back to article Chrome to label FTP sites insecure

Google's Chrome browser will soon label file transfer protocol (FTP) services insecure. Google employee and Chrome security team member Mike West yesterday announced the plan on the Chromium.org security-dev mailing list. “As part of our ongoing effort to accurately communicate the transport security status of a given page, …

  1. Haku

    FTP is insecure? OH NO! The sky is falling! The end is nigh! Run for your lives! Say what now?*

    *delete as applicable

  2. jake Silver badge

    ::shrugs:: A great sage once opined "Tools is tools".

    Use the appropriate tool for the job, always mindful that the safety of the tool lies in the hands of the wielder.

  3. sitta_europea Silver badge

    The trouble with this labelling stuff as insecure thing is that it will tend to make sheeple think that the things that are not marked as insecure are -- well -- secure.

    Which, obviously, is bollocks.

    1. tiggity Silver badge

      How about

      An insecure warning for all sites that use JavaScript?

      A lot more risk of attempted virus / trojan installs from "rogue" JS on sites not labelled as "insecure" than from FTP site that Google flags insecure

    2. Anonymous Coward
      Anonymous Coward

      things that are not marked as insecure are -- well -- secure.

      See also: War on Drugs ...

  4. Anonymous Coward
    Anonymous Coward

    FFS, stop the nannying

    It's all good and well that insecure services are flagged as such, but can we please start to make that OPTIONAL?

    For a start, FTP is still perfectly fine for downloading public files or documents or images or PDFs. As long as they're not used on a Windows platform even a MITM attack won't make much of a difference and we already know the username, it's "anonymous"* so it's not going to give away major secrets.

    If, however, you have an internal resource (read: FTP based but not exposed to the big evil Internet gremlins) all this f*cking nannying seriously get in the way like a cert error gets in the way of actually finding out what is going on until you have waded through multiple menus.

    I'm perfectly OK (and even welcome) a warning that something is amiss, but I would really prefer that after the warning the browser can be set in a sort of advanced mode that allows me to get on with what I want anyway.

    It makes me wonder why Google is so hell-bent to make it hard to use. Maybe because they don't offer it because it's not easy to track people with it?

    * In the early years of the Internet we once rigged a site to require "miscellaneous" as login, based on the principle that that ought to teach people to spell that correctly too :)

    1. Haku

      Re: FFS, stop the nannying

      I'd like it if instead of all the nannying, every time you open up a browser a little popup window says:

      Welcome to the internet.

      Here be dragons.

      1. Cynical Observer
        Alert

        Re: FFS, stop the nannying

        Here be Dragons

        First seen courtesy of Firefox - and better than the relatively boring tongue in cheek US locale message "This might void your warranty"

    2. DontFeedTheTrolls
      Thumb Up

      Re: FFS, stop the nannying

      Have an upvote just for the "miscellaneous"

    3. Steve the Cynic

      Re: FFS, stop the nannying

      > we already know the username, it's "anonymous"*

      Just to be difficult, and because it's easier to type, I usually use "ftp". I have yet to find an FTP server that didn't treat it as a synonym of "anonymous".

      1. Anonymous Coward
        Anonymous Coward

        Re: FFS, stop the nannying

        > Just to be difficult, and because it's easier to type, I usually use "ftp".

        Don't forget to send your email address as the password.

        (One remembers when HTTP requests had a "Mail:" header with one's email address in it)

    4. Ken Hagan Gold badge

      Re: FFS, stop the nannying

      "For a start, FTP is still perfectly fine for downloading public files or documents or images or PDFs."

      More generally, both FTP and HTTP are the preferred choice (over their encrypted relatives) for anything that is digitally signed, because the plain-text protocols are amenable to caching whereas the encrypted ones are not.

    5. NonSSL-Login

      Re: FFS, stop the nannying

      The actual worry of MITM in the FTP case is not getting username/passwords but modifying the files to include nasty payloads on the fly.

      There are simple tools which will add your malware to EXE's on the fly as a client downloads them on the same network as you and the same can be done for PDF's with the latest exploits. It's not just nation states with this capability but the Snowden leaks opened everyone's eyes to what is possible. This probably has something to do with the decision too.

      SSL stripping is less of a thing these days but still possible and I suspect FTPS is harder to harden.

      1. Anonymous Coward
        Anonymous Coward

        Re: FFS, stop the nannying

        > There are simple tools which will add your malware to EXE's on the fly as a client downloads them on the same network

        The bastards! How did they get hold of my malware?

      2. Anonymous Coward
        Anonymous Coward

        Re: FFS, stop the nannying

        There are simple tools which will add your malware to EXE's on the fly as a client downloads them on the same network as you and the same can be done for PDF's with the latest exploits

        Yes, I did exclude the use of Windows in my MITM statement for that exact reason. Other platforms are somewhat harder to subvert that way.

  5. EnviableOne Silver badge

    if FTP is insecure

    So should we be using SFTP FTPS? or SCP or even HTTPS get

    *let debate ensue

    1. Martin Gregorie Silver badge

      Re: if FTP is insecure

      ...then SFTP should be fine.

      In fact, since some of the graphical FTP clients offer it as an alternative to various flavours of FTP, HTTP, etc, its the obvious replacement. As a bonus, no extra software is needed on servers offering SSH support via the standard sshd server.

      1. DontFeedTheTrolls
        Headmaster

        Re: if FTP is insecure

        "...then SFTP should be fine."

        FTP and SFTP are entirely different protocols. SFTP may be more secure than FTP, but is not secure FTP. FTPS is the "secure" version of FTP (ad carries its own risks and challenges). SFTP is a file transfer over secure shell.

        Sometimes the detail makes a difference and its the use case that's important. </pedant>

  6. NonSSL-Login
    Pirate

    FTP can use certificates too

    FTPS is not insecure if used with a proper dedicated FTP client, especially something like Flashfxp where you can set the lowest HMAC handshakes and algorithms you will accept for the connection.

    It's default state maybe less secure but for it's small share of browsing, I can see why the Chrome developers do not want to spend time adding better support to the browser.

    The FXP function of FTP will always have a special place in my heart though!

    1. Anonymous Coward
      Anonymous Coward

      Re: FTP can use certificates too

      The problem is that that kicks Internet interoperability in the shins.

      FTP is accessible from any command line, as is SCP these days. For FTPS and SFTP you are venturing into less standardised avenues to get data. Sure, FileZilla (for instance) handles it all and is available on any platform, but if you want to script it you have to pull in all sorts of extra entertainment which means you attract maintenance and a dependency on external software.

      When it comes to the Net, Keep It Simple, Stupid is not a bad maxim to abide by.

      1. Anonymous Coward
        Anonymous Coward

        Re: FTP can use certificates too

        > The problem is that that kicks Internet interoperability in the shins.

        > FTP is accessible from any command line

        And? You're not going to tell me that you cannot type your own X.509 on the command line from memory now, can you?

        Kids these days, etc., etc.

        1. Anonymous Coward
          Anonymous Coward

          Re: FTP can use certificates too

          Oh, in my DOS days I used to write software by COPY CON PROGRAM.COM, but I'm getting old.

          Thanks for the reminder :)

        2. arctic_haze

          X.509

          Correct me if I';m wrong but it seems to me that no protocol starting with X. was ever successful on the Internet.

          1. Anonymous Coward
            Anonymous Coward

            Re: X.509

            > Correct me if I';m wrong but it seems to me that no protocol starting with X. was ever successful on the Internet.

            Successful no, popular yes.

  7. Dwarf Silver badge

    FTP, rats and cockroaches

    All 3 still be around at the end of civilization.

    No amount of trying to kill them off seems to work.

    I fail to see why an anonymous FTP site is any less secure than an unauthenticated http or https site. Its not as if the credential used to log in is any use to anyone - username anonymous, password - supposedly and e-mail address or spam@spam.com in many cases.

    Obviously its very different if ftp is used for supposedly secure information due to the cleartext nature of it, but just moaning about the file transfer mechanism of something that is probably equally insecure end-to-end probably won't do much good either. In my experience, most most ftp's are system to system and they will look at response messages and nobody will look at it whilst its still working. The second group are managers - who will by definition never log into an ftp server to see the "problem" either.

    This will achieve nothing.

    1. jake Silver badge

      Re: FTP, rats and cockroaches

      If you don't own that address at spam.com, don't use it. It doesn't belong to you. Instead, use spam@example.com (,net, .org) ... we invented the example.com domain for a reason. Technically, spam@127.0.0.1 (root@, etc.) is both correct, and truthful, but most servers incorrectly reject dotted quad email addresses these days.

      1. Anonymous Coward
        Anonymous Coward

        Re: FTP, rats and cockroaches

        If you don't own that address at spam.com, don't use it. It doesn't belong to you.

        Really, @jake? You really think that people here need reminding that it's an example? So, if I use president@whitehouse.gov I will risk black helicopters landing now?

        Go work for the government. You evidently have a degree in nannying.

        1. jake Silver badge

          Re: FTP, rats and cockroaches

          You honestly think that using somebody else's email address, and advocating other folks also use that address, when filling out random online forms is OK? Really? If you're all that certain that it's a good idea, why not post your own email address so we can all use it?

          What do you mean, you're not going to do that? Hypocrite.

          (Same offer & resulting epithet for my "thumbs down" and your "thumbs up" (but otherwise silently and cowardly anonymous) voters.)

          1. Anonymous Coward
            Anonymous Coward

            Re: FTP, rats and cockroaches

            You honestly think that using somebody else's email address, and advocating other folks also use that address, when filling out random online forms is OK?

            Yes. "spam@uce.gov" is a spectacularly useful email address to use if you don't trust the online entity attempting to extract data from you :)

  8. bobajob12
    Trollface

    Phew!

    For a moment I thought they were going to prise TFTP from my cold, dead hands.

  9. Adrian 4 Silver badge
    Facepalm

    Who cares ?

    a) If I cared about security, it's unlikely I'd be using Chrome.

    b) If I want to ftp, with whatever security implications that might have, my first thought is to use command-line ftp or wget, not a browser that takes 10 times longer to get started and then requires me to click-and-drool.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022