It’s recently come to my attention that FTP (file transfer protocol) can cause some serious security concerns when developing and maintaining a Web site. Apparently, when files are uploaded or downloaded via FTP, all ASCII files are transferred as plain text. Therefore, anyone trying to spy on you through your FTP connection can easily see the content of any files you upload (including all of your passwords, etc. that you might have embedded in your files). Apparently, even the username and password you use to login to your FTP server are sent as plain text, making it rather easy for someone to pick those up while spying on you, as well.

What’s the Solution?

It seems that SFTP is the generally accepted solution. SFTP is extremely similar to FTP, except that you connect through a secure shell to the FTP server, and then all files are apparently encrypted during transfer.

How Do I Do That?

Connecting to a server through an SFTP protocol is essentially the same as connecting through a standard FTP protocol. The only real difference is that you instruct your FTP client to connect to your SSH port rather than your FTP port (in most cases, FTP defaults to port 21 while SSH defaults to port 22). If you have an FTP client that doesn’t allow you to insert custom port numbers, you can try connecting to sftp://example.com instead of ftp://example.com (where example.com is the address you normally use to access your site).

Which Clients Support SFTP?

The two clients that seem to be the most popular for use with SFTP are WinSCP and Filezilla. I’m sure that there are probably hundreds of other clients that support SFTP, but those two definitely do, and seem to be the most widely recommended.

Which Web Hosts Support SFTP?

This question is a bit more difficult to answer. However, it seems that basically any host offering SSH to its customers also offers SFTP (as the two seem to go hand-in-hand). Therefore, if you Web host offers SSH, it’s definitely worth at least trying to connect to your server through SFTP when uploading and downloading files.

Where Can I Read More?

There are plenty of great articles on the subject, and most can be found easily through Google. However, here are a few that I’ve read on the subject that I think explain the whole situation rather well.

Wikipedia also has two articles on the subject:

2 Responses

  • Ra

    Is it safe to use ssh or sftp through windows? I know it is on linux.

    • Are you asking about setting up SSH and SFTP on a Windows server, or are you talking about connecting to a server with SSH and SFTP from your regular Windows desktop/notebook computer?