A brief history of FTP (in)security
The FTP protocol as used today was defined in 1985 (RFC 959) based on a design created in 1971.
It was designed without taking security into consideration. All transmissions are in clear text, including username, password, and actual transferred data. All FTP communication can be easily intercepted by anyone able to capture your local or Internet traffic.
This problem is common to many of the Internet Protocol specifications (Telnet, SMTP, IMAP, etc.) that were designed prior to the creation of encryption mechanisms such as SSL or TLS.
In 1997 (RFC 2228), the FTP protocol was extended, and specifications for using secure connections were set in place. The end result is what is commonly known as the FTPS protocol.
The FTPS protocol is also sometimes referred to as Secure FTP or FTP over SSL. All these names refer to the same protocol extension.
FTPS should not be confused with the SFTP protocol, a secure file transfer subsystem for the Secure Shell (SSH) protocol. FTPS is not compatible with SFTP.
Upgrade the security of your legacy FTP server
With the widespread popularity of wireless networks, it is easier than ever to monitor network traffic. And therefore capture usernames, passwords, and actual data sent over the plain old FTP protocol.
Until recently, in order to secure public FTP servers using TLS you had to buy and manually install an X509 / SSL Certificate from one of the trusted certificate authorities. A certificate was typically valid for 1 or 2 years, and the process of buying, obtaining, and then installing a new certificate was slow and painful, as most steps required manual interventions.
With the creation of the Let's Encrypt certificate authority, you can now automatically get a TLS certificate at no extra cost in a matter of seconds.
By switching to FTPS, usernames, passwords, and actual data transferred by your FTP server are protected using the latest security standard.
Let's Encrypt and FTPS
Let's Encrypt (sometimes shortened as LetsEncrypt) is a certificate authority that provides SSL/X.509 certificates at no charge.
SFTPPlus can automatically and seamlessly request certificates for HTTPS and FTPS file transfer services. You only need to configure the domain name, SFTPPlus will take care of the rest. No need to use external tools like letencrypt.exe copy files in paths like /etc/letsencryt or C:siteswwwroot.
For technical details on Let's Encrypt in general, and on using it with a FTPS server in particular, consult the dedicated article.
If you have decided to use Let's Encrypt, check our dedicated documentation page to see how to enable Let's Encrypt for your FTP server.
This resource is written as of SFTPPlus version 3.43.0.