Understanding Explicit and Implicit FTPS

You might have seen our recent post discussing the configurable modes of FTP, particularly active versus passive FTP. We often share insights based on customer interactions, and the last month has been no exception, as we've worked with numerous clients navigating the complexities of FTP. A recurring question we encounter is the distinction between the two modes of FTPS: implicit and explicit.

What is FTPS?

FTP (RFC 959) is widely used but has a significant weakness: it has no encryption. Both the control connection, which carries authentication, and the data connection, which carries file contents and directory listings, send everything in plain text. Anyone able to intercept the traffic can read usernames, passwords and the files themselves.

Even for internal data transfers, this is usually unacceptable, as sensitive login credentials could be captured and used to gain unauthorised access to systems, potentially leading to serious data breaches.

To address this weakness, FTP can be wrapped in TLS (historically SSL, which is now deprecated and should be disabled), producing FTPS. Note that FTPS is not SFTP: SFTP is a different protocol that runs over SSH and shares only the name.

The key decision to make is whether to use explicit or implicit FTPS.

What is Explicit FTPS?

In explicit FTPS (standardised in RFC 4217), the client connects to port 21, the same port used for unsecured FTP, and must "explicitly" ask the server to switch to TLS. The server's 220 banner is sent in the clear; the client then issues AUTH TLS and, after the server's 234 reply, the TLS handshake upgrades the control connection.

Two further commands matter for security. AUTH TLS protects only the control channel; the data channel, over which file contents travel, stays unencrypted until the client sends PBSZ 0 followed by PROT P. A client that logs in over TLS but never issues PROT P will transfer its files in plain text.

What is Implicit FTPS?

In contrast, implicit FTPS operates on a dedicated port, usually 990 (with 989 historically used for the data connection). The TLS handshake begins as soon as the TCP connection opens, before the server sends a single FTP reply, so encryption is in place without any request from the client. Implicit mode predates RFC 4217 and is not covered by it, but it is widely implemented.

Because implicit FTPS lives on its own port, a server offering it often keeps port 21 open as well for plain FTP or explicit FTPS. Whether unencrypted logins are accepted on port 21 is a separate configuration decision, not something implicit mode settles on its own.

A simple way to remember the distinction: in explicit FTPS, the client must request encryption, while in implicit FTPS, encryption is always on from the first byte. The security consequence is that an explicit FTPS server is only as strong as its policy: unless it is configured to refuse USER and PASS on an unsecured control channel, a misconfigured client, or a downgrade by an attacker on the path, sends credentials in the clear. In implicit mode there is nothing to downgrade.
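To make the two negotiations concrete, the following is an added example written for this post, not code from the original article or from any FTP server or MFT product. It models the server side of an FTPS control channel as a small state machine so that both the explicit sequence (AUTH TLS, PBSZ 0, PROT P, USER, PASS, LIST) and the implicit sequence can be stepped through without a network. The policy flag names, the sample credentials and the reply texts are constructed for illustration; the reply codes follow RFC 959 and RFC 4217. It shows three things the text describes: a server that does not require TLS accepts a plaintext login, a client that skips PROT P gets a cleartext data connection, and an implicit channel is secured before any command is sent.

```python
"""Model of an FTPS control channel (RFC 4217 explicit mode and legacy implicit mode).
Added example for illustration; reply texts are constructed, codes follow the RFCs."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ServerPolicy:
    """Operator-controlled settings (hypothetical names, not any real server's)."""
    require_tls: bool = True      # refuse USER/PASS on an unsecured control channel
    require_prot_p: bool = True   # refuse transfers unless the data channel is protected


@dataclass
class ControlChannel:
    implicit: bool
    policy: ServerPolicy
    secured: bool = False          # TLS active on the control connection
    pbsz_done: bool = False
    prot: str = "C"                # RFC 4217 default protection level: Clear
    user: Optional[str] = None
    logged_in: bool = False
    plaintext_credentials: bool = False
    transcript: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Implicit FTPS (port 990): the TLS handshake completes before the
        # server sends its first reply, so the channel starts out secured.
        if self.implicit:
            self.secured = True
        self.transcript.append("S: 220 Service ready")

    def send(self, line: str) -> str:
        """Client sends one command line; returns the server's reply line."""
        self.transcript.append(f"C: {line}")
        cmd, _, arg = line.partition(" ")
        reply = self._handle(cmd.upper(), arg.strip())
        self.transcript.append(f"S: {reply}")
        return reply

    def _handle(self, cmd: str, arg: str) -> str:
        if cmd == "AUTH":
            if arg.upper() != "TLS":
                return "504 Command not implemented for that parameter"
            if self.secured:
                return "534 Request denied for policy reasons"
            self.secured = True   # the 234 goes out in the clear; TLS handshake follows it
            return "234 AUTH TLS successful"
        if cmd == "PBSZ":
            if not self.secured:
                return "503 Bad sequence of commands"
            self.pbsz_done = True
            return "200 PBSZ=0"
        if cmd == "PROT":
            if not (self.secured and self.pbsz_done):
                return "503 Bad sequence of commands"
            level = arg.upper()
            if level not in ("C", "P"):
                return "504 Command not implemented for that parameter"
            if level == "C" and self.policy.require_prot_p:
                return "534 Request denied for policy reasons"
            self.prot = level
            return f"200 Protection level set to {level}"
        if cmd == "USER":
            if not self.secured and self.policy.require_tls:
                return "530 Not logged in (TLS required)"
            self.user = arg
            return "331 User name okay, need password"
        if cmd == "PASS":
            if self.user is None:
                return "503 Bad sequence of commands"
            if not self.secured:
                self.plaintext_credentials = True   # password crossed the wire in the clear
            self.logged_in = True
            return "230 User logged in"
        if cmd in ("LIST", "RETR", "STOR"):
            if not self.logged_in:
                return "530 Not logged in"
            if self.prot != "P" and self.policy.require_prot_p:
                return "521 Data connection cannot be opened with this PROT setting"
            return f"150 Opening data connection ({'TLS' if self.prot == 'P' else 'CLEARTEXT'})"
        return "502 Command not implemented"


def run_client(chan: ControlChannel, secure_first: bool) -> ControlChannel:
    """Drive a typical client against the server model and return the channel."""
    if secure_first and not chan.implicit:
        chan.send("AUTH TLS")
    if chan.secured:
        chan.send("PBSZ 0")
        chan.send("PROT P")
    chan.send("USER alice")          # constructed sample credentials
    chan.send("PASS s3cret")
    chan.send("LIST")
    return chan


if __name__ == "__main__":
    weak = ServerPolicy(require_tls=False, require_prot_p=False)
    chan = run_client(ControlChannel(implicit=False, policy=weak), secure_first=False)
    print("\n".join(chan.transcript))
    print("credentials exposed:", chan.plaintext_credentials)
```

Running the module prints the transcript of an explicit-mode server that does not enforce TLS: the login and listing succeed, and `credentials exposed: True` shows why the author's "implicit is always on" point matters. Flip `require_tls` to True and the same plaintext client is refused at USER with a 530; leave TLS on but skip PROT P and the LIST is refused with a 521 rather than silently going out in the clear.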

Managed File Transfer (MFT)

Modern MFT solutions, including MOVEit Transfer, GoAnywhere, Globalscape, and Axway, support both explicit and implicit FTPS modes. These platforms are highly regarded for their additional security features, such as encryption of files at rest, tamper-evident audit logs, and multi-factor authentication.

With multiple decades of experience in MFT and other file transfer systems, Threpoly possesses significant knowledge of file transfer protocols, including FTPS. It would seem obvious that implicit FTPS is the most secure method, as a connection on port 990 cannot fall back to unencrypted FTP. However, risk is rarely that simple and needs weighing against your level of exposure and the number of trading partners who would have to change their client configuration.

While implicit FTPS is certainly better, it may be an eventual destination rather than an immediate one. In the meantime, an explicit FTPS server should be configured to refuse USER and PASS before AUTH TLS and to require PROT P for data connections, so that a plaintext login or transfer fails rather than silently succeeding.