Message
From: 30/03/2022 15:32:14
To: 30/03/2022 11:48:58
General information
Forum: Visual FoxPro
Category: Coding, syntax & commands
Title: Miscellaneous
Thread ID: 01684024
Message ID: 01684034
Views: 54
>>There was something with how username / pwd gets transported and the like. Can't remember the details, it's old.
>>
>>There is enough to be found, but just an example https://www.centrestack.com/ftp-replacement/
>
>FTP uses separate command and data channel, all unsecured.
>IIRC:
>FTPS still uses separate data and command, possibly many data channels:
>more ports open in FW, bad when not using dedicated server, but parallel download possible.
>Worse on client? Dunno.
>Upd:
>But danger of misconfigure to only encrypt part... /Upd:
>
>SFTP was built on SSL, uses only 1 channel, less ports needed.
>No problem if you map wrong file into the directory unless you operate on "*" / whole directory.
>
>HTTPS up/download also secure, but I guess gives more attack surface than dedicated SFTP server.
>Al? Care to voice opinion forged by biz reading and learning?

I don't know of any inherent vulnerabilities with SFTP. One discussion is at https://securityboulevard.com/2021/05/sftp-security-is-it-truly-secure/ .

I haven't worked with it much. One of my clients uses it to transfer files to/from government agencies. Those agencies lock down their servers hard, with IP whitelisting etc. They have to comply with some data handling regulations so I assume SFTP is "good enough" for those purposes.

I don't know of any simple way to securely transfer files which is suitable for general end users. I'd be interested to hear if anyone else has found anything. For example, I've used:

- 7Zip encrypted archives as e-mail attachments. This requires the recipient to install 7Zip
- Temporary/throwaway Dropbox accounts. Who knows how they retain files and can be compelled to provide them to other agencies. Yes, the files you upload can be encrypted with something like 7Zip but if you're doing that you may as well use e-mail attachments (as long as they're not too large)
- I haven't used PGP encrypted mail but my limited understanding is it's not trivial to implement. A significant PITA if you just want to transfer a couple of files
- Anything which offers temporary or one-time download links can be intercepted

With the general trend towards more cyber incidents and tighter security requirements, the seemingly simple concept "transfer this file from A to B securely" is getting harder and harder to implement in practice.
Regards. Al

"Violence is the last refuge of the incompetent." -- Isaac Asimov
"Never let your sense of morals prevent you from doing what is right." -- Isaac Asimov

Neither a despot, nor a doormat, be

Every app wants to be a database app when it grows up