A MITM attack occurs when an eavesdropper inserts herself between two people trying to communicate securely. e.g. Alice and Bob may think they're talking to each other over an encrypted link, but they're both talking to Eve. Eve's just taking everything Alice sends, decoding it, copying it, re-encoding it, and sending it on to Bob. A MITM attack is not necessarily the result of bad encryption, but of a failure in authentication. Eve's ability to fool Alice into thinking she is actually Bob is key.
An unencrypted connection (such as plain old FTP) is effectively a broadcast. No attack, MITM or otherwise, is required. Eve just has to listen.
I'm sure the majority of people that still use FTP aren't relying on a browser for access but people still use it. Why not just deprecate standard FTP and only support FTPS and SFTP?
Because that'd amount to the same result as removing FTP. The "installed base" of web-accessible FTPS and SFTP resources is essentially zero, and that's unlikely to change -- if a web site was previously using FTP, they're probably going to move those resources to HTTP/S, not to another protocol which has limited browser support.
> The "installed base" of web-accessible FTPS and SFTP resources is essentially zero
Well that's true of SFTP, browsers don't support that protocol but I think they should. But FTP is still ubiquitous on the internet and most browsers like FF already support FTPS. To me it would make more sense to deprecate FTP like HTTP and warn users when their logging in over an insecure protocol than just kill the feature all together, especially if one of the primary reasons is because "Google did it". FTPS uses the same URI as FTP (ftp://). FTPS is common now, most people don't even realize they're using it. There are those of us that still need to deal with FTP and being able to click on a link in the browser rather than use a separate FTP client is just convenient. Just make it an optional feature and disable it by default.
> Well that's true of SFTP, browsers don't support that protocol but I think they should.
They should not. SSH -- which is used as the transport for SFTP -- is a rather large and complex protocol. Implementing it in browsers would significantly increase their network attack surface, while providing few (if any) new capabilities. (What does SFTP provide to the browser that isn't possible with HTTPS?)
> FTPS is common now, most people don't even realize they're using it.
Can you give an example? There are no major web browsers which currently support FTPS -- it is not present in Chrome, Mozilla, nor Internet Explorer.
An unencrypted connection (such as plain old FTP) is effectively a broadcast. No attack, MITM or otherwise, is required. Eve just has to listen.