ArtsAutosBooksBusinessEducationEntertainmentFamilyFashionFoodGamesGenderHealthHolidaysHomeHubPagesPersonal FinancePetsPoliticsReligionSportsTechnologyTravel

Why you shouldn't still be using FTP, SSH is more secure, SFTP on windows

Updated on August 16, 2011

Why you shouldn't still be using FTP

We all know and love FTP, most of us use it every day to move files back and forth between our web servers and local copies of our sites, but did you know that FTP is an insecure transport and a better option exists!

A safer alternative to FTP is to use Secure Shell, for those of you on UNIX platforms there are no worries as it comes built into the OS. Windows users have a harder path, Windows has no built in SSH server, but fortunately a number of free and robust solutions exist.

In this hub I will explain the difference between the two protocols and contrast the reasons for switching to SSH.

As Windows Server 2008 R2 does not have a native SSH Server, I propose a two candidate SFTP servers and some client applications.

File Transfer Protocol (FTP)

File transfer over the network using the File Transfer Protocol (FTP) has its roots in the 1980’s. FTP provides functions to upload, download, and delete files, to create and delete directories and read directory contents.

Although FTP is very popular, it has certain disadvantages that make it a poor choice of transport in the current technology landscape. The major drawbacks include the lack of the uniform format for directory listing and the presence of the secondary connection (DATA connection). Further, there are security holes in the FTP protocol as detailed here by RFT2577: FTP Security Considerations


Secure Shell (SSH)

The Secure Shell (SSH) family of protocols has been developed under the UNIX family of operating systems. Initially, the primary function of SSH was to secure remote shell access to UNIX systems. Later, SSH was extended with file transfer protocol, first SCP in SSH 1.x followed by SFTP in SSH2.

SSH is a very flexible protocol and many different types of services can run on top of it. Additionally, the protocol's open architecture allows these services to run all at the same time without impeding each other.

Version 1 of the SSH protocol is out-dated, insecure, and generally not recommended for use. The SSH version 2 protocol, or SSH2, specifies how a client can connect securely to an SSH server and to use the resulting secure link to access the server's resources.

SSH2 has been standardised by the Internet Engineering Task Force (IETF) and the majority of the world's SSH servers now support SSH2. The application features of SSH include enabling the client to execute programs, transfer files and forward other TCP/IP connections over the secure link.

SSH2 also provides for server authentication, encryption, data integrity verification and client authentication. Server authentication is performed using the DSA or the RSA public key algorithm. For encryption and data integrity verification, a number of algorithms are provided with every SSH2 product. Client authentication can be performed using, amongst others, a password or a public key algorithm such as DSA or RSA.

SSH Services

One service that is often used is the remote console. To provide this service, a channel is created in the SSH session, and the channel is used to exchange data using a terminal emulation protocol such as vt100 or xterm. The client displays to the user a console window within which the user can execute programs on the server as if he or she was logged on locally. For security reasons, if you are just interested in file transfer, this feature must be disabled.

Another very popular service is port forwarding also known as TCP/IP connection tunnelling. With SSH port forwarding it is possible to secure a TCP/IP connection established by an independent application that would otherwise be vulnerable to network attacks. This is akin to creating a VPN between parties.

Finally, SSH also provides a service known as the exec request, which is conceptually very similar to a remote console. The exec request executes a program on the server in the same way a remote console does, but the program's input and output are sent in a raw format without any terminal encoding. Exec requests are very useful for network automation purposes. For security reasons, this feature must be disabled on file transfer only type usage scenario.


FTPS (also called FTP Secure and FTP-SSL) is an extension to the commonly used File Transfer Protocol (FTP) that adds support for the Transport Layer Security and the Secure Sockets Layer (SSL) cryptographic protocols.

The SSH File Transfer Protocol (also called Secure File Transfer Protocol or SFTP) is a network protocol that provides file access, file transfer, and file management functionality over any reliable data stream.

The "SFTP" abbreviation is often mistakenly used to specify some kind of Secure FTP, by which people most often mean FTPS. Another regular mistake that is made is thinking of SFTP as some kind of FTP over SSL. SFTP is in fact an abbreviation of "SSH File Transfer Protocol".


Widely known and used
Has good standards background that strictly defines most, if not all, aspects of operations.
The communication can be read and understood by humans
Has only one connection with no need for an additional DATA connection.
Provides services for server-to-server file transfer
The connection is always secured.
SSL/TLS has good authentication mechanisms
The directory listing is uniform and machine readable.
FTP and SSL/TLS support is built into many Internet communication frameworks and Windows 2008 R2 has built in support for this.
The protocol includes operations for permissions and attributes manipulation, file locking as well as other functionality.


Does not have a uniform directory listing format
The communication is binary and can't be logged "as is" for human reading.
Requires a secondary DATA channel, which makes it hard to use behind the firewalls
SSH keys are harder to manage and validate
Doesn't define a standard for file name character sets (encodings)
The standards define certain things as optional or recommended, which leads to certain compatibility problems between different software titles from different vendors
Not all FTP servers support SSL/TLS (Windows Server 2008 R2 does)
No server-to-server copy and recursive directory removal operations
Doesn't have a standard way to get and change file and directory attributes
No built-in SSH/SFTP support in VCL and .NET frameworks.
Security issues exist in protocol

Server Selection

Option 1 - freeSSHd

freeSSHd is an open source SSH server that is simple to install. There is no official support for this product and the product forum is moderately busy.

The settings to secure the installation by disabling terminal shell, tunnelling and other types of access are not readily available. It is assumed that a moderate skill in network administration would be needed to harden this application.

No guides or detailed help files either are to be found on the product website.

Option 2 - Bitvise WinSSHD

Bitvise WinSSHD is a commercial product that has a free option for home use, so if you are just using it to move some files for yourself there is no charge. If you have greater aspirations for it, it is only $ 100 for a perpetual license per machine.

This is a very flexible and feature rich application with extensive documentation that details how to install, administer and harden the installation. The product website has an active forum and it is possible to contact the developers directly for additional support.

Client Application

A SSH Client application is required to connect to a SSH server. As the protocol is standardised any SSH client will do. Options include Tunnelier, Putty and CoffeeCupFTP. The preferred client is the Bitvise Tunnelier SSH client.

The most compelling features of this application include:

Price: Use at a one site is free as long for not more than five users. Licences over this limit cost $45.00 each.

High speed: transfer rates of up to 5MB/s when connected to a WinSSHD server and where network bandwidth and disk resources permit this.

Scriptable: A scriptable command-line remote execution client (sexec) and a command-line terminal emulation client (stermc) are included.

Rock Solid File Transfer

So there you have it, rock solid and secure, just the way we like it!


    0 of 8192 characters used
    Post Comment

    • MetalLemon profile imageAUTHOR

      Allan Rees 

      7 years ago from Brisbane, Australia

      Thanks I did some research on this a while back. Sharing is caring

    • Manna in the wild profile image

      Manna in the wild 

      7 years ago from Australia

      Good info here. Nice and accurate.


    This website uses cookies

    As a user in the EEA, your approval is needed on a few things. To provide a better website experience, uses cookies (and other similar technologies) and may collect, process, and share personal data. Please choose which areas of our service you consent to our doing so.

    For more information on managing or withdrawing consents and how we handle data, visit our Privacy Policy at:

    Show Details
    HubPages Device IDThis is used to identify particular browsers or devices when the access the service, and is used for security reasons.
    LoginThis is necessary to sign in to the HubPages Service.
    Google RecaptchaThis is used to prevent bots and spam. (Privacy Policy)
    AkismetThis is used to detect comment spam. (Privacy Policy)
    HubPages Google AnalyticsThis is used to provide data on traffic to our website, all personally identifyable data is anonymized. (Privacy Policy)
    HubPages Traffic PixelThis is used to collect data on traffic to articles and other pages on our site. Unless you are signed in to a HubPages account, all personally identifiable information is anonymized.
    Amazon Web ServicesThis is a cloud services platform that we used to host our service. (Privacy Policy)
    CloudflareThis is a cloud CDN service that we use to efficiently deliver files required for our service to operate such as javascript, cascading style sheets, images, and videos. (Privacy Policy)
    Google Hosted LibrariesJavascript software libraries such as jQuery are loaded at endpoints on the or domains, for performance and efficiency reasons. (Privacy Policy)
    Google Custom SearchThis is feature allows you to search the site. (Privacy Policy)
    Google MapsSome articles have Google Maps embedded in them. (Privacy Policy)
    Google ChartsThis is used to display charts and graphs on articles and the author center. (Privacy Policy)
    Google AdSense Host APIThis service allows you to sign up for or associate a Google AdSense account with HubPages, so that you can earn money from ads on your articles. No data is shared unless you engage with this feature. (Privacy Policy)
    Google YouTubeSome articles have YouTube videos embedded in them. (Privacy Policy)
    VimeoSome articles have Vimeo videos embedded in them. (Privacy Policy)
    PaypalThis is used for a registered author who enrolls in the HubPages Earnings program and requests to be paid via PayPal. No data is shared with Paypal unless you engage with this feature. (Privacy Policy)
    Facebook LoginYou can use this to streamline signing up for, or signing in to your Hubpages account. No data is shared with Facebook unless you engage with this feature. (Privacy Policy)
    MavenThis supports the Maven widget and search functionality. (Privacy Policy)
    Google AdSenseThis is an ad network. (Privacy Policy)
    Google DoubleClickGoogle provides ad serving technology and runs an ad network. (Privacy Policy)
    Index ExchangeThis is an ad network. (Privacy Policy)
    SovrnThis is an ad network. (Privacy Policy)
    Facebook AdsThis is an ad network. (Privacy Policy)
    Amazon Unified Ad MarketplaceThis is an ad network. (Privacy Policy)
    AppNexusThis is an ad network. (Privacy Policy)
    OpenxThis is an ad network. (Privacy Policy)
    Rubicon ProjectThis is an ad network. (Privacy Policy)
    TripleLiftThis is an ad network. (Privacy Policy)
    Say MediaWe partner with Say Media to deliver ad campaigns on our sites. (Privacy Policy)
    Remarketing PixelsWe may use remarketing pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to advertise the HubPages Service to people that have visited our sites.
    Conversion Tracking PixelsWe may use conversion tracking pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to identify when an advertisement has successfully resulted in the desired action, such as signing up for the HubPages Service or publishing an article on the HubPages Service.
    Author Google AnalyticsThis is used to provide traffic data and reports to the authors of articles on the HubPages Service. (Privacy Policy)
    ComscoreComScore is a media measurement and analytics company providing marketing data and analytics to enterprises, media and advertising agencies, and publishers. Non-consent will result in ComScore only processing obfuscated personal data. (Privacy Policy)
    Amazon Tracking PixelSome articles display amazon products as part of the Amazon Affiliate program, this pixel provides traffic statistics for those products (Privacy Policy)