Chrome to brand FTP as “not secure”

On 14 September, it was announced in a Chrome developers group that Chrome will mark FTP (File Transfer Protocol) resources in the address bar as “not secure.”  The change is expected to be made by the release of Chrome 63 in December 2017.

Developer Mike West wrote:

We didn’t include FTP in our original plan (for Chrome development), but unfortunately its security properties are actually marginally worse than HTTP. Given that FTP’s usage is hovering around 0.0026% of top-level navigations over the last month, and the real risk to users presented by non-secure transport, labeling it as such seems appropriate.

FTP is so old it used to run on top of NCP (Network Control Program) before switching to the internet protocol suite, TCP/IP, in 1980. As of 2017, it’s now about 46 years old, which makes it 13 years older than I am.

Back in 1971, when FTP was invented, the internet as we know it didn’t exist. Its precursor, ARPANet did, but it was used exclusively by academics and members of the military.

Computer networks were a lot simpler than they are today, and they didn’t have to deal with malware, criminal hackers, cyberattacks and the other risks, which are an everyday reality now.

These days FTP is normally used for downloading files from public archives or for uploading webpages and media files to web servers. FTP can be set up so that users have to supply a username and password or in anonymous configuration where authentication isn’t required.

What makes FTP “not secure” is that all the data that’s uploaded and downloaded is sent in unencrypted plain text, including your username and password.

This means that FTP users are vulnerable to Man-in-The-Middle (MiTM) attacks that can steal usernames and passwords or modify files as they pass over a network.

As Cyber-Ark’s Adam Bosnian put it when speaking about the security weaknesses of FTP to Security Week “any network sniffer can hijack it”.

When people use FTP to transfer their files they’ll often use an FTP client like FileZilla but all modern web browsers support FTP too and aside from the ftp:// in the address bar you probably wouldn’t notice.

As Mike West wrote, 0.0026% of top-level navigations in August recorded by Chrome developers are FTP addresses, so very few Chrome users will notice the new “not secure” label.

West also recommended that developers follow the example set by The Linux Kernel Archives to migrate public-facing downloads from FTP to the much more secure HTTPS.

As a response to West’s post, Chrome developer Chris Palmer added:

Because FTP usage is so low, we’ve thrown around the idea of removing FTP support entirely over the years. In addition to not being a secure transport, it’s also additional attack surface, and it currently runs in the browser process.

There are other solutions for transferring files, not least a version of FTP which uses encryption to keep your data safe, called SFTP (Secure FTP.) The AS2 (Applicability Statement 2) and MFT (managed file transfer) protocols can also serve as secure FTP alternatives, as can tools like scp and rsync.

Frankly, I’d like to see FTP phased out entirely, for all possible implementations. Computer networks would be more secure and could function better if FTP went the way of other ill conceived 1970s inventions like pet rocks and vinyl topped cars.