Google's Chrome browser will start labelling insecure FTP sites
Ongoing effort to secure all web traffic by Google


Unencrypted FTP transfers will soon be labelled as insecure in Google Chrome, the search giant has announced.
According to a posting on the Chromium Google Groups forum, the move forms part of the firm's "ongoing effort to accurately communicate the transport security status of a given page".
Google employee and Chrome security team member Mike West said that Google would label resources delivered over the FTP protocol as "Not secure", beginning in Chrome 63 (sometime around December, 2017).
"We didn't include FTP in our original plan, but unfortunately its security properties are actually marginally worse than HTTP (delivered in plaintext without the potential of an HSTS-like upgrade). Given that FTP's usage is hovering around 0.0026% of top-level navigations over the last month, and the real risk to users presented by non-secure transport, labelling it as such seems appropriate," he said.
He encouraged developers to follow the example of the Linux kernel archives by migrating public-facing downloads (especially executables) from FTP to HTTPS.
FTP dates back to 1971 and does not encrypt data passing between clients and servers, which means that traffic can be read by anyone able to perform packet capture on the network. It can be secured with SSL/TLS (this is FTPS), but many browsers do not support this.
"Because FTP usage is so low, we've thrown around the idea of removing FTP support entirely over the years. In addition to not being a secure transport, it's also additional attack surface, and it currently runs in the browser process," said Chris Palmer, another member of the Chrome security team.
As such, it would appear that branding FTP transfers as insecure will not have an enormous effect on the use of FTP. However, for companies still using the rather ancient technique, the labelling could serve as a means to prompt them to upgrade and update their IT infrastructure and processes.
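For teams acting on the advice to move public-facing downloads (especially executables) from FTP to HTTPS, the following is an added example, not code from the article or from Google: it audits a page's HTML for resources that resolve to `ftp://` URLs and ranks executables first. The extension list, the sample page and the `example.org` hosts are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed list of executable/installer extensions; extend for your own estate.
EXECUTABLE_EXTS = (".exe", ".msi", ".dmg", ".pkg", ".deb", ".rpm", ".sh", ".apk", ".jar")
URL_ATTRS = {"href", "src", "action", "data"}


class FtpLinkAuditor(HTMLParser):
    """Collects every resource reference that resolves to an ftp:// URL."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            parts = urlsplit(urljoin(self.base_url, value.strip()))
            if tag == "base":  # <base href> changes how later relative links resolve
                self.base_url = parts.geturl()
                continue
            if parts.scheme != "ftp":
                continue
            self.findings.append({
                "line": self.getpos()[0],
                "url": parts.geturl(),  # scheme normalised to lower case
                "executable": parts.path.lower().endswith(EXECUTABLE_EXTS),
                "embedded_credentials": parts.username is not None,
            })


def audit_html(html, base_url):
    """Return ftp:// findings, executables first (highest migration priority)."""
    auditor = FtpLinkAuditor(base_url)
    auditor.feed(html)
    auditor.close()
    return sorted(auditor.findings, key=lambda f: (not f["executable"], f["line"]))


# Constructed sample page; hosts and paths are placeholders.
SAMPLE = """<html><head><base href="ftp://files.example.org/pub/"></head><body>
<a href="https://example.org/docs.html">Docs</a>
<a href="FTP://user:pw@downloads.example.org/tool/setup.EXE">Installer</a>
<a href="notes/README.txt">Notes</a>
<img src="//cdn.example.org/logo.png">
</body></html>"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE, "https://example.org/index.html"):
        print(finding)
```

Relative and scheme-relative links are resolved before the check, so a link that never spells out `ftp://` is still reported when the page's base URL is an FTP location.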
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.