INFO: TLS/SSL implicit and explicit modes difference

No encryption/plain mode

Communication schema:

  1. Client connects to the server.
  2. Client talks to the server over this unencrypted channel.
  3. Username + password is sent unencrypted.
Sample code:
Ftp ftp = new Ftp();
ftp.Connect("example.com", SslMode.None);

 

TLS/SSL - Explicit mode

TLS/SSL - Implicit mode

Communication schema:

  1. Client connects to the server.
  2. Client explicitly requests TLS/SSL encryption to be switched on.
  3. Client talks to the server using encrypted channel.
  4. Username + password is sent encrypted.

Communication schema:

  1. Client connects to the server and TLS/SSL encryption is switched on implicitly as soon as the channel is established.
  2. Client talks to the server using encrypted channel.
  3. Username + password is sent encrypted.
Sample code:
Ftp ftp = new Ftp();
ftp.Connect("example.com", SslMode.Explicit);
or
Ftp ftp = new Ftp();
ftp.Connect("example.com", SslMode.None);
ftp.Secure(); // request encryption
Sample code:
Ftp ftp = new Ftp();
ftp.Connect("example.com", SslMode.Implicit);

More info

  • TLS/SSL Explicit mode usually uses the same port as Plain (unsecure) mode.
  • TLS/SSL Implicit mode requires dedicated port.
  • TLS/SSL Implicit mode cannot be run on the same port as TLS/SSL Explicit mode.
  • TLS/SSL Implicit mode cannot be run on the same port as plain (unsecure) communication.
  • The TLS/SSL protocol is the same in both Explicit and Implicit mode. Both are equally secure.

Common ports

Question: I got a hostname and port. Which security mode should I use?

Answer: The following table lists common ports and their security modes:

Protocol No encryption
Plain port
TLS/SSL
Explicit port
TLS/SSL
Implicit port
FTP 21 21 990
SMTP 25 or 587 25 or 587 465
IMAP 143 143 993
POP3 110 110 995
Telnet 23 23 992
HTTP 80 - 443

SFTP and SSH shell are not listed - they run over SSH protocol, which is always secure and runs on port 22.

Rebex .NET components for C# and VB.NET supporting TLS/SSL