Chrome will tag FTP sites as “Not secure”

Google Chrome 63, expected to be released sometime around December, will label resources delivered over the FTP protocol as “Not secure”, a member of the Chrome security team has shared.


This change is part of Google’s continuous effort to “accurately communicate the transport security status of a given page.”

“We didn’t include FTP in our original plan [which involved marking HTTP as non-secure], but unfortunately its security properties are actually marginally worse than HTTP (delivered in plaintext without the potential of an HSTS-like upgrade). Given that FTP’s usage is hovering around 0.0026% of top-level navigations over the last month, and the real risk to users presented by non-secure transport, labeling it as such seems appropriate,” Mike West noted.

About FTP

The File Transfer Protocol (FTP) is a network protocol used for transferring computer files between a client and server.

It’s an old protocol – its first specification, RFC 114, dates back to 1971 – and it encrypts nothing: usernames, passwords, commands and file contents all cross the network in plaintext, so anyone able to perform packet capture on the path can read them.

It can be wrapped in SSL/TLS, which turns it into FTPS (aka “FTP Secure”, and not to be confused with SFTP, which is file transfer over SSH), but neither Chrome nor any of the other major browsers supports FTPS.
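To make the plaintext problem concrete, here is an added example (written for this page, not Chrome’s code or any real tool) that replays FTP control-channel traffic from a constructed capture and pulls out every login that crossed the wire in the clear. It also recognises explicit FTPS (RFC 4217: the client sends AUTH TLS and the server answers with a 234 reply), after which the channel is inside TLS and nothing further is readable. The capture format (stream number, direction, message) is an assumption made for the example.

```python
"""Added example: flag FTP credentials that a packet capture would expose.

Illustrative code written for this page, not Chrome's code or any real tool.
The FTP control channel is plain text, so USER/PASS appear verbatim in a
capture unless the client first negotiated TLS (explicit FTPS, RFC 4217:
AUTH TLS answered with 234). The "capture" below is constructed by hand:
one control-channel message per line, prefixed with a stream number and a
direction (C = client, S = server).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE_CAPTURE = """\
1 S: 220 ftp.example.test FTP server ready
1 C: USER alice
1 S: 331 Password required for alice
1 C: PASS hunter2
1 S: 230 User alice logged in
1 C: RETR report.pdf
1 S: 150 Opening BINARY mode data connection
1 S: 226 Transfer complete
1 C: QUIT
2 S: 220 ftps.example.test FTP server ready
2 C: AUTH TLS
2 S: 234 Proceed with negotiation
2 -: 17 03 03 00 2a ... (TLS application data, not decodable)
"""

LINE_RE = re.compile(r"^(?P<stream>\d+)\s+(?P<dir>[CS]):\s*(?P<msg>.*)$")


@dataclass
class Session:
    stream: int
    user: Optional[str] = None
    password: Optional[str] = None
    tls_negotiated: bool = False
    awaiting_auth_reply: bool = False
    commands_in_clear: List[str] = field(default_factory=list)


def parse_capture(text: str) -> Dict[int, Session]:
    """Replay each control-channel stream and record what was sent in the clear."""
    sessions: Dict[int, Session] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a readable control-channel line (e.g. TLS records)
        sid = int(m["stream"])
        s = sessions.setdefault(sid, Session(sid))
        if s.tls_negotiated:
            continue  # after the 234 reply the channel is inside TLS
        msg = m["msg"]
        if m["dir"] == "C":
            verb, _, arg = msg.partition(" ")
            verb = verb.upper()
            s.commands_in_clear.append(verb)
            if verb == "USER":
                s.user = arg
            elif verb == "PASS":
                s.password = arg
            # AUTH TLS / AUTH SSL asks the server to start a TLS handshake
            s.awaiting_auth_reply = verb == "AUTH" and arg.upper() in ("TLS", "SSL")
        else:
            code = msg[:3]
            if s.awaiting_auth_reply and code == "234":
                s.tls_negotiated = True  # server agreed; later traffic is ciphertext
            s.awaiting_auth_reply = False
    return sessions


def plaintext_credentials(sessions: Dict[int, Session]) -> List[Tuple[int, str, str]]:
    """Return (stream, user, password) for every login that crossed the wire unencrypted."""
    return [
        (s.stream, s.user, s.password)
        for s in sessions.values()
        if s.user is not None and s.password is not None
    ]


if __name__ == "__main__":
    found = parse_capture(SAMPLE_CAPTURE)
    for stream, user, password in plaintext_credentials(found):
        print(f"stream {stream}: plaintext login {user}:{password}")
    for s in found.values():
        if s.tls_negotiated:
            print(f"stream {s.stream}: AUTH TLS accepted, credentials not visible")
```

On the constructed capture, stream 1 yields the login alice:hunter2 and the full command list, while stream 2 yields nothing after the 234 reply. On a real capture you would feed the parser the reassembled TCP payload of port 21 streams; the same logic does not apply to SFTP, which is encrypted from the first byte.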

“Because FTP usage is so low, we’ve thrown around the idea of removing FTP support entirely over the years. In addition to not being a secure transport, it’s also additional attack surface, and it currently runs in the browser process,” noted Chris Palmer, another member of the Chrome security team.

But until that happens, ftp:// resources will get marked as “Not secure”, and West has urged developers to switch from using FTP to HTTPS for public-facing downloads.