FTP Resources Will Be Marked Not Secure in Chrome Starting Later This Year

Google engineer Mike West writes: As part of our ongoing effort to accurately communicate the transport security status of a given page, we're planning to label resources delivered over the FTP protocol as "Not secure", beginning in Chrome 63 (sometime around December, 2017). We didn't include FTP in our original plan, but unfortunately its security properties are actually marginally worse than HTTP (delivered in plaintext without the potential of an HSTS-like upgrade). Given that FTP's usage is hovering around 0.0026% of top-level navigations over the last month, and the real risk to users presented by non-secure transport, labeling it as such seems appropriate. We'd encourage developers to follow the example of the linux kernel archives by migrating public-facing downloads (especially executables!) from FTP to HTTPS.

So how about FTPS

[guruevi]

FTP can be done using TLS and there is also SSH-FTP. FTPS is no more or less secure than HTTPS.

Have you ever downloaded large files over HTTP? It's not built for it, you practically need a download manager because the browsers will just choke or won't be able to continue unfinished downloads and there are hacks that make it work but many configurations aren't set up right to continue partial downloads.

Re:As someone who has to administer firewalls...

[RightwingNutjob]

See, it's IT-monkeys like you that make for most of the trouble in technical work. Yes, FTP isn't secure by itself, but it's simple. And in many contexts I can think of, simple and unlikely to break because someone forgot to update his certificate beats encrypted but way more fragile by a mile.