Chrome Will Start Marking FTP As Non-Secure

According to a recent post by Chrome Developer Mike West, Chrome will begin marking the FTP protocol as “Not Secure” as pictured below:

Chrome FTP Not Secure
Chrome FTP Not Secure


The Google Engineer writes,


As part of our ongoing effort to accurately communicate the transport security status of a given page, we’re planning to label resources delivered over the FTP protocol as “Not secure”, beginning in Chrome 63 (sometime around December, 2017). We didn’t include FTP in our original plan, but unfortunately its security properties are actually marginally worse than HTTP (delivered in plaintext without the potential of an HSTS-like upgrade). Given that FTP’s usage is hovering around 0.0026% of top-level navigations over the last month, and the real risk to users presented by non-secure transport, labeling it as such seems appropriate. We’d encourage developers to follow the example of the linux kernel archives by migrating public-facing downloads (especially executables!) from FTP to HTTPS.


Google’s Chrome development team is making these changes as part of their continued plan for Chrome’s 2017 development. Long term the team eventually plans to mark all HTTP pages as Not secure but there is no current target date. This does mean that businesses will have some time to SSL secure their websites and redirect to the HTTPS version prior to this major change. You can read more about that here. Ultimately, the goal of these recent changes are to, “more clearly display to users that HTTP provides no data security”.






Related Posts