FTPS : Explicit vs Implicit
Bimal K Barik
Principal Engineer @ OpenText | eInvoicing | API | EDI | B2B | Integration
What is FTPS?
FTP, a well-known and veteran protocol, has one major drawback: it is considered insecure because it lacks encryption. Both the data being transferred between client and server and the credentials used for authentication are sent "as is", meaning they can be intercepted and read with little effort.
Even for internal transfers this is likely to be unacceptable, as privileged account usernames and passwords can be intercepted and used for unauthorised system access, which could lead to a serious data breach. To combat this glaring flaw, FTP can make use of SSL/TLS (hence the term FTPS) to ensure that the two parties can exchange data securely. The only choice is then whether to use explicit or implicit FTPS.
What is Explicit FTPS?
Explicit FTPS is a mode of FTPS in which the client "explicitly" requests the server to create a secured session, using SSL/TLS, on port 21 prior to authentication. Only the data channel is encrypted.
In essence, the client connects to the traditionally insecure port of 21 and then has to specifically request a secure connection be established.
What is Implicit FTPS?
With implicit FTPS, the client connects to a dedicated implicit FTPS port, usually 990, where SSL/TLS connections are always provided without request. Implicit FTPS uses a dedicated port for secure connections so that the unencrypted channel on port 21 can be left open for instances where this is permissible.
The easiest way to remember the difference between the two modes is that explicit FTPS must be switched on by a command issued from the client, and implicit FTPS is always on. Both the data and communication channels are encrypted.
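The difference between the modes is visible in the first messages of a connection. The following added example (not part of the original article) classifies the opening of a session as plain FTP, explicit FTPS or implicit FTPS, and reports whether a login was sent before any TLS. The function names and sample sessions are constructed for illustration; it assumes the explicit request is the `AUTH TLS` command answered with reply code `234`, as defined in RFC 4217.

```python
# Added example: classify the opening messages of an FTP connection.
# All names and sample sessions here are constructed for illustration.

def looks_like_tls(payload: bytes) -> bool:
    # TLS record header: content type 0x16 (handshake), version major 0x03.
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03

def classify_session(messages):
    """messages: ordered (direction, payload) pairs; 'C' = client, 'S' = server.
    Returns (mode, cleartext_credentials)."""
    seen_cleartext = auth_sent = auth_accepted = creds_in_clear = False
    for direction, payload in messages:
        if looks_like_tls(payload):
            if not seen_cleartext:
                return ("implicit", False)           # TLS from the first byte
            if auth_accepted:
                return ("explicit", creds_in_clear)  # upgraded on request
            return ("unknown", creds_in_clear)       # TLS without an accepted AUTH
        seen_cleartext = True
        words = payload.decode("ascii", "replace").split()
        verb = words[0].upper() if words else ""
        if direction == "C":
            if verb == "AUTH" and [w.upper() for w in words[1:2]] in (["TLS"], ["SSL"]):
                auth_sent = True
            elif verb in ("USER", "PASS"):
                creds_in_clear = True                # login sent before any TLS
        elif auth_sent and verb == "234":
            auth_accepted = True                     # server agreed to start TLS
    return ("plain", creds_in_clear)

# Constructed stub standing in for the start of a TLS ClientHello record.
CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x05]) + b"\x01\x00\x00\x01\x00"
BANNER = ("S", b"220 FTP server ready\r\n")

SESSIONS = {
    "plain": [BANNER, ("C", b"USER alice\r\n"),
              ("S", b"331 Password required\r\n"), ("C", b"PASS example\r\n")],
    "explicit": [BANNER, ("C", b"AUTH TLS\r\n"),
                 ("S", b"234 Proceed with negotiation\r\n"), ("C", CLIENT_HELLO)],
    "implicit": [("C", CLIENT_HELLO)],
    # Failure mode: server refuses AUTH and the client logs in unencrypted.
    "refused": [BANNER, ("C", b"AUTH TLS\r\n"),
                ("S", b"502 Command not implemented\r\n"),
                ("C", b"USER alice\r\n"), ("C", b"PASS example\r\n")],
}

if __name__ == "__main__":
    for name, session in SESSIONS.items():
        print(name, classify_session(session))
```

The "refused" session is the case to alert on for port 21: the client asked for TLS, was turned down, and sent its credentials in the clear anyway.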