FTP is unencrypted and vulnerable, so Google will mark it “Not Secure” starting in December
Google has announced plans to begin labelling FTP sites “Not Secure” beginning with the release of Chrome 63 in December 2017.
In a post on Google's security-dev forum, Mike West lays out the decision: as part of Google's "ongoing effort to accurately communicate the transport security status of a given page," Chrome will now mark resources delivered via FTP "Not Secure."
“We didn’t include FTP in our original plan, but unfortunately its security properties are actually marginally worse than HTTP (delivered in plaintext without the potential of an HSTS-like upgrade). Given that FTP’s usage is hovering around 0.0026% of top-level navigations over the last month, and the real risk to users presented by non-secure transport, labeling it as such seems appropriate.”
What is FTP?
FTP, or File Transfer Protocol (ftp://), is a decades-old network protocol used to transfer files between clients and servers. Originally specified back in 1971, the protocol itself has no encryption: usernames, passwords, directory listings and file contents all cross the network in plaintext, so anyone on the path can read them or tamper with them.
FTP can be secured by wrapping it in SSL/TLS, which gives you FTPS (FTP over TLS). Unfortunately, FTPS is not supported by most browsers, including Chrome, because so few sites use it.
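To make the two points above concrete (plaintext FTP exposes everything to an on-path observer; FTPS hides it behind TLS), here is a small passive "eavesdropper" that reads the reassembled control channel of an FTP session and pulls out whatever is visible. This is an added example written for this article, not code from Google or from the Chrome project. The two captures are constructed byte strings standing in for what a sniffer would reassemble from TCP port 21; the hostname, account and file names in them are made up.

```python
"""Show what a passive on-path observer learns from an FTP control channel.

Added example for this article. The two captures below are constructed, not
real traffic: they are the client and server halves of a control connection
(TCP port 21) already reassembled into one byte stream, which is what a
sniffer working from a pcap would produce.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed plain-FTP session: login, passive data channel, one download.
PLAIN_FTP_CAPTURE = (
    b"220 files.example.net FTP server ready\r\n"
    b"USER alice\r\n"
    b"331 Password required for alice\r\n"
    b"PASS hunter2\r\n"
    b"230 User alice logged in\r\n"
    b"PASV\r\n"
    b"227 Entering Passive Mode (192,0,2,10,195,80)\r\n"
    b"RETR payroll-2017.xlsx\r\n"
    b"150 Opening BINARY mode data connection\r\n"
    b"226 Transfer complete\r\n"
    b"QUIT\r\n"
    b"221 Goodbye\r\n"
)

# Constructed explicit-FTPS session: after "AUTH TLS" is accepted the control
# channel becomes TLS, so all the sniffer sees from then on is opaque record
# bytes (a stand-in TLS ClientHello prefix here), never USER or PASS.
FTPS_CAPTURE = (
    b"220 files.example.net FTP server ready\r\n"
    b"AUTH TLS\r\n"
    b"234 Proceed with negotiation\r\n"
    b"\x16\x03\x03\x00\x5a\x01\x00\x00\x56\x03\x03\x9a\xd4\x1e\x07\x8f\x42"
)

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" -> host h1.h2.h3.h4, port p1*256+p2
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass
class SessionView:
    """Everything an eavesdropper could recover from one control channel."""
    username: Optional[str] = None
    password: Optional[str] = None
    files: List[str] = field(default_factory=list)          # RETR/STOR targets
    data_endpoints: List[Tuple[str, int]] = field(default_factory=list)
    commands: List[str] = field(default_factory=list)       # client verbs seen
    tls_started: bool = False                               # AUTH TLS accepted


def eavesdrop(capture: bytes) -> SessionView:
    """Parse a reassembled FTP control channel until it stops being plaintext."""
    view = SessionView()
    for raw in capture.split(b"\r\n"):
        if not raw:
            continue
        # FTP control lines are printable ASCII. Anything else means the
        # channel has been upgraded to TLS (or is otherwise unreadable), so
        # the passive observer is done.
        if not all(0x20 <= b < 0x7F for b in raw):
            break
        line = raw.decode("ascii")
        verb, _, arg = line.partition(" ")
        if verb[:1].isdigit():
            # Server reply. Two replies carry information worth keeping.
            if verb == "234" and view.commands and view.commands[-1] == "AUTH":
                view.tls_started = True
            elif verb == "227":
                m = PASV_RE.search(arg)
                if m:
                    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
                    # The data channel is where the file bytes will flow, so the
                    # sniffer now knows exactly which stream to capture next.
                    view.data_endpoints.append((f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))
            continue
        verb = verb.upper()
        view.commands.append(verb)
        if verb == "USER":
            view.username = arg
        elif verb == "PASS":
            view.password = arg
        elif verb in ("RETR", "STOR"):
            view.files.append(arg)
    return view


if __name__ == "__main__":
    for label, cap in (("plain FTP", PLAIN_FTP_CAPTURE), ("FTPS", FTPS_CAPTURE)):
        print(label, eavesdrop(cap))
```

Run against the plain capture the parser recovers the username, the password, the file name and the exact data-channel endpoint (192.0.2.10:50000) where the file contents will be sent, also in the clear. Against the FTPS capture it recovers only the server banner and the fact that TLS negotiation began. Note the weakness Mike West alludes to with "without the potential of an HSTS-like upgrade": the FTPS client still connects in plaintext first and only asks for TLS with AUTH TLS, so an on-path attacker can answer that command with an error, and any client not configured to require TLS will simply carry on unencrypted.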
Per Google’s Chris Palmer:
“Because FTP usage is so low, we’ve thrown around the idea of removing FTP support entirely over the years. In addition to not being a secure transport, it’s also additional attack surface, and it currently runs in the browser process.”
For the time being, Google Chrome will continue to support FTP, but starting in December it will be marked “Not Secure.”
Google suggests migrating public-facing downloads from FTP to HTTPS.
What We Hashed Out (For the Skimmers)
Here’s what we covered in today’s discussion:
- Starting in December 2017 with the release of Chrome 63, Google will mark FTP sites “Not Secure.”
- FTP stands for File Transfer Protocol; it has been around since the 1970s and carries everything, credentials included, unencrypted.
- Google recommends migrating public-facing downloads from FTP to HTTPS for better security.