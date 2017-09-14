FTP Resources Will Be Marked Not Secure in Chrome Starting Later This Year (google.com) 19
Google engineer Mike West writes: As part of our ongoing effort to accurately communicate the transport security status of a given page, we're planning to label resources delivered over the FTP protocol as "Not secure", beginning in Chrome 63 (sometime around December, 2017). We didn't include FTP in our original plan, but unfortunately its security properties are actually marginally worse than HTTP (delivered in plaintext without the potential of an HSTS-like upgrade). Given that FTP's usage is hovering around 0.0026% of top-level navigations over the last month, and the real risk to users presented by non-secure transport, labeling it as such seems appropriate. We'd encourage developers to follow the example of the linux kernel archives by migrating public-facing downloads (especially executables!) from FTP to HTTPS.
...FTP just needs to die. The two port requirement and worse still, people who don't get it still insisiting on 'active' FTP, is a pain in the backside for firewall admins (we had one vendor insist that passive mode was 'insecure' and active mode was somehow 'secure' but after some browbeating and the threat of the wire brush of enlightenment accepted they should use this new fangled "sftp" which didn't have any of the drawbacks of ftp, passive or active).
FTP's day was done over ten years ago.
or... the kind of people who use FTP are also the kind that disable telemetry.
(and... the kind that use sFTP are the kind that don't use a browser.)
FTP can be done using TLS and there is also SSH-FTP. FTPS is no more or less secure than HTTPS.
Have you ever downloaded large files over HTTP? It's not built for it, you practically need a download manager because the browsers will just choke or won't be able to continue unfinished downloads and there are hacks that make it work but many configurations aren't set up right to continue partial downloads.
I've noticed a lot of https or torrent as download options for large files.
GOPHER!
At least it's not providing a false sense of security, unlike several other protocols (those with an 's' on the end) that allow any fraudulent certificate authority to issue certificates for any domain they feel like.
