INFO: TLS/SSL implicit and explicit modes difference
No encryption/plain mode
Communication schema:
- Client connects to the server.
- Client talks to the server over this unencrypted channel.
- Username + password is sent unencrypted.
Sample code:
Ftp ftp = new Ftp();
ftp.Connect("example.com", SslMode.None);
TLS/SSL - Explicit mode
Communication schema:
- Client connects to the server.
- Client explicitly requests TLS/SSL encryption to be switched on.
- Client talks to the server using an encrypted channel.
- Username + password is sent encrypted.
Sample code:
Ftp ftp = new Ftp();
ftp.Connect("example.com", SslMode.Explicit);
or
Ftp ftp = new Ftp();
ftp.Connect("example.com", SslMode.None);
ftp.Secure(); // request encryption
TLS/SSL - Implicit mode
Communication schema:
- Client connects to the server and TLS/SSL encryption is switched on implicitly as soon as the channel is established.
- Client talks to the server using an encrypted channel.
- Username + password is sent encrypted.
Sample code:
Ftp ftp = new Ftp();
ftp.Connect("example.com", SslMode.Implicit);
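What the two modes do on the wire for FTP, written against .NET's own SslStream rather than the Rebex API. This is an added example, not Rebex code: the class, method and parameter names are hypothetical, and the AUTH TLS command with its 234 reply comes from the FTP-over-TLS specification (RFC 4217), not from this page.

```csharp
using System;
using System.IO;
using System.Net.Security;
using System.Net.Sockets;
using System.Text;

static class FtpTlsModes   // hypothetical helper, not part of the Rebex API
{
    // explicitMode = true : plain greeting, AUTH TLS, then the TLS handshake.
    // explicitMode = false: implicit mode, the TLS handshake is the first thing sent.
    public static SslStream Connect(string host, int port, bool explicitMode)
    {
        var tcp = new TcpClient(host, port);
        try
        {
            tcp.ReceiveTimeout = 10000;             // a TLS-only port never sends a plain greeting
            NetworkStream net = tcp.GetStream();
            if (explicitMode)
            {
                ReadReply(net, "220");              // greeting, still unencrypted
                byte[] cmd = Encoding.ASCII.GetBytes("AUTH TLS\r\n");
                net.Write(cmd, 0, cmd.Length);
                ReadReply(net, "234");              // throws if the upgrade is refused
            }
            var tls = new SslStream(net, false);    // disposing tls also closes the socket
            tls.AuthenticateAsClient(host);         // default validation checks the certificate
            return tls;                             // USER/PASS are written to this stream only
        }
        catch { tcp.Dispose(); throw; }
    }

    // Reads one reply byte by byte, so nothing after its last line is consumed.
    // The last line of a (possibly multi-line) reply is "<3-digit code><space>text".
    static void ReadReply(Stream s, string expected)
    {
        for (;;)
        {
            var line = new StringBuilder();
            int b;
            while ((b = s.ReadByte()) != -1 && b != '\n') line.Append((char)b);
            if (b == -1) throw new IOException("Connection closed in mid-reply.");
            string text = line.ToString();
            if (text.Length < 4 || text[3] != ' ' || !char.IsDigit(text[0])) continue;
            if (!text.StartsWith(expected, StringComparison.Ordinal))
                throw new IOException("Expected " + expected + ", got: " + text.TrimEnd());
            return;
        }
    }
}
```

In explicit mode this code never falls back to the plain channel: if the server does not answer AUTH TLS with 234, it throws before any credentials could be written.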
More info
- TLS/SSL Explicit mode usually uses the same port as plain (unsecured) mode.
- TLS/SSL Implicit mode requires a dedicated port.
- TLS/SSL Implicit mode cannot be run on the same port as TLS/SSL Explicit mode.
- TLS/SSL Implicit mode cannot be run on the same port as plain (unsecured) communication.
- The TLS/SSL protocol is the same in both Explicit and Implicit mode. Both are equally secure.
Common ports
Question: I got a hostname and port. Which security mode should I use?
Answer: The following table lists common ports and their security modes:
Protocol | No encryption Plain port | TLS/SSL Explicit port | TLS/SSL Implicit port |
---|---|---|---|
FTP | 21 | 21 | 990 |
SMTP | 25 or 587 | 25 or 587 | 465 |
IMAP | 143 | 143 | 993 |
POP3 | 110 | 110 | 995 |
Telnet | 23 | 23 | 992 |
HTTP | 80 | - | 443 |
SFTP and SSH shell are not listed - they run over the SSH protocol, which is always secure and runs on port 22.