Friday, September 22, 2017

Google Will Mark FTP Sites As "Not Secure"

When Google releases Chrome 63 in December 2017, it will mark FTP sites “Not Secure.” That is because FTP is unencrypted and exposed to eavesdropping. FTP stands for File Transfer Protocol. It was first specified in the 1970s, before hackers, malware and phishing sites were everywhere.

Google explained its decision in a Chrome developers group:

“We didn’t include FTP in our original plan, but unfortunately its security properties are actually marginally worse than HTTP (delivered in plaintext without the potential of an HSTS-like upgrade). Given that FTP’s usage is hovering around 0.0026% of top-level navigations over the last month, and the real risk to users presented by non-secure transport, labeling it as such seems appropriate.”

FTP does not encrypt traffic by default. It sends your information, including username and password, in plaintext. That was acceptable in the 1970s but not today.

FTP can be secured with SSL/TLS, which yields FTPS. Unfortunately, FTPS is not widely supported by browsers, including Chrome, because of its low usage rate.
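The two points above, credentials sent in plaintext and the FTPS upgrade, illustrated with an added example that is not from the original post: it audits a constructed FTP control-channel transcript (the `C: `/`S: ` line prefixes are an assumed convention, like a packet analyzer's follow-stream view) and reports what a passive observer of the connection could read.

```python
"""Audit a captured FTP control-channel transcript for plaintext credentials.

Added example. Explicit FTPS (RFC 4217) upgrades the channel with AUTH TLS
answered by a 234 reply; everything sent before that point, or in a session
that never upgrades, travels in the clear."""
import re

CMD_RE = re.compile(r"^C: (?P<verb>[A-Za-z]+)(?: (?P<arg>.*))?$")
REPLY_RE = re.compile(r"^S: (?P<code>\d{3})[ -]")


def audit_ftp_session(lines):
    """Return what a passive observer of this session could read."""
    result = {"tls_negotiated": False, "cleartext_user": None,
              "cleartext_password": False, "cleartext_commands": []}
    awaiting_auth_reply = False
    for line in lines:
        m = CMD_RE.match(line.strip())
        if m:
            verb, arg = m.group("verb").upper(), m.group("arg")
            if result["tls_negotiated"]:
                continue  # after the upgrade the control channel is encrypted
            if verb == "AUTH" and arg and arg.upper() in ("TLS", "SSL"):
                awaiting_auth_reply = True
            elif verb == "USER":
                result["cleartext_user"] = arg
            elif verb == "PASS":
                result["cleartext_password"] = True
            else:
                result["cleartext_commands"].append(verb)
            continue
        r = REPLY_RE.match(line.strip())
        if r and awaiting_auth_reply:
            # 234 means the server accepted the requested security mechanism
            result["tls_negotiated"] = r.group("code") == "234"
            awaiting_auth_reply = False
    return result


PLAIN_SESSION = [  # constructed capture: legacy plaintext FTP login
    "S: 220 files.example.test FTP server ready",
    "C: USER alice",
    "S: 331 Password required for alice",
    "C: PASS hunter2",
    "C: RETR release-1.0.tar.gz",
]
FTPS_SESSION = [  # constructed capture: explicit FTPS login
    "S: 220 files.example.test FTP server ready",
    "C: AUTH TLS",
    "S: 234 Proceed with negotiation",  # USER/PASS now travel inside TLS
]
```

A server that rejects AUTH TLS (for example with a 502 reply) leaves the client to fall back to the legacy login, which the audit reports the same way as a session that never attempted the upgrade.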

Nevertheless, Google Chrome will continue to support FTP, albeit with the “Not Secure” label attached. Google suggests migrating public-facing downloads from FTP to HTTPS.