What is Explicit and Implicit FTPS?

You may have noticed that this is our second blog post in recent days on the different configurable modes of FTP, following our previous blog on the differences between active and passive FTP. We often write about our experiences at the time, and the past 30 days have been no exception: we have spoken with and assisted a number of customers through the intricacies of FTP.

One question that keeps coming up is the difference between implicit and explicit FTP, otherwise known as FTPS.

 

What is FTPS?

 

FTP, a well-known and veteran protocol, has one major drawback: it is considered insecure because it lacks encryption. Both the data being transferred between client and server and the credentials used for authentication are sent "as is", meaning they can be intercepted and read with little effort.

Even for internal transfers this is likely to be unacceptable, as privileged account usernames and passwords can be intercepted and used for unauthorised system access, which could lead to a serious data breach.

To combat this glaring flaw, FTP can make use of SSL/TLS (hence the term FTPS) to ensure that the two parties can exchange data securely.

The only choice is then whether to use explicit or implicit FTPS.

 

What is Explicit FTPS?

 

Explicit FTPS is a mode of FTPS in which the client "explicitly" requests the server to create a secured session, using SSL/TLS, on port 21 prior to authentication.

In essence, the client connects to the traditionally insecure port of 21 and then has to specifically request a secure connection be established.


 

What is Implicit FTPS?

 

With implicit FTPS, the client connects to a dedicated implicit FTPS port, usually 990, where SSL/TLS connections are always provided without request.

Implicit FTPS uses a dedicated port for secure connections so that the unencrypted channel on port 21 can be left open for instances where this is permissible.

The easiest way to remember the difference between the two modes is that explicit FTPS must be switched on by a command issued from the client, whereas implicit FTPS is always on.
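Because explicit FTPS depends on the client asking for TLS, a port 21 session in which the client never asks, or is refused and carries on, still exposes its credentials. The following is an added example, not code from the original post: it audits readable control-channel lines for that case, assuming the RFC 4217 `AUTH TLS` command and `234` acceptance reply. The function name, verdict strings and sample sessions are constructed for illustration.

```python
import re

FINAL_REPLY = re.compile(r"^(\d{3}) ")  # "234-..." continuation lines are skipped

def audit_session(lines):
    """Classify one cleartext control-channel capture from port 21.

    lines: (direction, text) pairs, direction 'C' = client, 'S' = server.
    Returns (verdict, findings). Command arguments are never copied into
    findings, so passwords do not leak into the audit output.
    """
    findings = []
    auth_pending = False  # client sent AUTH TLS/SSL and awaits the reply
    upgraded = False      # server answered 234: TLS handshake follows
    for direction, text in lines:
        text = text.strip()
        if not text:
            continue
        if upgraded:
            # Nothing should be readable once the channel is wrapped in TLS.
            findings.append("readable line after 234: " + text.split()[0])
        elif direction == "C":
            verb, _, arg = text.partition(" ")
            if verb.upper() == "AUTH" and arg.strip().upper() in ("TLS", "SSL"):
                auth_pending = True
            elif verb.upper() in ("USER", "PASS"):
                findings.append(verb.upper() + " sent in cleartext")
        elif auth_pending:
            reply = FINAL_REPLY.match(text)
            if reply:
                auth_pending = False
                if reply.group(1) == "234":
                    upgraded = True
                else:
                    findings.append("AUTH refused with " + reply.group(1))
    if any("cleartext" in f for f in findings):
        return "credentials-exposed", findings
    if upgraded and not findings:
        return "secured", findings
    return "inconclusive", findings

# Constructed sample sessions (not real captures).
GOOD = [("S", "220 ftp.example.test ready"), ("C", "AUTH TLS"),
        ("S", "234 Proceed with negotiation")]
BAD = [("S", "220 ftp.example.test ready"), ("C", "USER svc_backup"),
       ("S", "331 Password required"), ("C", "PASS constructed-secret"),
       ("S", "230 Logged in")]
FALLBACK = [("S", "220 ftp.example.test ready"), ("C", "AUTH TLS"),
            ("S", "502 Command not implemented"), ("C", "USER svc_backup")]
```

A session on the implicit port has no readable control lines at all, so this check applies only to traffic on port 21.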

 

Managed File Transfer

 

Modern MFT solutions such as MOVEit Transfer, GoAnywhere, Globalscape and Axway support both explicit and implicit FTPS, and are highly regarded for their security features, such as file encryption at rest, tamper-evident audit logging and multi-factor authentication.

Pro2col has over 20 years of technical experience with MOVEit and other MFT solutions, which could help you to design and implement a secure file transfer system. Book a call today with one of our solution specialists to learn more.

About the Author

 

 

Chris Payne is the Director of Strategic Alliances and Technical at Pro2col, with decades of experience in software management and Managed File Transfer solutions. Chris is not your traditional techie with server racks under the stairs. He advocates for a healthy work/life balance, saving his love for technology for work and developing his passion for craft beer at home. Chris is a qualified brewer and has on occasion whipped out the brewing equipment. He’ll be up for a Friday pint.