FTP Sites get ‘Not secure’ Label with Chrome

Friday, September 15, 2017 @ 02:09 PM gHale


Google Chrome 63 will label resources delivered over the FTP protocol as “Not secure.”

This change is part of Google’s continuous effort to “accurately communicate the transport security status of a given page.”

“We didn’t include FTP in our original plan [which involved marking HTTP as non-secure], but unfortunately its security properties are actually marginally worse than HTTP (delivered in plaintext without the potential of an HSTS-like upgrade). Given that FTP’s usage is around 0.0026 percent of top-level navigations over the last month, and the real risk to users presented by non-secure transport, labeling it as such seems appropriate,” Google’s Mike West said in a post.

The File Transfer Protocol (FTP) is a network protocol used for transferring computer files between a client and server.

A protocol that dates to 1971, FTP does not encrypt its traffic, which means anyone with access to the network can read all transmissions.

It can be secured with SSL/TLS, thus becoming FTPS (aka “FTP Secure”), but Chrome and the other major browsers don’t support FTPS.

In the meantime, ftp:// resources will get marked as “Not secure,” and West said developers should switch from using FTP to HTTPS for public-facing downloads.

“In order to make a reasonable decision about whether removing FTP from Chrome is the right path forward, it would be helpful to understand how many FTP downloads users generally trigger,” West said. “I’ve only looked into numbers for top-level navigation (`Navigation.MainFrameSchemeDifferentPage`), which I don’t believe includes downloads.”

In essence about 4.73 percent of downloads over the last month were using a non-HTTP(S) scheme, West said. “I think that might be an overestimate for `ftp:`, as it’s not clear to me where `blob:` or `filesystem:` get bucketed, but it’s a useful upper-bound on FTP traffic.”

Chrome 63 should release sometime around December.


