On 14 September, it was announced in a Chrome developers group that Chrome will mark FTP (File Transfer Protocol) resources in the address bar as “not secure.” The change is expected to be made by the release of Chrome 63 in December 2017.
Developer Mike West wrote:
We didn’t include FTP in our original plan (for Chrome development), but unfortunately its security properties are actually marginally worse than HTTP. Given that FTP’s usage is hovering around 0.0026% of top-level navigations over the last month, and the real risk to users presented by non-secure transport, labeling it as such seems appropriate.
FTP is so old it used to run on top of NCP (Network Control Program) before switching to the internet protocol suite, TCP/IP, in 1980. As of 2017, it’s now about 46 years old, which makes it 13 years older than I am.
Back in 1971, when FTP was invented, the internet as we know it didn’t exist. Its precursor, ARPANet did, but it was used exclusively by academics and members of the military.
Computer networks were a lot simpler than they are today, and they didn’t have to deal with malware, criminal hackers, cyberattacks and the other risks, which are an everyday reality now.
These days FTP is normally used for downloading files from public archives or for uploading webpages and media files to web servers. FTP can be set up so that users have to supply a username and password or in anonymous configuration where authentication isn’t required.
What makes FTP “not secure” is that all the data that’s uploaded and downloaded is sent in unencrypted plain text, including your username and password.
This means that FTP users are vulnerable to Man-in-The-Middle (MiTM) attacks that can steal usernames and passwords or modify files as they pass over a network.
As Cyber-Ark’s Adam Bosnian put it when speaking about the security weaknesses of FTP to Security Week “any network sniffer can hijack it”.
When people use FTP to transfer their files they’ll often use an FTP client like FileZilla but all modern web browsers support FTP too and aside from the ftp:// in the address bar you probably wouldn’t notice.
As Mike West wrote, 0.0026% of top-level navigations in August recorded by Chrome developers are FTP addresses, so very few Chrome users will notice the new “not secure” label.
West also recommended that developers follow the example set by The Linux Kernel Archives to migrate public-facing downloads from FTP to the much more secure HTTPS.
As a response to West’s post, Chrome developer Chris Palmer added:
Because FTP usage is so low, we’ve thrown around the idea of removing FTP support entirely over the years. In addition to not being a secure transport, it’s also additional attack surface, and it currently runs in the browser process.
There are other solutions for transferring files, not least a version of FTP which uses encryption to keep your data safe, called SFTP (Secure FTP.) The AS2 (Applicability Statement 2) and MFT (managed file transfer) protocols can also serve as secure FTP alternatives, as can tools like scp and rsync.
Frankly, I’d like to see FTP phased out entirely, for all possible implementations. Computer networks would be more secure and could function better if FTP went the way of other ill conceived 1970s inventions like pet rocks and vinyl topped cars.
delayedthoughtengineering
I have worked with FTP protocol in a professional setting in the past, and I agree with this assessment. At best, FTP uses security through obscurity by selecting random ports to transfer data… After your username and password have already been openly tossed out into the open through the FTP control ports. The worse thing about that is that any firewall between the two parties has to open a wide pool of ports for FTP use. That’s a huge gash in a security system to allow malware to spill through. I hope they’ll keep SFTP (SSH FTP, not the insecure SFTP variety) and FTPS as “acceptable” protocols. At least those protocols -try- to be a little more secure. FTP over SSH is probably best, because it only uses the one, established SSH port.
Bryan
I also agree with this–in fact surprised it hasn’t been done sooner.
I just wish they’d swap the deadlines between maligning FTP and HTTP[no S]…some of us have a lot of sites (without any forms or payment pages) to upgrade. :-/
Head of Better (@tattooed_mummy)
Yes – i still run a blog on HTTP but as it has no shop and no downloads I haven’t looked at changing it yet – that and the fact the Google Blogger make it difficult to use a vanity url with HTTPS
Laurence Marks
I don’t see the concern about anonymous FTP. There are no passwords. You’re asked to enter your email address as a courtesy, but it’s not mandatory. There are some applications and sites which will simply shut down, rather than go through the hassle of certificates.,
Paul Ducklin
It’s not just the passwords, it’s the lack of integrity control over what you upload or download. For that reason, even HTTP is no longer suitable, and HTTPS should be used instead. And if we’re getting strict about HTTPS (as indeed we ought to) then it seems silly to ignore FTP.
As far as I can see, Chrome won’t stop you using FTP. It will just bug you about the risk of doing so. So sites that can’t be bothered to change will still be able to exist, just not in a security vacuum any more…
Head of Better (@tattooed_mummy)
pft! FTP is 7 years younger than I am!
Good article, very informative.
Bryan
Then sorry HoB… you also are no longer permitted as an unencrypted Internet protocol.
:,)
Matt
Which is why we have SFTP and FTP/S. Nothing to see here, just another group of people trying to appear cutting edge by stating what has been obvious for so long that people have stopped talking about it.
Nobody_Holme
I still love my pet rock, how rude!
Jamie Caloway
I need help. I transcribe at home and I use an ftp server to upload and download work. Chrome will tell me the ftp is not secure and most of the time I am unable to login to get the work or upload it when I am done. Please tell me what to do?
This creates problems for me when trying to meet a deadline. I have listed below the ftp server i need to access. Other users of the ftp do not have this problem.
Paul Ducklin
Well, Chrome is right (albeit annoying). FTP *is* insecure. Presumably at least some of what you transcribe is confidential, or at least non-public, so I assume that the customers of the company you work for would greatly prefer the company to use secure FTP or HTTPS instead…
It’s probably a difficult question to ask, but why not try suggesting to the company that it upgrade?
In the meantime you might have to switch browsers to one that is less strict.
Mark Stockley
As Duck says, if you can, talk to the company about upgrading.They should probably be looking into whether or not this process will fall foul of GDPR regulations.
If upgrading to SFTP is too much work for them then they might find switching to a cloud-based file storage like Google Drive, Box or Dropbox is an easier way to fix their data loss and compliance risks.