Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Chrome to Label FTP Resources as “Not Secure”

Google announced on Thursday that future versions of Chrome will label resources delivered via the File Transfer Protocol (FTP) as “Not secure.”

Google announced on Thursday that future versions of Chrome will label resources delivered via the File Transfer Protocol (FTP) as “Not secure.”

The change will be implemented starting with Chrome 63, currently scheduled for release in December 2017. The move is part of Google’s long-term plan to flag all non-secure connections in an effort to alert users and encourage website owners and administrators to migrate to HTTPS.

“We didn’t include FTP in our original plan, but unfortunately its security properties are actually marginally worse than HTTP (delivered in plaintext without the potential of an HSTS-like upgrade),” Google software engineer Mike West explained.

West pointed out that FTP usage for top-level navigations was 0.0026% in the last month. In the case of downloads, there were roughly 5% that were conducted over something other than HTTP/HTTPS, which could be FTP.

Google has encouraged website developers to migrate the downloads they offer, particularly for executable files, from FTP to HTTPS, and pointed as an example to the Linux Kernel Archives, which plans on terminating all FTP services by the end of the year.

Chrome developers have been discussing the possibility of removing built-in support for FTP since January 2014, but for the time being the use of the protocol will only be marked as “not secure.”

Chrome marks FTP sites as not secure

“When a feature gets usage that low, we generally start talking about removing it. Especially if it exposes attack surface or is fundamentally unsafe on the network, as FTP does and is,” said Google’s Chris Palmer.

FTP has been around in its current form since the 1980s. Support for the SSL and TLS protocols can be added via the FTP Secure (FTPS) extension, but FTPS is not supported by web browsers.

Advertisement. Scroll to continue reading.

“As for FTPS, I’m glad it exists, but if we were going to focus on getting server operators to migrate to a new protocol, we would focus (and are focusing) on HTTPS,” Palmer added.

Related: Chrome Addresses Threat of Unicode Domain Spoofing

Related: Chrome 59 Patches 30 Vulnerabilities

Related: Fake Chrome Font Update Attack Distributes Backdoor

Related: Google Tightens Security Rules for Chrome Extensions

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.