SSL, TLS, SSH2 - which are the differences?

Message

petit prince · #1 Post by **petit prince** » 2005-04-02 21:31

Hi,

I am experimenting a bit with connections between FileZilla's latest client and server builds, especially with the SSL/TLS/SSH2-implementation of the latest server build 0.9.6a. So far encrypted connections work like a charm and so first of all I would like to take the opportunity to thank the programmers of this wonderful FTP client and server: Thank you very much, your work is highly appreciated!

My question: Which are the differences of the different encryption methods and which one should I use? - I have already read a bit by googling the web, and as far as I understand, implicit encryption will only encrypt logins and passwords while explicite encryption will encrypt everything (including the actual files that are transferred). The difference between SSH2 and SSL/TLS is also clear, but what exactly is the difference between explicit SSL and explicit TLS? And which one should I prefer?

Thank you very much for every answer

petit prince

#2 Post by **botg** » 2005-04-02 22:21

You propably already know standard FTP. With the latest version of FZS you can also use FTP over SSL/TLS (short: FTPS). SSL and TLS are very similar, in fact TLS is basically a newer version of SSL.
FileZilla Server itself treats SSL and TLS exactly the same, its part of the SSL library to decide what to use.
Using SSL encryption, the normal FTP traffic just gets tunneled through a SSL/TLS connection. The difference between implicit and explicit SSL is, that using implicit SSL, the SSL handshake will be done immediately upon connection, while using explicit SSL, the client has to tell the server with an ftp command to enable SSL, usually before sending the username and password.
Thus regardless of implicit or explicit SSL, the same data will be encrypted.
In addition to that, the client can tell the server whether the data channels for files and directory listings have to use SSL as well or not using the PROT command.

SFTP on the other hand is a completely different protocol based on SSH. Despite the name, it has nothing in common with FTP.

petit prince · #3 Post by **petit prince** » 2005-04-02 23:12

Hi 'botg',

thank you very much for this in-depth-explanation! - I realise I was wrong regarding my understand of the implicit/explicit difference. Just one last question:

botg wrote:FileZilla Server itself treats SSL and TLS exactly the same, its part of the SSL library to decide what to use.

In FileZilla Client "FTP over SSL (explicit mode)" and "FTP over TLS (explicit mode)" are two different options when you set up a new FTP account. Does your statement above mean that the choice between these two on the client's side doesn't make any difference as long as you connect to a FileZilla 0.9.6a Server? - Once again, thank you very much!

petit prince

#4 Post by **botg** » 2005-04-03 07:15

Yes, if connecting to FZS, there's no difference in chosing explicit SSL or explicit TLS.

petit prince · #5 Post by **petit prince** » 2005-04-03 12:57

botg wrote:Yes, if connecting to FZS, there's no difference in chosing explicit SSL or explicit TLS.

Once again, thank you very much, 'botg', I believe the differences are now much clearer to me!

petit prince