The writing has been on the wall for FTP for years now and while it’ll continue to serve an important role for the web behind the scenes, a browser isn’t the best way to interact with the protocol. Debian will give it the punt in a couple of months and now Google will soon flag FTP sites as “not secure”.
Mike West, part of Google’s security team, recently posted the following update to Chromium’s Security-dev group:
As part of our ongoing effort to accurately communicate the transport security status of a given page, we’re planning to label resources delivered over the FTP protocol as “Not secure”, beginning in Chrome 63 (sometime around December, 2017).
We didn’t include FTP in our original plan, but unfortunately its security properties are actually marginally worse than HTTP (delivered in plaintext without the potential of an HSTS-like upgrade).
The message goes on to say that last month, FTP made up a mere 0.0026 per cent of "top-level navigations over the last month". Not breaking any records there.
The change in real terms shouldn't affect the majority, while making those who do stumble onto an FTP site in Chrome more aware of the security risks.
PSA: 'ftp://' resources will be marked "Not Secure" [Google Groups, via The Register]