FTP Options

This page explains, for anyone interested, some of the options used with WinSCP. This is optional material. It is not part of the lab, and I will not ask about it on any quiz or exam.

A networking protocol is a set of rules governing how computers communicate, with various protocols for different purposes. For example, HTTP is used by browsers to get web page files from the server. To place files on the server, we use a protocol for general file transmission. Many have been developed; WinSCP supports three: SFTP, SCP and FTP. Originally, it supported only SCP, which it's named for.

FTP is the oldest of the three, so it has the simplest name: FTP stands for File Transfer Protocol. SCP is the Secure Copy Protocol, and SFTP is the Secure File Transfer Protocol. FTP suffers from a common problem in older Internet protocols: it can be easily snooped. Anyone with the right equipment and software, and access to the lines carrying Internet traffic, can copy all the information sent during an FTP session. When you are sending files to a web server, you're probably not trying to keep those secret, but the snooper can also read your account and password.

The standard way to prevent Internet snooping is to encrypt the data while in transit. This prevents the snooper from knowing the password (and the file contents, should that be important). The secure protocols (SCP and SFTP) were designed from the start to do this, and the old FTP protocol has been modified to support encryption on request. It can encrypt in different ways, selected by options which appear after you select the FTP protocol. Those are “No Encryption”, “SSL/TLS”, “SSL Explicit” and “TLS Explicit”. TLS is a newer version of SSL, the same protocol used by secure web sites. “No Encryption” runs FTP in its original form without snooping protection; the other three encrypt in different ways. The “SSL/TLS” option starts encryption when the connection starts. The others make the connection, talk to the FTP server, and then ask it to begin encrypting traffic before sending passwords or file contents.

Why have all these ways of doing it? Mostly because different folks tried doing it different ways at different times, and these all became popular enough not to fade away. Any will work; the only issue is that both ends must be prepared to do it the same way. For purposes of our lab, the server does understand SFTP and SCP, but does not use those protocols for the web accounts. For those, it uses FTP, and will accept connections without encryption, or using TLS Explicit. The two other secure options will not work because the server is not set up to use them, and it's better to not use the unsecured version.
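
The ordering that the explicit options depend on (ask for encryption first, send the account and password second) can be checked from a session log. The Python below is an added example, not part of the original page or of WinSCP. The command names AUTH TLS, PBSZ and PROT P and the 234 reply come from the FTP security extensions rather than from this page, and the log lines and the `audit_session` helper are constructed for illustration.

```python
# Added example. Session logs below are constructed, not captured from a real server.
# ">" marks a command the client sent, "<" a single-line server reply.

def audit_session(lines, implicit_tls=False):
    """Report which credential commands were sent before encryption began."""
    tls_active = implicit_tls   # the "SSL/TLS" option encrypts from the moment of connection
    data_private = False        # True once the server accepts PROT P under TLS
    pending = ""                # last command sent, still awaiting its reply
    exposed = []                # USER/PASS sent while the channel was cleartext
    for line in lines:
        direction, _, text = line.partition(" ")
        words = text.upper().split()
        if not words:
            continue
        if direction == ">":
            pending = " ".join(words[:2]) if words[0] in ("AUTH", "PROT") else words[0]
            if words[0] in ("USER", "PASS") and not tls_active:
                exposed.append(words[0])
        elif direction == "<":
            code = words[0]
            if pending.startswith("AUTH") and code == "234":
                tls_active = True      # server agreed; the TLS handshake follows
            elif pending == "PROT P" and code == "200" and tls_active:
                data_private = True    # file contents will be encrypted too
            pending = ""
    return {"tls": tls_active, "exposed": exposed, "data_private": data_private}

# Constructed sample sessions (placeholder account name and password).
LOGIN = ["> USER student", "< 331 Password required",
         "> PASS example-password", "< 230 Logged in"]
PLAIN = ["< 220 Ready"] + LOGIN                      # "No Encryption"
EXPLICIT = (["< 220 Ready", "> AUTH TLS", "< 234 Proceed with negotiation"]
            + LOGIN + ["> PBSZ 0", "< 200 OK", "> PROT P", "< 200 OK"])
# Server does not support the request and the client logs in anyway.
REFUSED = ["< 220 Ready", "> AUTH TLS", "< 502 Command not implemented"] + LOGIN

if __name__ == "__main__":
    for name, log in (("plain", PLAIN), ("explicit", EXPLICIT), ("refused", REFUSED)):
        print(name, audit_session(log))
```

The `REFUSED` session is the case to watch for: the client asked for encryption, the server declined, and the login went out unencrypted anyway.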