11-27-2018 , 11:18 PM
Quote: In a recent conversation between Chrome developers, the intent was to change Chrome so that it would no longer render images or other file types located on an ftp:// URL directly in Chrome. Instead, if you open an ftp:// URL, Chrome will download the file rather than opening it in the browser. For FTP directory indexes, though, Chrome will continue to display them.
"Rather than rendering resources requested via FTP, we should download them," stated the conversation. "We should continue to render directory listings, but we will not render anything else. That is, ftp://ftp.hp.com/ will render the same, exciting directory listing you see today; while ftp://ftp.hp.com/pub/test2/test2 will result in a `test2` file being downloaded.
FTP is a non-securable, legacy protocol. We've WONTFIXed FTP support on iOS, but its usage in Blink-based Chrome is high-enough that it seems difficult to remove all at once. This seems like a reasonable way of reducing its viability as an attack surface as a stepping stone to more complete removal."
Based on bug tickets and discussions read by BleepingComputer, Google developers have advocated for the removal of FTP support in Chrome for over 4 years due to its little usage and because it adds an additional attack surface that Chrome cannot properly secure compared to offering the same files over an HTTPS connection.