
Chrome to label FTP sites insecure

It's only 0.0026 per cent of traffic, but it's all in plaintext so deserves a red flag


Google's Chrome browser will soon label file transfer protocol (FTP) services insecure.

Google employee and Chrome security team member Mike West yesterday announced the plan on the Chromium.org security-dev mailing list.

“As part of our ongoing effort to accurately communicate the transport security status of a given page, we're planning to label resources delivered over the FTP protocol as 'Not secure'.”

“We didn't include FTP in our original plan,” West wrote, referring to the decision to mark HTTP as insecure. Adding FTP to Chrome's naughty list was decided upon because “its security properties are actually marginally worse than HTTP (delivered in plaintext without the potential of an HSTS-like upgrade). Given that FTP's usage is hovering around 0.0026% of top-level navigations over the last month, and the real risk to users presented by non-secure transport, labelling it as such seems appropriate.”

As we noted when covering Debian's decision to dump its FTP archive, the protocol was published in 1971. Age alone doesn't make it a bad protocol, but it was designed for gentler times. It's therefore hard to disagree with Google's decision.

West points out that the Linux Kernel archive has also binned FTP, with ftp://ftp.kernel.org/ taken offline on March 1st, 2017, in favour of HTTPS. ®
