mco...@gmail.com
Sep 14, 2017, 1:36:22 PM
to Security-dev, mk...@chromium.org, est...@chromium.org, emilysc...@chromium.org
Please *do* get rid of all FTP support in CHROME... that will allow the FTP-CLIENT and FTP-SERVER software that I create, to be sold more. (builtbp.com) :P
It's false to assume that FTP|FTPS is *not* used anymore. While smaller than web-traffic, it's still a staple of file transfers. Besides, is this really a fair comparison?
FTPS is a completely viable and secure protocol; while stateful and difficult to code, it's just as secure as HTTPS. Chrome *is* a web-browser, so I understand the need to only support what it's intended for.
SFTP is another story, one which browsers should never support IMHO.
On Thursday, September 14, 2017 at 10:27:16 AM UTC-7, Chris Palmer wrote:
> Because FTP usage is so low, we've thrown around the idea of removing FTP support entirely over the years. In addition to not being a secure transport, it's also additional attack surface, and it currently runs in the browser process. (Do we have any fuzzers for it?)
>
> I would much rather remove FTP support for these reasons.
>
> On Thu, Sep 14, 2017 at 1:19 AM, Mike West <mk...@chromium.org> wrote:
>
> BCCing blink-dev@ for visibility.
>
> Hello, security-dev!
>
> As part of our ongoing effort to accurately communicate the transport security status of a given page, we're planning to label resources delivered over the FTP protocol as "Not secure", beginning in Chrome 63 (sometime around December, 2017).
>
> We didn't include FTP in our original plan, but unfortunately its security properties are actually marginally worse than HTTP (delivered in plaintext without the potential of an HSTS-like upgrade). Given that FTP's usage is hovering around 0.0026% of top-level navigations over the last month, and the real risk to users presented by non-secure transport, labeling it as such seems appropriate.
>
> We'd encourage developers to follow the example of the Linux kernel archives by migrating public-facing downloads (especially executables!) from FTP to HTTPS.
>
> Thanks!
>
> -mike