Last week, Google announced that future versions of Chrome will label resources delivered via the File Transfer Protocol (FTP) as “Not secure.”
The security improvement will be implemented starting with Chrome 63 version that is planned for release in December 2017. Google continues its effort to encourage website owners and administrators to migrate adopting HTTPS.
“As part of our ongoing effort to accurately communicate the transport security status of a given page, we’re planning to label resources delivered over the FTP protocol as “Not secure”, beginning in Chrome 63 (sometime around December, 2017).” said Google software engineer Mike West.
“We didn’t include FTP in our original plan, but unfortunately its security properties are actually marginally worse than HTTP (delivered in plaintext without the potential of an HSTS-like upgrade),” Google software engineer Mike West explained.
According to Google, the FTP usage for top-level navigations was 0.0026% in the last month. Roughly 5% of the downloads were not conducted over HTTP/HTTPS, which could be FTP.
“We didn’t include FTP in our original plan, but unfortunately its security properties are actually marginally worse than HTTP (delivered in plaintext without the potential of an HSTS-like upgrade). Given that FTP’s usage is hovering around 0.0026% of top-level navigations over the last month, and the real risk to users presented by non-secure transport, labeling it as such seems appropriate.” continues West.
Google encouraged developers to follow the example of the linux kernel archives by migrating public-facing downloads from FTP to HTTPS and terminating all FTP services by the end of the year.
FTP has been around since the 1980s, even if support for the SSL and TLS protocols can be added via the FTP Secure (FTPS) extension the FTPS is not supported by web browsers.
[adrotate banner=”9″]
(Security Affairs – Chrome, FTP)
[adrotate banner=”12″]