Google Will Mark FTP Sites “Not Secure” in Chrome 63
FTP is unencrypted and vulnerable, so Google will mark it “Not Secure” starting in December
Google has announced plans to begin labelling FTP sites “Not Secure” beginning with the release of Chrome 63 in December 2017.
In a post on Google’s Security-dev forum, Mike West lays out the decision, explaining that, as part of Google’s “ongoing effort to accurately communicate the transport security status of a given page,” Chrome will now mark resources delivered via FTP “Not Secure.”
“We didn’t include FTP in our original plan, but unfortunately its security properties are actually marginally worse than HTTP (delivered in plaintext without the potential of an HSTS-like upgrade). Given that FTP’s usage is hovering around 0.0026% of top-level navigations over the last month, and the real risk to users presented by non-secure transport, labeling it as such seems appropriate.”
What is FTP?
FTP, or File Transfer Protocol (ftp://), is a decades-old network protocol used to transfer files between clients and servers. Originally created back in 1971, FTP does not encrypt traffic by default, making it susceptible to interception and manipulation by third parties on the network path.
FTP can be secured with SSL/TLS, which yields FTPS. Unfortunately, FTPS is not widely supported by browsers, including Chrome, due to its low usage rate.
Per Google’s Chris Palmer:
“Because FTP usage is so low, we’ve thrown around the idea of removing FTP support entirely over the years. In addition to not being a secure transport, it’s also additional attack surface, and it currently runs in the browser process.”
For the time being, Google Chrome will continue to support FTP, but starting in December it will be marked “Not Secure.”
Google suggests migrating public-facing downloads from FTP to HTTPS.
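As a first step toward that migration, a site owner needs an inventory of the FTP links their pages still publish. The following Python audit is an added example, not code from the original article or from Google; the sample HTML, the `.example` hostnames and the choice of attributes to inspect are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: these are the attributes worth checking for URLs on a downloads page.
URL_ATTRS = {"href", "src", "action", "data", "poster"}


class FtpLinkAuditor(HTMLParser):
    """Collects every ftp:// reference found in URL-bearing attributes."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            parts = urlsplit(value.strip())
            if parts.scheme != "ftp":  # urlsplit lowercases the scheme
                continue
            line, _ = self.getpos()  # line where the tag starts
            self.findings.append({
                "line": line,
                "tag": tag,
                "host": parts.hostname,
                "path": parts.path,
                # user:pass@ in the URL travels in plaintext as well
                "embedded_credentials": parts.username is not None,
            })


def audit_html(html):
    """Return a list of findings, one per ftp:// reference in the markup."""
    auditor = FtpLinkAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page; hosts use the reserved .example TLD.
SAMPLE_HTML = """<html><body>
<a href="https://downloads.example/tool-1.2.tar.gz">HTTPS mirror</a>
<a href="FTP://ftp.downloads.example/pub/tool-1.2.tar.gz">FTP mirror</a>
<a href="ftp://anonymous:guest@ftp.downloads.example/pub/README">README</a>
<img src="/static/logo.png">
</body></html>"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE_HTML):
        print(finding)
```

Each finding identifies a download that Chrome 63 will label “Not Secure” and that is a candidate for republishing over HTTPS.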
What We Hashed Out (For the Skimmers)
Here’s what we covered in today’s discussion:
- Starting in December 2017 with the release of Chrome 63, Google will mark FTP sites “Not Secure.”
- FTP stands for File Transfer Protocol; it has been around since the 1970s and is not encrypted.
- Google recommends migrating public-facing downloads from FTP to HTTPS for better security.