Goggle explained its decision in a Chrome developers group:
“We didn’t include FTP in our original plan, but
unfortunately its security properties are actually marginally worse than HTTP
(delivered in plaintext without the potential of an HSTS-like upgrade). Given
that FTP’s usage is hovering around 0.0026% of top-level navigations over the
last month, and the real risk to users presented by non-secure transport,
labeling it as such seems appropriate.”
FTP does not encrypt traffic by default. It sends your
information, including username and password, unencrypted. That was okay in the 70's but not today.
FTP can be secured using an SSL/TLS, which in turn creates
FTPS. Unfortunately, FTPS is not a widely-supported feature on most browsers,
including Chrome, due to its low usage rate.
Nevertheless, Google Chrome will continue to support
FTP, albeit with the “Not Secure” label attached. Google suggests migrating public-facing downloads from FTP
to HTTPS.
