Why is SFTP/Filezilla not recommended in the File Transfer tools?

Given my dissatisfaction with the File Sharing recommendations on PG, I asked a friend who works in a bank on what they do.

I was told SFTP is the general standard for big businesses, and a tool such as FileZilla can be used to transfer files through this protocol. I looked it up, and it’s open source, cross-platform and does not require the use of a third-party client.

But maybe I am missing something?

FileZilla installed spyware straight from the official setup some years ago. Not sure if they still do that.

From my understanding, Privacy Guides will recommend an end-to-end encrypted storage service if available. FTP and SFTP are not and cannot be E2E encrypted. The other server will have access to your files and will be able to read them if they were not encrypted on your machine before the upload. Pretty sure Privacy Guides would tell you that if there is a more secure and private service that does the job better than SFTP, with all the same features and more (sharing), AND is E2E encrypted, then it’s not worth suggesting a worse option.

If you just need to transfer files from computer A to computer B, then sure, SFTP is a decent protocol for that. There’s simply no category for this kind of tool on PG, I think. There is “cloud storage”, and there is “file sharing and sync”, but even the latter is more about sharing files with mere mortals. You can’t reasonably tell somebody: here’s the domain of my FTP server and here’s your username and password, just download something if you feel like it. No, even stuff like Firefox Send is hard to understand for regular people. And if it’s just syncing between your own computers, then yes, you can do a setup with SFTP or rsync, but if you know enough to do so, then you don’t need the guide page anyway.

As for FileZilla… :nauseated_face: Just use a decent client. Or the one that’s already built into your OS. Not something from a developer that is happy to distribute literal malware. And “open source” it is on paper maybe, but there’s none of the developer community that normally forms around open source projects. Just this guy hiding a source code download somewhere on his page and licensing it appropriately. But even though it’s licensed with an open source license, it doesn’t seem like he wants people to actually take advantage of any of that. Just one recent example: “Can't install python or filezilla via winget” (Issue #2513, microsoft/winget-cli on GitHub): “TimKosse.FileZilla.Client was removed as per the application developer’s request.” Can’t have people easily install and maintain bloat- and malware-free FileZilla installations on their machines, right? Even though the license allows distribution by anyone, he’d rather have you go to his site and download his special binaries. No thanks.


Let’s take this into a travel analogy because this is a transport protocol after all.

You’ve decided to use an airplane (your SFTP in this analogy). It is fast and secure but still has to land somewhere (a remote computer). Do you have your passport with you (TLS/SSL certificates)? Is the landing zone secure (what is the underlying OS)? Is there even security around, with gates and keys (is there at-rest encryption)?

SFTP is a protocol, in the same way that HTTPS is a protocol. What matters is the actual implementation and design of the file transfer. SFTP is quite literally a pipe for your data to go through, and that isn’t enough. Other details and features are already solved in the recommended apps, such as Syncthing, that make modern file sharing much more than just SFTP.

I haven’t used FileZilla in a long while, and if @yipii is right, it’s not very trustworthy anymore and one should probably use other programs/apps.


Terminal gang :sunglasses:


SFTP in businesses? Definitely not. No good audit trails. No MFA. This is really not true. SFTP is an old protocol with some security layer; there is really no good reason to still use this, especially not for document syncing. This is just something people use to connect to servers, but that I wouldn’t even recommend.


@ph00lt0 Sounds more like you’re describing FTPS lol

:+1:

SFTP is the better one. It is a newer protocol from what I know.

FTPS is running over the SSH protocol but still uses the old FTP.

Neither would I recommend for syncing files in businesses. This is not a suitable solution for file syncing.

FTPS doesn’t use SSH, it’s just encrypted FTP.

SFTP is (part of) SSH, so it is definitely the better one. SSH is very secure. For one-time file transfers I don’t see what the issue with it would be. You could certainly add MFA, auditing, etc., exactly as you can with SSH.

That being said, for keeping things in sync these simple transfer tools are not really suitable, yeah. Maybe rsync if you’re looking for a CLI tool? I guess it depends on what OP is trying to actually do. “File sharing” is very vague :confused:

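As an added example that is not part of the thread: the MFA and auditing the reply above says SFTP can have are ordinary OpenSSH server settings. This is a hypothetical sshd_config fragment; it assumes a Unix group named sftponly, root-owned chroot directories under /srv/sftp, and a PAM one-time-password module already set up for the keyboard-interactive step.

```conf
# Hypothetical sshd_config fragment (added example, not from the thread).
# Goal: SFTP-only accounts with key + second factor, and a per-file audit trail.

# Run the SFTP server in-process and log every open/close/rename/remove
# at INFO to the AUTH facility; these lines are the audit trail.
Subsystem sftp internal-sftp -l INFO -f AUTH
LogLevel VERBOSE

# PAM is what supplies the second factor for keyboard-interactive below.
UsePAM yes

Match Group sftponly
    # Confine the session to a root-owned, non-writable chroot (assumed path).
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp -l INFO -f AUTH

    # No shell, no tunnels: file transfer is the only thing this account can do.
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTTY no

    # Two factors: the public key first, then a keyboard-interactive prompt
    # (answered by the assumed PAM OTP module). Plain passwords are refused.
    PasswordAuthentication no
    KbdInteractiveAuthentication yes
    AuthenticationMethods publickey,keyboard-interactive
```

With `-l INFO`, sftp-server records each open and close with the username and path, so a later review can see who read or wrote which file and when.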

I am thinking of sending a document from computer A to computer B, via email. (I know email is not recommended, but it is the only choice I have for people I do not know well)

A = me using private email, B = other person using Gmail.

If I do not want Google reading this document, then simply adding it as an attachment will make it readable by Google. Therefore I am interested in alternative methods, bringing me to the PG file sharing page.

It is a bad idea to send links to people, if they do not already trust you and you want their attention. Both a Firefox Send link and an encrypted email temporary mailbox link are therefore bad ideas, as most people are unfamiliar with them.

So I asked a friend who works in a bank what they do, and was told that they would send an email saying “check your SFTP”. I did not understand, so asked what software this involved, and was told FileZilla, for example. I don’t understand how SFTP can work without a software application. I’m sure there is a Terminal route, but I doubt this is common among businesses.

As for FileZilla, I wonder. If I download FileZilla, and person B downloads FileZilla, and I send a file to person B through FileZilla, then who may have access to this file except me and person B? This I don’t understand.

In other words, I am wondering if there are any file transfer options, mediated through email, which are familiar to people working in business, and do not involve either attachments which would be read by the recipient’s email provider, or unfamiliar links which arouse suspicion of malware.

As I understand it, SFTP requires a server you can SSH into, so not practical for everyday use. It can’t be used peer to peer from my understanding, so you would have a server that would have access to your files.


Thanks for explaining for us. Hmm, I don’t really know of any other way, other than to host the file yourself, put it behind a password login that only the recipient knows, and email them a link to download it.

Although when they download it, it will be accessible by the OS or browser they use when they download it. So if the recipient is using an Apple device to download, ofc Apple will have access to it. Or if they use the Chrome browser to download, Google will have access to it.

That really limits your solution pool down to… very little (basically nothing). As I see it, there are a couple of options:

  1. Send (easy to use, encrypted, requires a link, self-hosted or publicly available instances)
  2. Use an encrypted attachment (you could use one of the tools suggested by PG to encrypt the file, for example)
  3. Send a link that they can use in something like Onionshare
  4. Self-host Nextcloud or something
  5. Encrypt the file and then put it on a cloud storage platform like Google Drive or Dropbox
  6. Use SFTP on a self-hosted server (probably the worst option for convenience)

Honestly, there aren’t many good options for what you are trying to do unfortunately.


Yeah

So I asked a friend who works in a bank what they do, and was told that they would send an email saying “check your SFTP”.

Banks can sort of get by with this because they already have files hosted on their own server and already have their users create an account, so authentication/login is already there. But their documents are still subject to being downloaded and read by whatever OS or browser the recipient is using to download. I assume this is probably why many of them just don’t even allow you to download much and just allow you to view the contents directly on the site after you login. But of course a person could still print/save to PDF :slight_smile: