Science Fair Project Encyclopedia
The 'Secure FTP' label is misleading in that only the control channel is secured; the data channel is still transmitted in cleartext, outside the SSH tunnel. This is a marked difference from sftp or scp, where the entire conversation [credentials and data] is encrypted.
Because of the way FTP works, a Secure FTP session may not be as secure as you think. When you log into an FTP site, change directories, or get a directory listing, your commands are transmitted over the control channel on port 21 to the FTP server. Since you are tunneling port 21 over SSH, the commands are encrypted and kept safe from prying eyes. However, the actual file transfer happens over the data channel on some other, random port, which is not in the tunnel and is therefore available for anyone to sniff.
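The split between the two channels is visible in the server's passive-mode reply, which names the endpoint the client opens next for the data channel. The Python sketch below is an added example, not part of the original article; the sample replies, the 127.0.0.1:2121 forward and the function names are constructed assumptions.

```python
import re

# Constructed sample replies in the RFC 959 (227) and RFC 2428 (229) formats.
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)"
EPSV_REPLY = "229 Entering Extended Passive Mode (|||50000|)"

# Assumed setup: one local SSH forward, 127.0.0.1:2121 -> FTP server port 21.
TUNNEL_LISTENERS = {("127.0.0.1", 2121)}


def data_endpoint(reply, control_host):
    """Return the (host, port) the client will connect to for the data channel."""
    code = reply[:3]
    if code == "227":
        # 227 carries h1,h2,h3,h4,p1,p2: a full address plus a two-byte port.
        m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
        if not m:
            raise ValueError("malformed 227 reply")
        nums = [int(n) for n in m.groups()]
        if any(n > 255 for n in nums):
            raise ValueError("field out of range in 227 reply")
        return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]
    if code == "229":
        # 229 carries only a port; the host is the control connection's peer.
        m = re.search(r"\((.)\1\1(\d{1,5})\1\)", reply)
        if not m or not 0 < int(m.group(2)) < 65536:
            raise ValueError("malformed 229 reply")
        return control_host, int(m.group(2))
    raise ValueError("not a passive-mode reply")


def inside_tunnel(endpoint, listeners=TUNNEL_LISTENERS):
    """True only if the data connection would enter a forwarded listener."""
    return endpoint in listeners


if __name__ == "__main__":
    for reply in (PASV_REPLY, EPSV_REPLY):
        ep = data_endpoint(reply, control_host="127.0.0.1")
        print(reply[:3], ep, "tunneled" if inside_tunnel(ep) else "NOT tunneled")
```

In both cases the data endpoint differs from the forwarded control port, so the single port-21 forward does not carry the file transfer.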
The contents of this article are licensed from www.wikipedia.org under the GNU Free Documentation License.