PSA: `ftp://` resources will be marked "Not Secure"


Mike West

Sep 14, 2017, 4:19:31 AM
to security-dev, Emily Stark, Emily Schechter
BCCing blink-dev@ for visibility.

Hello, security-dev!

As part of our ongoing effort to accurately communicate the transport security status of a given page, we're planning to label resources delivered over the FTP protocol as "Not secure", beginning in Chrome 63 (sometime around December, 2017).

We didn't include FTP in our original plan, but unfortunately its security properties are actually marginally worse than HTTP (delivered in plaintext without the potential of an HSTS-like upgrade). Given that FTP's usage is hovering around 0.0026% of top-level navigations over the last month, and the real risk to users presented by non-secure transport, labeling it as such seems appropriate.

We'd encourage developers to follow the example of the Linux kernel archives by migrating public-facing downloads (especially executables!) from FTP to HTTPS.

Thanks!

-mike
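As an added illustration of the migration advice above (example code written here, not Chrome's code or the list author's), the following audits a page's links, classifies each URL's transport status the way the announcement describes, and puts FTP-delivered executables at the top of the list. The extension list and sample HTML are constructed assumptions.

```python
"""Audit a page's links for resources still delivered over FTP, which Chrome 63
will label "Not secure". Example code, not part of the original announcement."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed set of extensions a downloads page commonly serves (constructed).
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".dmg", ".pkg", ".deb", ".rpm", ".sh", ".run")


def transport_status(url):
    """Classify a URL's transport security following the announcement's logic."""
    scheme = urlsplit(url).scheme.lower()
    if scheme == "https":
        return "secure"
    if scheme == "http":
        return "not secure (plaintext; HSTS upgrade possible)"
    if scheme == "ftp":
        return "not secure (plaintext; no HSTS-like upgrade)"
    return "other"  # relative links, mailto:, etc. are out of scope here


class LinkCollector(HTMLParser):
    """Collects every href/src attribute value from the parsed HTML."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.urls.append(value)


def audit_ftp_links(html):
    """Return (url, status, is_executable) for each non-HTTPS link, FTP first."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for url in collector.urls:
        status = transport_status(url)
        if status in ("secure", "other"):
            continue
        path = urlsplit(url).path.lower()
        findings.append((url, status, path.endswith(EXECUTABLE_SUFFIXES)))
    # Executables over FTP are the migration priority the announcement names.
    findings.sort(key=lambda f: (not f[0].lower().startswith("ftp:"), not f[2]))
    return findings


# Constructed sample downloads page used for a local run.
SAMPLE_HTML = """<a href="ftp://mirror.example/pub/tool-1.0.exe">Download</a>
<a href="http://mirror.example/notes.txt">Notes</a>
<a href="https://mirror.example/tool-1.0.tar.gz">Tarball</a>
<a href="ftp://mirror.example/pub/README">README</a>
<img src="/logo.png">"""
```

Running `audit_ftp_links(SAMPLE_HTML)` lists the FTP executable first, then the FTP README, then the plain-HTTP text file; HTTPS and relative links are skipped.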

Matthew Menke

Sep 14, 2017, 1:51:26 PM
to blink-dev, securi...@chromium.org, est...@chromium.org, emilysc...@chromium.org
Is there any security badging for FTP downloads, as opposed to FTP directory listings or rendered resources?

Matthew Menke

Sep 14, 2017, 1:51:46 PM
to blink-dev, securi...@chromium.org, est...@chromium.org, emilysc...@chromium.org
Sorry, that should be "is there any planned security badging"?