FTP is insecure? OH NO! The sky is falling! The end is nigh! Run for your lives! Say what now?*
*delete as applicable
Google's Chrome browser will soon label file transfer protocol (FTP) services insecure. Google employee and Chrome security team member Mike West yesterday announced the plan on the Chromium.org security-dev mailing list. “As part of our ongoing effort to accurately communicate the transport security status of a given page, …
It's all good and well that insecure services are flagged as such, but can we please start to make that OPTIONAL?
For a start, FTP is still perfectly fine for downloading public files or documents or images or PDFs. As long as they're not used on a Windows platform even a MITM attack won't make much of a difference and we already know the username, it's "anonymous"* so it's not going to give away major secrets.
If, however, you have an internal resource (read: FTP based but not exposed to the big evil Internet gremlins) all this f*cking nannying seriously get in the way like a cert error gets in the way of actually finding out what is going on until you have waded through multiple menus.
I'm perfectly OK (and even welcome) a warning that something is amiss, but I would really prefer that after the warning the browser can be set in a sort of advanced mode that allows me to get on with what I want anyway.
It makes me wonder why Google is so hell-bent to make it hard to use. Maybe because they don't offer it because it's not easy to track people with it?
* In the early years of the Internet we once rigged a site to require "miscellaneous" as login, based on the principle that that ought to teach people to spell that correctly too :)
"For a start, FTP is still perfectly fine for downloading public files or documents or images or PDFs."
More generally, both FTP and HTTP are the preferred choice (over their encrypted relatives) for anything that is digitally signed, because the plain-text protocols are amenable to caching whereas the encrypted ones are not.
The actual worry of MITM in the FTP case is not getting username/passwords but modifying the files to include nasty payloads on the fly.
There are simple tools which will add your malware to EXE's on the fly as a client downloads them on the same network as you and the same can be done for PDF's with the latest exploits. It's not just nation states with this capability but the Snowden leaks opened everyone's eyes to what is possible. This probably has something to do with the decision too.
SSL stripping is less of a thing these days but still possible and I suspect FTPS is harder to harden.
There are simple tools which will add your malware to EXE's on the fly as a client downloads them on the same network as you and the same can be done for PDF's with the latest exploits
Yes, I did exclude the use of Windows in my MITM statement for that exact reason. Other platforms are somewhat harder to subvert that way.
...then SFTP should be fine.
In fact, since some of the graphical FTP clients offer it as an alternative to various flavours of FTP, HTTP, etc, its the obvious replacement. As a bonus, no extra software is needed on servers offering SSH support via the standard sshd server.
"...then SFTP should be fine."
FTP and SFTP are entirely different protocols. SFTP may be more secure than FTP, but is not secure FTP. FTPS is the "secure" version of FTP (ad carries its own risks and challenges). SFTP is a file transfer over secure shell.
Sometimes the detail makes a difference and its the use case that's important. </pedant>
FTPS is not insecure if used with a proper dedicated FTP client, especially something like Flashfxp where you can set the lowest HMAC handshakes and algorithms you will accept for the connection.
It's default state maybe less secure but for it's small share of browsing, I can see why the Chrome developers do not want to spend time adding better support to the browser.
The FXP function of FTP will always have a special place in my heart though!
The problem is that that kicks Internet interoperability in the shins.
FTP is accessible from any command line, as is SCP these days. For FTPS and SFTP you are venturing into less standardised avenues to get data. Sure, FileZilla (for instance) handles it all and is available on any platform, but if you want to script it you have to pull in all sorts of extra entertainment which means you attract maintenance and a dependency on external software.
When it comes to the Net, Keep It Simple, Stupid is not a bad maxim to abide by.
> The problem is that that kicks Internet interoperability in the shins.
> FTP is accessible from any command line
And? You're not going to tell me that you cannot type your own X.509 on the command line from memory now, can you?
Kids these days, etc., etc.
All 3 still be around at the end of civilization.
No amount of trying to kill them off seems to work.
I fail to see why an anonymous FTP site is any less secure than an unauthenticated http or https site. Its not as if the credential used to log in is any use to anyone - username anonymous, password - supposedly and e-mail address or spam@spam.com in many cases.
Obviously its very different if ftp is used for supposedly secure information due to the cleartext nature of it, but just moaning about the file transfer mechanism of something that is probably equally insecure end-to-end probably won't do much good either. In my experience, most most ftp's are system to system and they will look at response messages and nobody will look at it whilst its still working. The second group are managers - who will by definition never log into an ftp server to see the "problem" either.
This will achieve nothing.
If you don't own that address at spam.com, don't use it. It doesn't belong to you. Instead, use spam@example.com (,net, .org) ... we invented the example.com domain for a reason. Technically, spam@127.0.0.1 (root@, etc.) is both correct, and truthful, but most servers incorrectly reject dotted quad email addresses these days.
If you don't own that address at spam.com, don't use it. It doesn't belong to you.
Really, @jake? You really think that people here need reminding that it's an example? So, if I use president@whitehouse.gov I will risk black helicopters landing now?
Go work for the government. You evidently have a degree in nannying.
You honestly think that using somebody else's email address, and advocating other folks also use that address, when filling out random online forms is OK? Really? If you're all that certain that it's a good idea, why not post your own email address so we can all use it?
What do you mean, you're not going to do that? Hypocrite.
(Same offer & resulting epithet for my "thumbs down" and your "thumbs up" (but otherwise silently and cowardly anonymous) voters.)
You honestly think that using somebody else's email address, and advocating other folks also use that address, when filling out random online forms is OK?
Yes. "spam@uce.gov" is a spectacularly useful email address to use if you don't trust the online entity attempting to extract data from you :)
a) If I cared about security, it's unlikely I'd be using Chrome.
b) If I want to ftp, with whatever security implications that might have, my first thought is to use command-line ftp or wget, not a browser that takes 10 times longer to get started and then requires me to click-and-drool.