What is FTPS?

File Transfer Protocol Secure (FTPS) is a secure file transfer protocol based on File Transfer Protocol (FTP). It was created as a substitute for FTP, which sends usernames, passwords and data in plaintext. That means anyone can intercept, read or sell confidential information sent with FTP.

Does FTPS use TCP or UDP?

FTPS uses Transmission Control Protocol (TCP), not User Datagram Protocol (UDP). Here’s why that matters:

With TCP, the sending computer checks to make sure the other computer is ready to receive files. With UDP, the sending computer sends files without making sure they’ll be received. That means there’s a risk of files arriving out of order or not at all.

TCP verifies that the receiving computer is ready to receive files with a three-way handshake:

Sending computer sends a message called a SYN.
Receiving computer sends a message back called a SYN ACK.
Sending computer acknowledges the receiving computer’s message with an ACK RECEIVED MESSAGE.

Does FTPS use SSL, TLS or SSH?

FTPS uses Secure Sockets Layer (SSL) or Transport Layer Security (TLS), not Secure Shell (SSH) to encrypt files. The client and server negotiate together to decide whether to use SSL or TLS.

The client and server agree on a key to use for encryption with an SSL/TLS handshake:

Acknowledgement

Client sends a Hello message with the version number and the cipher suite it can support.

For this example, we’ll assume the client supports TLS.

The server chooses the cipher suite based on the client’s available cipher suites. It sends a certificate, which includes the server’s public key. Finally, it sends a Hello Done message.

The public key encrypts data and can be shared with anyone. The private key decrypts data and shouldn’t be shared with anyone.

The public key is the server’s way of presenting its identity to the client.

Key Exchange

The client checks the certificate to make sure it hasn’t expired. It generates a pre-master secret based on the server’s public key. It encrypts the secret with the public key.

The server decrypts the pre-master secret with its private key.

Symmetric Encryption Key Generation

The client generates a symmetric encryption key based on the pre-master secret. It sends a Client Finished message.
The server generates a symmetric encryption key based on the pre-master secret too.

Change Cipher Spec and Send Data

Server sends a message called Change Cipher Spec.

This message tells the client that the negotiations are changing from asymmetric encryption to symmetric encryption. The server sends a Server Finished message.

Data is encrypted and sent.

Does FTPS need a certificate?

Yes, FTPS needs a certificate because it uses SSL/TLS.

How does FTPS work?

TCP handshake.

FTPS uses TCP port 21 if it’s an explicit connection and TCP port 990 if it’s an implicit connection.

SSL or TLS handshake.

The client and server negotiate a port for passive or active transfers. Passive transfers are on TCP port 3000-3050. Active transfers are on TCP port 20.

Both the client and server generate an encryption key to encrypt the data with.

Data is encrypted and sent.

FTPS vs SFTP and HTTPS

SSH File Transfer Protocol (SFTP) and Hypertext Transfer Protocol Secure (HTTPS) are two other encrypted file transfer protocols that are sometimes used instead of FTPS.

Category	FTPS	SFTP	HTTPS
Speed	A bit faster than SFTP because FTPS uses two different connections that run asynchronously to achieve the highest data transfer speed possible.	SFTP is a bit slower than FTPS because synchronization packets are sent on the same channel as data packets.	HTTPS has better download speeds, but it isn’t great for uploading. It also doesn’t transfer large files quickly.
Ease of Implementation	More difficult than SFTP to implement because you need to open multiple ports.	Considered the easiest FTP protocol to implement because only one port needs to be open.	Very firewall-friendly and no need to open ports.
Great for	When you need to track user movement during sessions because FTPS logs all of that.	When you need a secure file transfer protocol that is also easy to configure.	When you need secure web-based file transfers and fast downloads.
Security	Equal to SFTP and HTTPS in security because it encrypts usernames, passwords and contents of data.	Equal to FTPS and HTTPS in security because it encrypts usernames, passwords and contents of data.	Equal to FTPS and SFTP in security because it encrypts usernames, passwords and contents of data.

Other factors that affect file transfer speed include:

Speed of each machine’s disk
Speed of the network
Network tuning
Machine tuning

Is FTPS secure enough?

The answer to this depends on what you’re using FTPS for. If you’re using FTPS to send non-confidential files to family or friends, it’s probably fine.

But if you’re using FTPS servers with no additional security measures in place, it’s probably not secure enough.

For example, if your organization needs to achieve Payment Card Industry Data Security Standard (PCI DSS) compliance you’d also need:

A secure firewall configuration
Data encryption at rest
Antivirus software
Restrictions on access to data on a need-to-know basis and more.

Implicit vs Explicit FTPS

Category	Implicit FTPS	Explicit FTPS (FTPES)
Port Number	Port 990	Port 21
Popularity	Deprecated because it’s never been formally standardized. No standard means no implementation is correct.	More used because it has a standard and strict rules and guidelines on how to implement it.
If client doesn’t meet security requirements,	Server drops connection.	Connection is declined or transfer is made insecurely using FTP.
Encryption	SSL/TLS connection is established immediately, which means everything (login and file transfer) is encrypted.	Users can choose what is encrypted: just the credentials, credentials and the file or only the file.

Is FTPS enough for your business?

FTPS is more secure than FTP because it encrypts data, but it doesn’t have everything you need to completely secure file transfers.

Thru, our cloud managed file transfer (MFT) platform, includes many security features to help you remain compliant with GDPR and HIPAA, including:

File payload encryption with Pretty Good Privacy (PGP)
Encryption at rest
Role-based access controls
Antivirus scanning
Multi-factor authentication

datatracker.ietf.org/doc/html/rfc4217
Video by F5 DevCentral. Breaking Down the TLS Handshake

Cookie	Duration	Description
__cfruid	session	Cloudflare sets this cookie to identify trusted web traffic.
ASP.NET_SessionId	session	Issued by Microsoft's ASP.NET Application, this cookie stores session data during a user's website visit.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Cookie	Duration	Description
_uetsid	1 day	Bing Ads sets this cookie to engage with a user that has previously visited the website.
_uetvid	1 year 24 days	Bing Ads sets this cookie to engage with a user that has previously visited the website.
SRM_B	1 year 24 days	Used by Microsoft Advertising as a unique ID for visitors.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_V6RF3B9LE4	2 years	This cookie is installed by Google Analytics.
_gat_UA-1502461-4	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_session_id	14 days	Cookie set by G2 to store the visitor’s navigation by recording the landing pages. This allows the website to present products and indicate the efficiency of the website.
undefined	never	Wistia sets this cookie to collect data on visitor interaction with the website's video-content, to make the website's video-content more relevant for the visitor.

Cookie	Duration	Description
ANONCHK	10 minutes	The ANONCHK cookie, set by Bing, is used to store a user's session ID and also verify the clicks from ads on the Bing search engine. The cookie helps in reporting and personalization as well.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
MUID	1 year 24 days	Bing sets this cookie to recognize unique web browsers visiting Microsoft sites. This cookie is used for advertising, site analytics, and other operations.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.

What Is FTPS?