Ftp – What are the differences between FTPS and FTPES


According to this article,
I understand that FTPES is safer than FTPS.
But I still keep asking myself: what are the differences between those two modes?

What's the difference between explicit and implicit SSL?
And how can one be safer than the other?

Best Answer

FTPES is actually less secure with regard to unknowing users compared to FTPS. With FTPES, a client must explicitly ask for an encrypted FTP connection, whereas with implicit FTPS, negotiation is not allowed. A client is immediately expected to challenge the FTPS server with a TLS/SSL ClientHello message. If such a message is not received by the FTPS server, the server should drop the connection.

The problem with FTPES is that when an attacker is performing a man-in-the-middle attack, he would be able to negotiate a non-encrypted link (SSL stripping) if your client is set up to negotiate the connection explicitly (hence the E in FTPES).
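
Added example, not part of the original answer: a Python `ftplib` client in explicit mode talking to a constructed local stub that rejects `AUTH TLS`, which is what a client sees when the upgrade has been stripped. The helper names `start_plain_server`, `login` and `require_tls` are hypothetical; the point is that a client which requires TLS stops before sending credentials, while an opportunistic one logs in over plaintext.

```python
import ftplib
import socket
import threading

REPLIES = {b"AUTH": b"502 AUTH not understood", b"USER": b"331 password required",
           b"PASS": b"230 logged in"}

def start_plain_server():
    """Constructed local FTP stub that rejects AUTH TLS, which is what a client
    observes when the TLS upgrade is unavailable or has been stripped in transit.
    Returns (port, seen); seen collects the command verbs the stub received."""
    srv = socket.create_server(("127.0.0.1", 0))
    seen = []

    def serve():
        conn, _ = srv.accept()
        with conn, conn.makefile("rwb") as f:
            f.write(b"220 stub ready\r\n")
            f.flush()
            for line in f:
                verb = line.strip().split(b" ")[0].upper()
                seen.append(verb.decode())
                f.write(REPLIES.get(verb, b"500 unknown command") + b"\r\n")
                f.flush()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], seen

def login(port, require_tls):
    """Explicit-mode login. Returns 'tls', 'plaintext' or 'refused'."""
    ftp = ftplib.FTP_TLS(timeout=5)
    ftp.connect("127.0.0.1", port)
    try:
        try:
            ftp.auth()  # sends AUTH TLS; wraps the socket only on a 2xx reply
            mode = "tls"
        except ftplib.error_perm:
            if require_tls:
                return "refused"  # fail closed before USER/PASS are sent
            mode = "plaintext"  # opportunistic fallback: the downgrade succeeds
        ftp.login("demo", "constructed-password", secure=False)
        return mode
    finally:
        ftp.close()

if __name__ == "__main__":
    for strict in (False, True):
        port, seen = start_plain_server()
        print("require_tls =", strict, "->", login(port, strict), seen)
```
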
