The pitfalls of comparison charts

Yesterday, a potential customer asked us about a comparison chart (original version, current version) at one of our competitor's website, which compared Rebex SFTP with Eldos SFTPBlackBox. He was afraid he might need some authentication schemes we don't support yet. Yes, we don't support SSH host-based and OpenPGPauthentication at the moment, mostly beacuse no one ever bothered to ask for them. Chances are you won't need it either, and if you do, please let us know about it. But that's not what I wanted to say now. My point is this:

Both Rebex STP and Eldos SFTPBlackBox are mature products that will undoubtedly cover 99% of usage scenarios.

This means that unless you happen to come across the small number of scenarios one of the components can't handle, comparing the feature lists won't help you decide which one to choose. Instead, my advice is this:

Instead of studying comparison charts, give both components a try and choose the one that works. If both work, choose the one whose API you like most!

After all, if any features are missing in either one, chances are it's rarely used, and if you actually do happen to need one of them, both Rebex and Eldos are friendly vendors who will happily add them for you (unless it's something tricky).

If I convinced you, there is no need to read any further. If you still prefer to check out the comparison charts, then that's fine as well, of course. Just be aware of the pitfalls. For example, there are some inaccuracies in Eldos's comparison chart. I'm sure they are not intentional – naturally, their component is the one they are most familiar with, and although we have an extensive feature list, we know some of thpse features were hard to find in the previous version of our website. So here goes:

  1. Price – The starting price of Rebex SFTP is $349, not $449. And although you won't get the source code for this, you can distribute the DLLs to your clients without any additional royalty fees, which you can't do with Eldos's cheapest licensing schemes. Also, I'm unsure about Eldos' claimed starting price of $294. Using their calculator, the lowest quote I managed to get (.NET edition / SFTPBlackBox client / In-House / 1 Developer / USD) was $339, and you can't distribute the DLLs to your clients with that license – you would need to get 'Vendor' license, which costs $465...

  2. Evaluation – I bet one can easily convince most vendors to extend their evaluation periods. It's just usually not advertised as a feature... But still, if you do need to extend Rebex SFTP's trial period, just ask! :-)

  3. Platforms – Rebex SFTP works with ASP.NET as well (with necessary permissions – it uses TCP sockets). The next release will officially support Mono (it has been unofficially supported for years), beta for Xamarin.iOS has already been released and Xamarin.Android support is coming soon as well (in fact, as soon as we are done with the sample app). And if you buy Rebex SFTP license now, you will get support for these platforms for free.

  4. SSH server component – A full-featured beta is already available as well. If you would like to try it, just let us know.

  5. Transport layer (sockets/custom) – We do support any custom transport as well.
    (Update: As of 2013-06-13 20:00 UTC, this has been fixed. Thanks, Eldos! :-)

  6. Proxy support – In addition to what's in the chart, we support using an SSH server as a proxy
    We also support NTLM authentication for HTTP CONNECT proxies (optionally with single sign-on).

  7. SFTP versions supported – This is a tricky subject and deserves
    a blog post of its own!
    The SFTP protocol is no longer evolving and is currently described by "IETF draft documents" that have been "expired" for years. One of the reasons for this unfortunate state is that it was getting somewhat out of hand and the IETF working group responsible for SSH decided to cease working on it. In words of OpenSSH (which includes the most commonly used SFTP server) developers, "more recent versions of the [...] drafts [... are hopelessly bloated and broken" and OpenSSH won't even be supporting those more recent versions (v4 to v6). We mostly agree with them, but we still implemented v4 which actually still includes useful features such as mandatory UTF-8 charset support, text-file support and string-based owner/group attributes support, and v4 is actually supported by a lot of servers. On the other hand, we agree that v5 and v6 are not even worth supporting – that's when the development of the protocol went out of hand. For example, v5 added support for calculating MD5 checksums, v6 removed it again with no replacement... This said, if you presented a scenario that requires v5 or v6 support, we might reconsider our position!
    As for v2 support - this version is not even defined by the expired IETF drafts (the first one already defined v3) and we believe it's extinct. No one ever asked for it since the first release of Rebex SFTP in 2006. In fact, no one even mentioned it... But it's almost identical to v3, which means we can add support for it within days if you need it and if any server actually supports it (and doesn't support v3).

  8. SSH authentication schemes – Yes, yes... It's true that we don't support some of those authentication schemes at the moment. There seems to be no demand for them, so we concentrated instead on more useful features. However, adding support for custom GSS-API modules or host-based schemes would be trivial, it's just that no one ever asked. If you need any of the missing schemes, just let us know and you might be pleasantly surprised soon. Also, as far as I know, Pageant or ssh-agent are not really "authentication schemes", but rather means of storing and accessing the actual private keys. We docurrently support a combination of password, public-key and keyboard-interactive schemes.

  9. SSH key management – we do support DSS and RSA keys as well (you can use .NET's RSACryptoServiceProvider and DSACryptoServiceProvider with Rebex SFTP).

  10. Low-level SFTP methods – we do support low-level read and write through Sftp object's GetStream method. We don't support lock because it was introduced in SFTP v5 (see point 7).

But frankly, what's most interesting is not what is in the chart, but rather what is not there. Highlights from our feature list include:

  • Common API for SFTP and FTP (includes FTP/SSL). If you plan to ever support the FTP protocol as well, you will find our IFtp interface very useful.

  • Rebex SFTP includes support for the SCP "protocol" (through a separate object). This is very useful when working with SSH servers that don't support SFTP.

  • Rebex SFTP integrates nicely with Rebex SSH Shell which adds terminal emulation capabilities – it's even possible to share a single SSH session for both SFTP and SSH terminal emulation.

  • We have .NET 4.0-style asynchronous API that greatly simplifies asynchronous programming when used with .NET's await keyword.

  • We support single sign-on authentication with Kerberos and NTLM.

  • We have a powerful multi-file API that makes it possible to transfer (or list or delete) multiple files easily.

  • Atomic POSIX-rename support (tremendously useful in some scenarios, such as when accessing FAT file systems though Unix servers).

  • CryptoAPI key storage support makes it possible to use one of CryptoAPI's many providers to store private keys in Windows key stores or smart cards, reducing the need for Pageant or ssh-agent.

  • Eldos claims "strict observance of the standards" (here). That's fine, and we would like to always strictly observe the standards as well, but we don't live in an ideal world and the actual servers we communicate with are far from perfect. Sometimes, they even deviate from those standards! That's why we added numerous workarounds over the years to make sure we work with as many servers as possible. The best thing about all this is that most of those workarounds are automatic and you don't ever have to care about it.

  • Rebex SFTP is written in 100% managed C # and our DLLs can be used on both 32bit and 64bit systems. It doesn't rely on any third-party library (except what's provided by the OS or .NET itself) and doesn't include any third party or open source code. We are familiar with all parts of it. Yes, we even implemented the ZLIB algorithm ourselves.

I guess Eldos SFTPBlackBox has some of these features as well, although it's a pity they have not included them in the chart. But what's the purpose of a comparison chart if many must-have features are not even mentioned, while relatively minor ones such as proxy support (which we do have) are? Give the components a try instead!