
Mastering FTP, FTPS, and SFTP: When to Use Active vs Passive Mode

This article explains the differences between FTP, FTPS, and SFTP protocols, their security features, and how active and passive transfer modes work, helping you choose the right settings for reliable file management in cloud storage.

Open Source Linux

Uploading files to cloud storage is straightforward, but the FTP protocols behind the scenes have important distinctions.

A developer built an image‑sharing site that stores photos in Upyun cloud storage. After encountering disorganized files, he used an FTP client to connect to the storage, reorganized the images, and decided to explore FTP features in depth.

FTP, FTPS, and SFTP Overview

FTP

FTP (File Transfer Protocol) is an application‑layer protocol for transferring files between a client and a server. It uses separate command and data channels and is one of the oldest file‑transfer methods.

How FTP Works

When establishing a connection, FTP creates a command channel for instructions and a data channel for the actual file transfer.

FTP requires user credentials for access, though public FTP servers may allow anonymous access. Either way, data is sent unencrypted, which poses a security risk.

FTPS

FTPS adds SSL/TLS encryption to FTP and comes in two modes:

Implicit FTPS runs on port 990; the entire session is encrypted from the start.

Explicit FTPS starts with an unencrypted connection on the standard FTP port (21) and upgrades to SSL/TLS after the client sends AUTH TLS or AUTH SSL.

When implicit mode is enabled, the default port changes to 990 and both client and server must support SSL. In explicit mode, the connection begins like regular FTP, but the client must request encryption before transmitting credentials.

SFTP

SFTP (Secure File Transfer Protocol) is built on SSH and differs from FTP entirely. It uses a single encrypted connection for both commands and data.

SFTP offers two authentication methods: password‑based (encrypted) login and SSH‑key authentication.

Understanding these protocols lets users select the appropriate security and functionality for their file‑transfer needs.

Active vs. Passive Transfer Modes

Active Mode

In active (port) mode, the client opens a random port and sends a PORT command to the server, which then connects from its data port (20) back to the client’s specified port.

Passive Mode

In passive mode, the client connects to the server’s command port (21), sends a PASV command, and the server opens a random port for data transfer. The client then initiates the data connection to that port.

Active mode can be blocked by firewalls because the server initiates connections to the client, while passive mode is generally firewall‑friendly for the client.

Choosing the right mode depends on network topology and security requirements.
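
Both the PORT argument and the 227 reply to PASV encode the data endpoint as h1,h2,h3,h4,p1,p2, with port = p1*256 + p2. The following added example (not from the original article) decodes a constructed control-channel transcript and reports which side initiates each data connection, which is what a firewall rule has to permit. The addresses, sample lines, and function names are assumptions.

```python
import re

# Constructed control-channel lines (C = client, S = server); not captured traffic.
SAMPLE = [
    ("C", "PORT 192,0,2,10,195,80"),
    ("S", "200 PORT command successful."),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (198,51,100,7,234,96)."),
]

_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_endpoint(text):
    """Decode h1,h2,h3,h4,p1,p2 into (ip, port), where port = p1*256 + p2."""
    m = _TUPLE.search(text)
    if not m:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in {text!r}")
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"field out of range in {text!r}")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def data_connections(lines, client_ip, server_ip):
    """List each negotiated data connection and which side dials it."""
    flows = []
    for sender, line in lines:
        if sender == "C" and line.upper().startswith("PORT "):
            mode, initiator, expected = "active", server_ip, client_ip
        elif sender == "S" and line.startswith("227 "):
            mode, initiator, expected = "passive", client_ip, server_ip
        else:
            continue
        ip, port = decode_endpoint(line)
        # mismatch: advertised address is not the control-connection peer,
        # e.g. a private address leaking through NAT.
        flows.append({"mode": mode, "initiator": initiator,
                      "dst": (ip, port), "mismatch": ip != expected})
    return flows


if __name__ == "__main__":
    for flow in data_connections(SAMPLE, "192.0.2.10", "198.51.100.7"):
        print(flow)
```

In the active entry the server is the initiator, so the client-side firewall must accept an inbound connection; in the passive entry the client dials out to the port the server announced.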

By grasping these protocol variations and transfer modes, users can manage cloud storage more efficiently and securely.
