SFTP vs tunneling?


Trekker
Guest


I am new to the SFTP thing and may be getting a little mixed up. I am using WinSCP 5.5.5. My understanding of SSH is that it requires a tunnel be used so that passwords and data can be encrypted, correct?

I think that SFTP means SSH is added to FTP, so tunneling is required for it to be called SFTP, otherwise it's just FTP.

Let's look at two examples:

1) If I fill out SFTP session login details, and try to login without going to "Advanced..." to put a check mark at Tunnel > Connect settings, the connection goes through successfully without mention of any tunneling.

2) If I go to "Advanced..." > Connection > Tunnel > Connect through SSH Tunnel and mark that box then fill in tunnel login details, then login, it mentions I connected through a tunnel.

In Example #1, is encryption present because login authentication does not mention a tunnel?
Does lack of a tunnel (required for encryption?) mean it's no longer SFTP, but actually FTP?
If so, has my login password already been compromised to the Internet? Suppose I already had a master password set (which I did), will my login password still be compromised?

Is Example #2 (enabling the tunnel) required for sftp to, in fact, be sftp? Or am I doing something like double encryption (adding extra overhead)?

I looked all over the Internet and this website, but couldn't find anything on this... so answers would be appreciated! I apologize for all the questions, just answer them quickly one by one. :wink:


Trekker
Posts: 2

Re: SFTP vs tunneling?

martin wrote:

SFTP is not FTP tunneled through SSH. SFTP is not related to FTP at all.
See
https://winscp.net/eng/docs/tunneling
https://en.wikipedia.org/wiki/SSH_File_Transfer_Protocol

Thanks very much for the reply. I read the info at both links and understand better now. The second URL states the following: "The [SFTP] protocol itself does not provide authentication and security; it expects the underlying protocol to secure this. SFTP is most often used as subsystem of SSH protocol version 2 implementations."

I disabled tunneling and verified the security by logging into my website's remote directories via WinSCP. Once remotely connected, without tunneling enabled there's still a locked SSH-2 icon and SFTP-3 text at the bottom right of the application window.

What I still don't understand is this: if SFTP is already secured with SSH-2 without tunneling enabled, then what additional security benefit does tunneling give for SFTP purposes? Your first URL makes tunneling sound like it is useful only as a proxy for SFTP purposes, and my home network has no access restrictions put on it by the host provider holding the files.

So does this mean that I only need tunneling in a public network that could be restricted from accessing the website files held by the host provider? Or is tunneling beneficial even in an unrestricted home network?


martin
Site Admin
Posts: 41,518
Location: Prague, Czechia

Re: SFTP vs tunneling?

Yes. SSH tunneling, when used to tunnel an already encrypted connection (another SSH/SFTP connection), is a kind of proxy only. There's no additional security (well actually encrypting twice gives some additional security, but it's not really the point).

Typically this is used when you need to access a server A that cannot be accessed directly from your machine. But you have access to a server B that can access the server A. Then you tunnel through the server B to the server A.

Your related questions on superuser.com:
https://superuser.com/q/806814/213663
https://superuser.com/q/806939/213663
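
The point made in this thread, that SFTP runs inside SSH and is unrelated to FTP, shows up in the first line a server sends after the TCP connection opens. The following is an added example, not part of the original posts and not WinSCP code: it classifies a captured greeting as SSH or FTP. The sample greetings and the software name ExampleSSHD are constructed for illustration.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
SSH_ID = re.compile(rb"^SSH-(\d+\.\d+)-([\x21-\x2c\x2e-\x7e]+)(?: (.*))?$")
# RFC 959: three-digit reply code, then space (last line) or "-" (more lines follow)
FTP_REPLY = re.compile(rb"^(\d{3})([ -])")

# Constructed greetings (not captured from any real server).
SAMPLES = {
    "sftp_server": b"SSH-2.0-ExampleSSHD_1.0\r\n",
    "ssh_with_notice": b"Authorized use only\r\nSSH-1.99-ExampleSSHD_1.0 legacy\r\n",
    "ftp_server": b"220-Welcome\r\n220 Example FTP ready\r\n",
    "other": b"HTTP/1.1 400 Bad Request\r\n",
}


def classify_greeting(data: bytes) -> dict:
    """Classify the first bytes a server sends once the TCP connection opens."""
    lines = [ln.rstrip(b"\r") for ln in data.split(b"\n") if ln.strip()]
    for line in lines:
        m = SSH_ID.match(line)
        if m:
            version = m.group(1).decode()
            return {
                "protocol": "ssh",
                "version": version,
                "software": m.group(2).decode(),
                # 1.99 announces SSH-2 with SSH-1 compatibility (RFC 4253, 5.1)
                "ssh2": version in ("2.0", "1.99"),
            }
        m = FTP_REPLY.match(line)
        if m:
            return {"protocol": "ftp", "code": int(m.group(1))}
        # Anything else may be a pre-identification notice line, which
        # RFC 4253 allows an SSH server to send, so keep scanning.
    return {"protocol": "unknown"}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify_greeting(raw))
```

A greeting classified as "ssh" with "ssh2" true is the case where the SFTP session is already carried over SSH-2 with no tunnel option enabled; a "220" reply means the port speaks FTP instead.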


Trekker

What you are saying makes sense. I'm new to SFTP and tunneling, so it takes time for me to understand some concepts.

Thanks for posting the links to my questions on Stack Exchange and for adding some tags to one of them. I'm pretty new to Stack Exchange and it was helpful.
