Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Firefox Mozilla

Mozilla Stops FTP Support in Firefox 90 (mozilla.org) 158

A post on Mozilla's security blog calls FTP "by now one of the oldest protocols still in use" — and it's suffering from "a number of serious security issues." The biggest security risk is that FTP transfers data in cleartext, allowing attackers to steal, spoof and even modify the data transmitted. To date, many malware distribution campaigns launch their attacks by compromising FTP servers and downloading malware on an end user's device using the FTP protocol.

Aligning with our intent to deprecate non-secure HTTP and increase the percentage of secure connections, we, as well as other major web browsers, decided to discontinue support of the FTP protocol. Removing FTP brings us closer to a fully-secure web which is on a path to becoming HTTPS only and any modern automated upgrading mechanisms such as HSTS or also Firefox's HTTPS-Only Mode, which automatically upgrade any connection to become secure and encrypted do not apply to FTP.

The FTP protocol itself has been disabled by default since version 88 and now the time has come to end an era and discontinue the support for this outdated and insecure protocol — Firefox 90 will no longer support the FTP protocol.

This discussion has been archived. No new comments can be posted.

Mozilla Stops FTP Support in Firefox 90

Comments Filter:
  • removing (Score:3, Insightful)

    by jmccue ( 834797 ) on Saturday July 24, 2021 @01:42PM (#61616241) Homepage

    Removing useful features because some Operating Systems cannot handle security.

    Many fun static web pages will be lost because of this.

    • Many fun static web pages will be lost because of this.

      And more will die when they remove unencrypted http.

      • Re: (Score:2, Interesting)

        by mysidia ( 191772 )

        The end of Encrypted HTTP is the end of the open web. You will no longer be able to publish a web page without buying an expensive SSL certificate for your website, which will eventually restrict having your own website to sizable businesses; forcing everyone else to just have a profile page on Facebook for their personal blog or website.

        Currently... websites can get a free one from LetsEncrypt, but there is singularly 1 CA with that property, and the certs are only good for a short time - I imagine tha

        • Ok but here is 2023 headline.
          "Letsencrypt used to encrypt connections from right wing extremists"

          Followed by 100 "+5 Insightful" posts saying Why This Is Good Actually, once https is locked down to correct opinions and http is banned by all common browsers.

        • by imidan ( 559239 )
          It's too bad self-signed certs are such a pain to use. If I run a web site, shouldn't I be able to self-sign an SSL cert and browsers would accept it? Why is a cert signed by some big business better? It's not like they check up on the content I'm serving... I just pay them a bunch of money and they give me a cert. If my users trust my site well enough to enter their personal information into it, shouldn't my cert be trustable as well?
    • Re:removing (Score:5, Insightful)

      by Known Nutter ( 988758 ) on Saturday July 24, 2021 @02:20PM (#61616373)

      Many fun static web pages will be lost because of this.

      Can you point to one?

      • I like how a ton of nerds are losing their shit over a feature that they haven't actually used in years.

        • I think most nerds sit squarely between "well, it's about time" and "it should never have been added to the browser in the first place."
    • Unencrypted static pages are subject to injection attacks .. that can be used to inject a browser exploit or redirect.

    • by dryeo ( 100693 )

      Mozilla doesn't want anything to do with SeaMonkey, which, is stuck mostly on Gecko 56 with about 9000 backports with a branch on Gecko 60 IIRC, which seems about as far as the developers want to go in that direction.
      Mozilla has really jumped the shark in the last few years. The problem is all the web sites that expect the latest or latest-1 versions of the main browsers, which does not include SM.

  • by innocent_white_lamb ( 151825 ) on Saturday July 24, 2021 @01:43PM (#61616245)

    In movie theatres, the primary way to transfer digital movies (DCP's) from one auditorium/projector setup to another or from a library server to a venue is FTP. That's how the firmware works with every brand of cinema server.

    I'm sure other industries do something similar to get data from here to there in their plants and factories. Need a file from server X? You can probably download it with FTP.

    Note that almost none of this is stuff that goes over the internet at large. It's just data transfers from one side of the building to another, or from the top gadget in the rack to the one at the bottom.

    • Its not like FTP itself is going away.

    • by geekmux ( 1040042 ) on Saturday July 24, 2021 @02:16PM (#61616363)

      Note that almost none of this is stuff that goes over the internet at large. It's just data transfers from one side of the building to another, or from the top gadget in the rack to the one at the bottom.

      In that case, why are we concerned that a web browser is depreciating the protocol, when dozens of other programs more tuned for file transfers, will continue to support this?

      And if you were downloading files from servers via FTP today, then there's a good chance you can do it with SFTP, HTTPS, or SSH tomorrow.

      You're right. FTP is far from dead. That doesn't mean it shouldn't be.

      • by Known Nutter ( 988758 ) on Saturday July 24, 2021 @03:46PM (#61616643)

        depreciating the protocol

        depreciate: to lower the price or estimated value of. "the pound is expected to depreciate against the dollar"

        deprecate: [3] to withdraw official support for or discourage the use of (something, such as a software product) in favor of a newer or better alternative. the Google Drive app for PC and Mac is officially being deprecated and the company's developers announced in a blog post that it will no longer be supported starting December 11.

    • Maybe it's time to upgrade? Or else, when someone gets on your network and injects pr0n into the movie stream you'll have only yourself to blame. Besides, you can't hold the world back because of edge scenarios that have workarounds.

    • by thegarbz ( 1787294 ) on Saturday July 24, 2021 @03:27PM (#61616587)

      SMTP is a great way of sending email that keeps the world running, that doesn't mean the protocol should be supported in a browser.

      There are countless FTP clients out there, and 100% of them including the shitty default ftp.exe which shipped with windows does a better job of it than browsers ever did.

      What next, you expect an embedded bittorrent client in the browser to handle the magnet: URI?

      • by dryeo ( 100693 )

        My browser supports SMTP, POP3, IMAP, NNTP as well as the usual HTTP, HTTPS and FTP. I believe there is an extension out there for bittorrent, yep, https://addons.thunderbird.net... [thunderbird.net]

        • So what you're saying is that these should be optional extensions and removed from the browser? I fully agree with you.

          • by dryeo ( 100693 )

            No, I'm saying that I chose a browser that includes stuff I use. Since I don't use bittorrent, it doesn't matter. I just referenced it as you brought it up as a possibility.
            As for having this stuff as extensions, that would be fine if Firefox etc allowed it. Note that the bittorrent extension I referenced only works with Firefox 56 and previous due to changes Mozilla made, to quote,

            Unfortunately, WebExtensions (the new API for Firefox 57+) does not have the functionality for the correct operation of this ad

        • by gmack ( 197796 )

          I can't imagine wanting bittorrent as an extension. Just yesterday I used a magnet link in Firefox 90. It loaded transmission perfectly and I downloaded what I needed.

    • You would think that movie theaters would be using SFTP and not FTP to transfer their files to movie theaters. Sending them unencrypted almost seems like putting out a welcome mat for pirates with packet capture software.

      • The performance of SFTP is horrible when compared with FTP. So much faster to encrypt the data offline and send it using FTP than to use SFTP.
      • by innocent_white_lamb ( 151825 ) on Saturday July 24, 2021 @11:26PM (#61617629)

        Most movies are encrypted.

        Wikipedia has a pretty good description of how it's done:
        QUOTE:
        The distributor can choose to encrypt the media (MXF) files with AES encryption to stop unauthorised access. The symmetric AES keys used to encrypt the content essence must be carefully protected, so they are never distributed directly. Instead the AES keys are themselves encrypted using asymmetric 2048 bit RSA. Each playback system has its own unique public/private key pair. The private key is never shared and is buried in the playback systems within secure hardware meeting FIPS-140 security standards. The matching public key is shared with the distributor, who can then create Key Delivery Messages (KDMs) which control access to the encrypted content for each playback system. KDMs are XML files containing the RSA encrypted AES keys that can be decrypted only by the private key within the destination device. A KDM is associated to the particular compositions (CPLs) which may include multiple encrypted picture, sound and subtitle assets, and each playback system requires a uniquely generated KDM. KDMs also provide the ability to define date/time windows within which the KDM is valid. Playback systems will not allow playback outside of this validity window, allowing distributors to ensure that content cannot be unlocked prior to release date and to enforce the rental agreement period agreed with the exhibitor.
        END OF QUOTE

        You can steal a CRU drive right out of my projection room (or off the courier's truck) and it won't do you any good at all since you need a key to play it and they keys are unique to each movie and unique to each cinema server.

    • This is true. There are a lot of embedded controllers which need networked communication but are not able to run drivers that get updated or do encrypted protocols like https. Most of them are safe because they are isolated from the greater internet but you do need to be able to hook a computer up to them directly to do comms to do configuration and collect data. If PC's and general purpose apps drop these protocols then it will be a giant PITA to deal with these things that were actually very convenient
  • So, losing FTP from the browser is no biggie. S

    If there is demand to have FTP in the browser itself, sooner rather than latter there will be an FTP PPAPI plugin for all browsers.

    In the meantime, this reduces attack surface and complexity in the browser by removing all that old code that supported FTP.

    Having said that, one can only hope they re/moved more junk from the browser to extensions and Plug-ins (even if those extensions and plug-ins ship pre-installed in the browser), like that dreaded pocket stuff.

  • Warning people? Yes. But removing things that have valid applications and are in use? Stupid.

    • Don't beg the question. FTP is far from "in use". I bet you didn't even notice that Mozilla disabled FTP several releases back. If you want to use the FTP protocol then at least give it enough respect to use a client which actually supports it properly. The browser implementation is not only half baked, but leaves out most of the ingredients as well.

  • To date, many malware distribution campaigns launch their attacks by compromising FTP servers and downloading malware on an end user's device using the FTP protocol.

    OK, but you can just as easily compromise an HTTP server. The protocol is not the weak point here.

    • Are you suggesting it's good security practice to leave depreciated unused code rotting in your codebase?

      FTP is practically unused. FTP was never implemented properly in a browsers. Why should the client be in the browser? I mean we come across magnet:// links online more than ftp:// [ftp] so maybe Firefox should include a fully featured bittorrent client instead. Or how about all those mailto: URIs Really why doesn't Firefox include an internal email client?

  • by xack ( 5304745 ) on Saturday July 24, 2021 @02:18PM (#61616371)
    Before Windows 95 came with a built in a browser you needed to download a browser over ftp or hope someone gave you a floppy with on on it.
    • by backslashdot ( 95548 ) on Saturday July 24, 2021 @02:28PM (#61616397)

      So? My great-grandpa moved to town in a horse drawn carriage. Does it mean I should have a horse shitting in my garage?

      • Yes, because as everybody knows, natural is better, and the shit is more natural than the chemicals in the rubber and steel.

      • by dryeo ( 100693 )

        You should have the choice, or are you saying no one should be able to have a horse since you don't have a use for one.

    • Before Windows 95 came with a built in a browser you needed to download a browser over ftp or hope someone gave you a floppy with on on it.

      If you were still using an OS prior to Windows 95 you'd have a very valid criticism. Right now I'm just wondering how bored you must have been to make that post. Note: I actively enjoy arguing with people online so consider this post here comparatively very worthwhile.

    • by dryeo ( 100693 )

      I just booted to OS/2, which came with a browser, called WebExplorer, mostly implemented as a DLL so other programs could use it to display HTML in 1994.

  • Firefox: "Hey guys, we did something, even if it's for the worse... Make it a news item to let the world know we're still doing stuff."

    Also, "full secured HTTPS internet", middlemanned by companies like Cloudflare and Akamai. Who are they trying to fool?

  • It may be dead on the web, but in various internal scenarios in enterprises and factories it is far from dead. Why the fuck would they remove it, they know it is in use, it is disabled by default so only those that actually need it would be turning it on anyway.
    • If you have a scenario for using ftp then you should not be using a browser. The implementation was always half baked and didn't support much of the protocol in the first place. Enterprises and factories will be just fine, heck they may even benefit from this as the ftp:// [ftp] URI will have to be handed over to something, and even the damn windows explorer does a better job of this than any browser ever did.

      But if you truly care and truly use it, then fire you IT staff and hire some that actually understand cli

  • ...issues? Why don't they start with _real_ security issues like Javascript?

    • ...issues? Why don't they start with _real_ security issues like Javascript?

      I'm willing to bet you more people use javascript than FTP. I'm also willing to bet people who use want to use FTP actually have an FTP client (or 4 installed on their machine). It's 4 for me because I use Filezilla, but then I also have the console ftp.exe, windows explorer which supports ftp, and a windows explorer replacement which also supports ftp. The last thing I need is some stupid half baked implementation in the browser.

      • I'm willing to bet you more people use javascript than FTP

        That just makes it an even bigger problem, jackass! Meanwhile you think you can pretend that ftp is the big bad monster thats going to eat your fucking future "one and only love" just so that you die a sad lonely death....

        Do you even listen to yourself? You just tried to pretend that something far more insecure than ftp isnt a problem, because its so much more popular ... FOR FUCK SAKES

        • That just makes it an even bigger problem, jackass!

          What's with the name calling? If you want to get aggressive simply because someone points out your position is stupid then go see a psychiatrist. Cars are dangerous, your solution is to ban all cars ignoring the economic benefit they bring to the world.

          To be clear I'm not calling you stupid. Just what you're saying is completely devoid of any rational thought and I highly recommend seeking professional help.

          Do you even listen to yourself?

          Yes, I suggest you listen to me too. Then I suggest you re-read TFS realise we're not having an overa

  • Just use FileZilla.
  • by Vidar Leathershod ( 41663 ) on Sunday July 25, 2021 @10:19AM (#61618543)

    A bunch of goofy nonsense. The percentage of people using ftp with login is paltry, and of those anything critical is probably unavailable in that fashion. However, huge tech concerns still link firmware, drivers, etc, using FTP, from their websites. Just the other day, I noticed that HP was delivering a file to me via FTP, when I requested a printer driver from their main support site. Anonymous FTP for software/file distribution is the use case for 99.9% of people’s use of FTP. They do it from the browser, and wouldn’t have a clue as to how to install an FTP client, not would having a dedicated client benefit them.

    These geniuses at Mozilla are going to create support issues where they don’t currently exist, and cause time, effort, and money to be spent where it yields no benefit. It’s like the removal of Gopher was a trial run. That wasn’t hurting anyone, either. I feel like I’m watching a group of engineers from the NYS Department of Transportation. They’re solving problems that don’t exist, creating problems that didn’t exist, and patting themselves on the back while doing it.

  • In other news, Mozilla has stopped support for computers, citing the increased security risks of using computers.

  • by Malays2 bowman ( 6656916 ) on Sunday July 25, 2021 @01:27PM (#61619059)

    I stopped using it because the company behind it decided that it knew better than me and removed features that I found myself needing, even when I rarely used them.

    Of course, everyone will go "MEE TOO!" and do the same.

      We will end up with a split browser market, one for the forever infantile users, and the other for people who know that a CD-ROM tray is not the cup holder.

Ocean: A body of water occupying about two-thirds of a world made for man -- who has no gills. -- Ambrose Bierce

Working...