Google Will Mark FTP Sites “Not Secure” in Chrome 63

FTP is unencrypted and vulnerable, so Google will mark it “Not Secure” starting in December

Google has announced plans to label FTP sites “Not Secure” starting with the release of Chrome 63 in December 2017.

Google Chrome 63 FTP "Not Secure" warning

In a post left on Google’s Security-dev forum, Mike West lays out the decision, explaining that, as part of Google’s “ongoing effort to accurately communicate the transport security status of a given page,” Chrome will now mark resources delivered via FTP “Not Secure.”

“We didn’t include FTP in our original plan, but unfortunately its security properties are actually marginally worse than HTTP (delivered in plaintext without the potential of an HSTS-like upgrade). Given that FTP’s usage is hovering around 0.0026% of top-level navigations over the last month, and the real risk to users presented by non-secure transport, labeling it as such seems appropriate.”

What is FTP?

FTP, or File Transfer Protocol (ftp://) is a decades-old network protocol that is used to transfer files between clients and servers. Originally created back in 1971, FTP does not encrypt traffic by default, making it susceptible to interception and manipulation by eavesdropping third parties.

FTP can be secured using SSL/TLS, which in turn creates FTPS. Unfortunately, FTPS is not a widely supported feature in most browsers, including Chrome, due to its low usage rate.

Per Google’s Chris Palmer:

“Because FTP usage is so low, we’ve thrown around the idea of removing FTP support entirely over the years. In addition to not being a secure transport, it’s also additional attack surface, and it currently runs in the browser process.”

For the time being, Google Chrome will continue to support FTP, but starting in December it will be marked “Not Secure.”

Google suggests migrating public-facing downloads from FTP to HTTPS.
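
One way to inventory the ftp:// links a site still publishes before moving those downloads to HTTPS, including relative links that only become FTP through a `<base href>`. This is an added example, not code from the original article or from Google; the function names are hypothetical, and the page URL, hostnames and sample HTML are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that can carry a URL the browser will navigate to or fetch.
URL_ATTRS = {"href", "src", "data", "action"}

class FtpLinkFinder(HTMLParser):
    """Collect every URL attribute that resolves to the ftp:// scheme."""

    def __init__(self, page_url):
        super().__init__()
        self.base = page_url      # replaced if the page declares <base href>
        self.base_seen = False
        self.findings = []        # (line, tag, attribute, resolved URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href") and not self.base_seen:
            # Only the first <base href> applies; it can silently turn
            # every relative link on the page into an FTP link.
            self.base = urljoin(self.base, attrs["href"].strip())
            self.base_seen = True
            return
        for name, value in attrs.items():
            if name not in URL_ATTRS or not value:
                continue
            resolved = urljoin(self.base, value.strip())
            # urlsplit lowercases the scheme, so "FTP://" is caught too.
            if urlsplit(resolved).scheme == "ftp":
                self.findings.append((self.getpos()[0], tag, name, resolved))

def find_ftp_links(html, page_url):
    finder = FtpLinkFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

def hosts_to_migrate(findings):
    """Distinct FTP hosts whose downloads need an HTTPS home."""
    return sorted({urlsplit(url).hostname for _, _, _, url in findings})

# Constructed sample page, not taken from any real site.
SAMPLE = """<html><body>
<a href="https://downloads.example.com/tool-1.0.tar.gz">HTTPS mirror</a>
<a href="FTP://ftp.example.com/pub/tool-1.0.tar.gz">FTP mirror</a>
<a href="//cdn.example.com/tool.sig">signature</a>
<img src="ftp://files.example.org/logo.png">
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, url in find_ftp_links(SAMPLE, "https://www.example.com/download.html"):
        print(f"line {line}: <{tag} {attr}> -> {url}")
```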

What We Hashed Out (For the Skimmers)

Here’s what we covered in today’s discussion:

  • Starting in December 2017 with the release of Chrome 63, Google will mark FTP sites “Not Secure.”
  • FTP stands for File Transfer Protocol; it has been around since the 1970s and is not encrypted.
  • Google recommends migrating public-facing downloads from FTP to HTTPS for better security.


Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.