Chrome willResources delivered via FTP as “Not Secure”

Google continues the ongoing effort to communicate the transport security status of a given page labeling resources delivered via FTP as “Not secure” in Chrome,

Last week, Google announced that future versions of Chrome will label resources delivered via the File Transfer Protocol (FTP) as “Not secure.”

Chrome FTP not secure

The security improvement will be implemented starting with Chrome 63 version that is planned for release in December 2017. Google continues its effort to encourage website owners and administrators to migrate adopting HTTPS.

“As part of our ongoing effort to accurately communicate the transport security status of a given page, we’re planning toresources delivered over the FTP protocol as “Not secure”, beginning in Chrome 63 (sometime around December, 2017).” said Google software engineer Mike West.

According to Google, the FTP usage for top-level navigations was 0.0026% in the last month. Roughly 5% of the downloads were not conducted over HTTP/HTTPS, which could be FTP.

“We didn’t include FTP in our original plan, but unfortunately its security properties are actually marginally worse than HTTP (delivered in plaintext without the potential of an HSTS-like upgrade). Given that FTP’s usage is hovering around 0.0026% of top-level navigations over the last month, and the real risk to users presented by non-secure transport, labeling it as such seems appropriate.” continues West.

Google encouraged developers to follow the example of the linux kernel archives by migrating public-facing downloads from FTP to HTTPS and terminating all FTP services by the end of the year.

FTP has been around since the 1980s, even if support for the SSL and TLS protocols can be added via the FTP Secure (FTPS) extension the FTPS is not supported by web browsers.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Chrome, FTP)

[adrotate banner=”12″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.