Chrome to label FTP sites insecure

Google's Chrome browser will soon label file transfer protocol (FTP) services insecure.

Google employee and Chrome security team member Mike West yesterday announced the plan on the Chromium.org security-dev mailing list.

“As part of our ongoing effort to accurately communicate the transport security status of a given page, we're planning to label resources delivered over the FTP protocol as 'Not secure'.”

“We didn't include FTP in our original plan,” West wrote, referring to the decision to mark HTTP as insecure. Adding FTP to Chrome's naughty list was decided upon because “its security properties are actually marginally worse than HTTP (delivered in plaintext without the potential of an HSTS-like upgrade). Given that FTP's usage is hovering around 0.0026% of top-level navigations over the last month, and the real risk to users presented by non-secure transport, labelling it as such seems appropriate.”

As we noted when covering Debian's decision to dump its FTP archive, the protocol was published in 1971. Age alone doesn't make it a bad protocol, but it was designed for gentler times. It's therefore hard to disagree with Google's decision.

West points out that the Linux Kernel archive has also binned FTP, with ftp://ftp.kernel.org/ taken offline on March 1st, 2017, in favour of HTTPS. ®