Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Chrome to Label FTP Resources as “Not Secure”

Google announced on Thursday that future versions of Chrome will label resources delivered via the File Transfer Protocol (FTP) as “Not secure.”

Google announced on Thursday that future versions of Chrome will label resources delivered via the File Transfer Protocol (FTP) as “Not secure.”

The change will be implemented starting with Chrome 63, currently scheduled for release in December 2017. The move is part of Google’s long-term plan to flag all non-secure connections in an effort to alert users and encourage website owners and administrators to migrate to HTTPS.

“We didn’t include FTP in our original plan, but unfortunately its security properties are actually marginally worse than HTTP (delivered in plaintext without the potential of an HSTS-like upgrade),” Google software engineer Mike West explained.

West pointed out that FTP usage for top-level navigations was 0.0026% in the last month. In the case of downloads, there were roughly 5% that were conducted over something other than HTTP/HTTPS, which could be FTP.

Google has encouraged website developers to migrate the downloads they offer, particularly for executable files, from FTP to HTTPS, and pointed as an example to the Linux Kernel Archives, which plans on terminating all FTP services by the end of the year.

Chrome developers have been discussing the possibility of removing built-in support for FTP since January 2014, but for the time being the use of the protocol will only be marked as “not secure.”

Chrome marks FTP sites as not secure

“When a feature gets usage that low, we generally start talking about removing it. Especially if it exposes attack surface or is fundamentally unsafe on the network, as FTP does and is,” said Google’s Chris Palmer.

FTP has been around in its current form since the 1980s. Support for the SSL and TLS protocols can be added via the FTP Secure (FTPS) extension, but FTPS is not supported by web browsers.

“As for FTPS, I’m glad it exists, but if we were going to focus on getting server operators to migrate to a new protocol, we would focus (and are focusing) on HTTPS,” Palmer added.

Related: Chrome Addresses Threat of Unicode Domain Spoofing

Related: Chrome 59 Patches 30 Vulnerabilities

Related: Fake Chrome Font Update Attack Distributes Backdoor

Related: Google Tightens Security Rules for Chrome Extensions

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Audits

Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...

Management & Strategy

Microsoft making a multiyear, multibillion dollar investment in the artificial intelligence startup OpenAI, maker of ChatGPT and other tools.