Security Experts:

Chrome to Label FTP Resources as "Not Secure"

Google announced on Thursday that future versions of Chrome will label resources delivered via the File Transfer Protocol (FTP) as “Not secure.”

The change will be implemented starting with Chrome 63, currently scheduled for release in December 2017. The move is part of Google’s long-term plan to flag all non-secure connections in an effort to alert users and encourage website owners and administrators to migrate to HTTPS.

“We didn't include FTP in our original plan, but unfortunately its security properties are actually marginally worse than HTTP (delivered in plaintext without the potential of an HSTS-like upgrade),” Google software engineer Mike West explained.

West pointed out that FTP usage for top-level navigations was 0.0026% in the last month. In the case of downloads, there were roughly 5% that were conducted over something other than HTTP/HTTPS, which could be FTP.

Google has encouraged website developers to migrate the downloads they offer, particularly for executable files, from FTP to HTTPS, and pointed as an example to the Linux Kernel Archives, which plans on terminating all FTP services by the end of the year.

Chrome developers have been discussing the possibility of removing built-in support for FTP since January 2014, but for the time being the use of the protocol will only be marked as “not secure.”

Chrome marks FTP sites as not secure

“When a feature gets usage that low, we generally start talking about removing it. Especially if it exposes attack surface or is fundamentally unsafe on the network, as FTP does and is,” said Google’s Chris Palmer.

FTP has been around in its current form since the 1980s. Support for the SSL and TLS protocols can be added via the FTP Secure (FTPS) extension, but FTPS is not supported by web browsers.

“As for FTPS, I'm glad it exists, but if we were going to focus on getting server operators to migrate to a new protocol, we would focus (and are focusing) on HTTPS,” Palmer added.

Related: Chrome Addresses Threat of Unicode Domain Spoofing

Related: Chrome 59 Patches 30 Vulnerabilities

Related: Fake Chrome Font Update Attack Distributes Backdoor

Related: Google Tightens Security Rules for Chrome Extensions

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.