and supported version of FTPS and is most likely to remain widely supported in the future.
  • It uses the same port as plain FTP, so it doesn’t require additional firewall configuration (assuming your firewall is already configured for plain FTP).

Potential hazards

Most users connect to the Internet behind a NAT firewall. This poses problems for FTPS connections.

The FTP protocol requires the client and the server to pass IP address information back and forth. When connecting to the Internet from behind a NAT firewall, the FTP client must send the FTP server the IP address of the NAT firewall, not the IP address of the computer actually running the FTP client.

Because plain FTP sends all information in clear text, most NAT firewalls can inspect the control channel, detect these commands, and replace the client’s reported IP address with their own. With FTPS, this is not possible when everything the FTP client sends on the control channel is encrypted.

If you are using Explicit FTPS, one option is to use the CCC mode described above. This mode sends commands that include the IP address in clear text so that the NAT firewall can perform address translation. However, not all FTP servers support this mode. Many FTPS clients offer an option for “My IP Address” (or some similar name) to tell the client what IP address to send to the server.

A similar problem occurs when the FTP server is running on a computer that is behind a NAT firewall. By default, most FTP clients connect to an FTP server using something called “passive mode”. This mode requires the FTP server to send its IP address to the FTP client. As in the previous case, the NAT firewall needs to replace the FTP server’s IP address with its own, which it cannot do because the data coming from the FTP server is encrypted. Many FTPS clients offer options to work around this limitation. For example, when configuring the connection, you may need to select an option for “Restrict IP address” (or some similar name), which tells the client to ignore the incorrect IP address sent by the FTP server and instead reuse the IP address it originally used to connect to the FTP server.
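An added example, not from the original article, of the passive-mode workaround just described, in Python: parse the server's PASV reply and, unless explicitly told to trust it, reuse the control connection's address and take only the port from the reply (the same rule Python's own ftplib applies by default through its FTP.trust_server_pasv_ipv4_address setting). The sample replies and addresses below are constructed.

```python
import re
import ipaddress

# Constructed sample replies to the PASV command (not captured from a real server).
# An FTP server behind NAT announces its private LAN address, which the firewall
# cannot rewrite when the control channel is TLS-encrypted.
PASV_REPLY_NATTED = "227 Entering Passive Mode (192,168,1,20,195,149)."
PASV_REPLY_PUBLIC = "227 Entering Passive Mode (203,0,113,10,195,149)."

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Extract (host, port) from a 227 reply; the port is p1*256 + p2."""
    if not reply.startswith("227"):
        raise ValueError("not a PASV reply: %r" % reply)
    match = PASV_RE.search(reply)
    if match is None:
        raise ValueError("malformed PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in match.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def choose_data_endpoint(reply, control_host, trust_server_address=False):
    """Decide where the client should open the data connection.

    With trust_server_address=False (the safe default, and what a
    'Restrict IP address' style client option does) the address the
    server announced is ignored and the control connection's host is
    reused; only the port comes from the reply.
    Returns (host, port, reason).
    """
    announced_host, port = parse_pasv(reply)
    if trust_server_address:
        return announced_host, port, "using server-announced address"
    if announced_host == control_host:
        return control_host, port, "server-announced address matches control host"
    if ipaddress.ip_address(announced_host).is_private:
        reason = "server announced a private address; it is probably behind NAT"
    else:
        reason = "server-announced address differs from control host"
    return control_host, port, reason
```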
