Mozilla Stops FTP Support in Firefox 90 (mozilla.org)
A post on Mozilla's security blog calls FTP "by now one of the oldest protocols still in use" — and it's suffering from "a number of serious security issues."
The biggest security risk is that FTP transfers data in cleartext, allowing attackers to steal, spoof and even modify the data transmitted. To date, many malware distribution campaigns launch their attacks by compromising FTP servers and downloading malware on an end user's device using the FTP protocol.
Aligning with our intent to deprecate non-secure HTTP and increase the percentage of secure connections, we, as well as other major web browsers, decided to discontinue support of the FTP protocol. Removing FTP brings us closer to a fully secure web, which is on a path to becoming HTTPS only, and any modern automated upgrading mechanisms such as HSTS or Firefox's HTTPS-Only Mode, which automatically upgrade any connection to become secure and encrypted, do not apply to FTP.
The FTP protocol itself has been disabled by default since version 88 and now the time has come to end an era and discontinue the support for this outdated and insecure protocol — Firefox 90 will no longer support the FTP protocol.
removing (Score:3, Insightful)
Removing useful features because some Operating Systems cannot handle security.
Many fun static web pages will be lost because of this.
Re: (Score:3)
Many fun static web pages will be lost because of this.
And more will die when they remove unencrypted http.
Re: (Score:2, Interesting)
The end of Encrypted HTTP is the end of the open web. You will no longer be able to publish a web page without buying an expensive SSL certificate for your website, which will eventually restrict having your own website to sizable businesses; forcing everyone else to just have a profile page on Facebook for their personal blog or website.
Currently... websites can get a free one from LetsEncrypt, but there is singularly 1 CA with that property, and the certs are only good for a short time - I imagine tha
Re: removing (Score:2)
Ok, but here is a 2023 headline.
"Letsencrypt used to encrypt connections from right wing extremists"
Followed by 100 "+5 Insightful" posts saying Why This Is Good Actually, once https is locked down to correct opinions and http is banned by all common browsers.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
DANE [wikipedia.org] was created to authenticate certificates without needing a third party. Unfortunately it has not gained much interest so far.
Re:removing (Score:5, Insightful)
Many fun static web pages will be lost because of this.
Can you point to one?
Re: (Score:2)
I like how a ton of nerds are losing their shit over a feature that they haven't actually used in years.
Re: (Score:2)
Re: (Score:2)
It's about the community spirit. If you only care about the features you're using, you're creating division. I should defend your liberties and you should defend mine - otherwise none of us will get any.
This is a fair point. It does have a limit though, one can't support everything.
Also, one of Firefox's main goals is to keep its (mostly nontechnical) users as safe as reasonably practical. Unencrypted transfers are increasingly more of a problem, not just for privacy but for resistance against MITM attacks.
I'm
Re: removing (Score:2)
Firefox probably lost or will soon lose all its non-technical users.
The only people who still bother using Firefox are people like us who understand that our privacy and diversity of browser engine is worth dealing with FF's numerous issues.
And grandmas whose grandchild installed them a linux with FF.
Mozilla should get its head out of the sand, acknowledge they will never be able to compete for mainstream users against Google and MS, and just focus on the users it still has and so are sensible to what Firefox
Re: (Score:2)
Unencrypted static pages are subject to injection attacks... that can be used to inject a browser exploit or redirect.
Re: (Score:3)
The dilemma is that for old systems you might only have FTP as file transfer protocol.
When you kill old protocols you might make work a lot harder for some people.
Not that FTP is a very good protocol, but it is there.
Heck - I have even used Xmodem not too long ago, and also TFTP.
Re: (Score:2)
Re: (Score:2)
I'm sure if you rely on FTP you have a dedicated program just for that and are not using Firefox for it.
At this point, FTP should be strictly for LAN use only or just not at all.
Re: removing (Score:2)
Re: (Score:2)
FTP is fine. The article's claims about FTP being a bad protocol are patently false - a huge error at best, and malicious misinformation at worst.
Of course the FTP protocol supports secure connections. There is TLS transport, and you can select secure transport of both the control connection AND the data payload.
If there is any limitation in regards to security, then it would be an issue with Mozilla's software being a poor implementation. Nothing wrong with nor obsolete about the FTP protocol itself.
F
Re: removing (Score:2)
HTTP has supported range since version 1.1. This allows for file resumption.
Re: (Score:2)
No, HTTP(S) has file upload support in the form of the PUT request and has done since at least HTTP/1.0 in 1996: https://datatracker.ietf.org/d... [ietf.org]
The reason FTP is rarely used with TLS is because of the prevalence of NAT. With unencrypted FTP, the NAT gateway can intercept the traffic and modify the PORT commands to handle the address translation. Once you encrypt the control connection, that no longer works because the gateway is unable to see the actual traffic, so the server receives a PORT command with
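The NAT problem described in the comment above, as an added example written for this page (not the commenter's code, and not any real gateway's ALG): a minimal cleartext FTP ALG step in Go. The client address 192.168.1.10, the gateway address 203.0.113.5 and the mapped port are constructed values.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// parsePort decodes an RFC 959 active-mode command, "PORT h1,h2,h3,h4,p1,p2",
// into the IPv4 address and TCP port the client is asking the server to
// connect back to for the data connection.
func parsePort(line string) (net.IP, int, error) {
	fields := strings.Fields(line)
	if len(fields) != 2 || !strings.EqualFold(fields[0], "PORT") {
		return nil, 0, fmt.Errorf("not a PORT command: %q", line)
	}
	parts := strings.Split(fields[1], ",")
	if len(parts) != 6 {
		return nil, 0, fmt.Errorf("malformed PORT argument: %q", fields[1])
	}
	var b [6]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 || n > 255 {
			return nil, 0, fmt.Errorf("bad byte %q in PORT argument", p)
		}
		b[i] = n
	}
	ip := net.IPv4(byte(b[0]), byte(b[1]), byte(b[2]), byte(b[3]))
	return ip, b[4]*256 + b[5], nil
}

// formatPort encodes an IPv4 address and port back into PORT syntax.
func formatPort(ip net.IP, port int) string {
	v4 := ip.To4()
	return fmt.Sprintf("PORT %d,%d,%d,%d,%d,%d\r\n",
		v4[0], v4[1], v4[2], v4[3], port/256, port%256)
}

// rewritePort is the step a NAT gateway's FTP ALG performs on a cleartext
// control connection: the client's private address in the PORT command is
// replaced with the gateway's public address and the port the gateway has
// mapped for the inbound data connection. It only works because the gateway
// can read and edit the command text.
func rewritePort(line string, publicIP net.IP, mappedPort int) (string, error) {
	ip, _, err := parsePort(line)
	if err != nil {
		return "", err
	}
	if !ip.IsPrivate() {
		return "", fmt.Errorf("PORT address %s is not private; nothing to translate", ip)
	}
	if publicIP.To4() == nil || mappedPort < 1 || mappedPort > 65535 {
		return "", fmt.Errorf("invalid public endpoint %s:%d", publicIP, mappedPort)
	}
	return formatPort(publicIP, mappedPort), nil
}

// isTLSRecord reports whether bytes seen on the control connection are a TLS
// record header (content type 0x14-0x17, version 0x03xx). Once the client has
// negotiated TLS, every PORT command arrives like this: opaque to the gateway,
// so rewritePort can never be applied and active mode breaks behind NAT.
func isTLSRecord(raw []byte) bool {
	return len(raw) >= 5 && raw[0] >= 0x14 && raw[0] <= 0x17 &&
		raw[1] == 0x03 && raw[2] <= 0x04
}

func main() {
	// Constructed sample: a client at 192.168.1.10 asks for a data connection
	// on port 19*256+137 = 5001; the gateway owns 203.0.113.5 and maps 40000.
	out, err := rewritePort("PORT 192,168,1,10,19,137\r\n", net.ParseIP("203.0.113.5"), 40000)
	fmt.Printf("%q %v\n", out, err)
	fmt.Println(isTLSRecord([]byte{0x17, 0x03, 0x03, 0x00, 0x20}))
}
```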
Re: (Score:2)
Don't worry, the Chrome and Firefox teams are both working on deprecating http as well.
I hope they don't do this (Score:2)
to SeaMonkey
Re: (Score:3)
Mozilla doesn't want anything to do with SeaMonkey, which, is stuck mostly on Gecko 56 with about 9000 backports with a branch on Gecko 60 IIRC, which seems about as far as the developers want to go in that direction.
Mozilla has really jumped the shark in the last few years. The problem is all the web sites that expect the latest or latest-1 versions of the main browsers, which does not include SM.
FTP is far from dead in industrial applications (Score:5, Informative)
In movie theatres, the primary way to transfer digital movies (DCP's) from one auditorium/projector setup to another or from a library server to a venue is FTP. That's how the firmware works with every brand of cinema server.
I'm sure other industries do something similar to get data from here to there in their plants and factories. Need a file from server X? You can probably download it with FTP.
Note that almost none of this is stuff that goes over the internet at large. It's just data transfers from one side of the building to another, or from the top gadget in the rack to the one at the bottom.
Re: (Score:2)
It's not like FTP itself is going away.
Re:FTP is far from dead in industrial applications (Score:5, Insightful)
Note that almost none of this is stuff that goes over the internet at large. It's just data transfers from one side of the building to another, or from the top gadget in the rack to the one at the bottom.
In that case, why are we concerned that a web browser is depreciating the protocol, when dozens of other programs more tuned for file transfers, will continue to support this?
And if you were downloading files from servers via FTP today, then there's a good chance you can do it with SFTP, HTTPS, or SSH tomorrow.
You're right. FTP is far from dead. That doesn't mean it shouldn't be.
Re:FTP is far from dead in industrial applications (Score:5, Informative)
depreciating the protocol
depreciate: to lower the price or estimated value of. "the pound is expected to depreciate against the dollar"
deprecate: [3] to withdraw official support for or discourage the use of (something, such as a software product) in favor of a newer or better alternative. the Google Drive app for PC and Mac is officially being deprecated and the company's developers announced in a blog post that it will no longer be supported starting December 11.
Re: (Score:2)
The browser is depreciating support for an outdated protocol.
browsers are breaking the internet by creating dead links of otherwise valid URLs.
Re: (Score:2)
The browser is depreciating support for an outdated protocol.
browsers are breaking the internet by creating dead links of otherwise valid URLs.
Companies are still serving up files using an outdated insecure protocol that has been superseded by several different options. Time to not only grow up, but wise up.
A browser, is merely a tool. Stop feeding it shit, and you won't have to wash it off with a depreciation hose.
Re: (Score:2)
1. FTPS is secure
2. Publicly available files do not need authentication credentials to access. And for security reasons it is preferable to sign binaries rather than rely on transport encryption.
A browser, is merely a tool.
Indeed, the World Wide Web is the actual innovation of importance. The browser only exists to enable it. The problem we face is too many self-described "experts" know little of the original design intent of the WWW. We should consider carefully when we cut off sections of information, just because someone decided it i
Re: (Score:3)
1. FTPS is secure
A great protocol not supported by a browser thanks to the browsers half baked implementation and yet another good reason why FTP should be handled by a dedicated program.
2. Publicly available files do not need authentication credentials to access.
Whether something is public or not does not determine whether an end user is persecuted for accessing it.
Re: (Score:2)
Whether something is public or not does not determine whether an end user is persecuted for accessing it.
Sounds like a political problem. And given the amount of cookies in our browsers, it's not a problem that any modern technology is trying to address.
Re: (Score:2)
browsers are breaking the internet by creating dead links of otherwise valid URLs.
No they aren't. Browsers simply treat ftp like any other unsupported URI and hand it off to the OS to identify the default app to handle. My browser doesn't have a built in bittorrent client, that doesn't mean magnet:// links don't work for me. It doesn't have a mail client that doesn't mean mailto: links don't work for me.
Re: (Score:2)
Maybe it's time to upgrade? Or else, when someone gets on your network and injects pr0n into the movie stream you'll have only yourself to blame. Besides, you can't hold the world back because of edge scenarios that have workarounds.
Re:FTP is far from dead in industrial applications (Score:5, Insightful)
SMTP is a great way of sending email that keeps the world running, that doesn't mean the protocol should be supported in a browser.
There are countless FTP clients out there, and 100% of them, including the shitty default ftp.exe which shipped with Windows, do a better job of it than browsers ever did.
What next, you expect an embedded bittorrent client in the browser to handle the magnet: URI?
Re: (Score:2)
My browser supports SMTP, POP3, IMAP, NNTP as well as the usual HTTP, HTTPS and FTP. I believe there is an extension out there for bittorrent, yep, https://addons.thunderbird.net... [thunderbird.net]
Re: (Score:2)
So what you're saying is that these should be optional extensions and removed from the browser? I fully agree with you.
Re: (Score:2)
No, I'm saying that I chose a browser that includes stuff I use. Since I don't use bittorrent, it doesn't matter. I just referenced it as you brought it up as a possibility.
As for having this stuff as extensions, that would be fine if Firefox etc allowed it. Note that the bittorrent extension I referenced only works with Firefox 56 and previous due to changes Mozilla made, to quote,
Re: (Score:2)
I can't imagine wanting bittorrent as an extension. Just yesterday I used a magnet link in Firefox 90. It loaded transmission perfectly and I downloaded what I needed.
Re: (Score:2)
You would think that movie theaters would be using SFTP and not FTP to transfer their files to movie theaters. Sending them unencrypted almost seems like putting out a welcome mat for pirates with packet capture software.
Re: (Score:3)
Re:FTP is far from dead in industrial applications (Score:4, Informative)
Most movies are encrypted.
Wikipedia has a pretty good description of how it's done:
QUOTE:
The distributor can choose to encrypt the media (MXF) files with AES encryption to stop unauthorised access. The symmetric AES keys used to encrypt the content essence must be carefully protected, so they are never distributed directly. Instead the AES keys are themselves encrypted using asymmetric 2048 bit RSA. Each playback system has its own unique public/private key pair. The private key is never shared and is buried in the playback systems within secure hardware meeting FIPS-140 security standards. The matching public key is shared with the distributor, who can then create Key Delivery Messages (KDMs) which control access to the encrypted content for each playback system. KDMs are XML files containing the RSA encrypted AES keys that can be decrypted only by the private key within the destination device. A KDM is associated to the particular compositions (CPLs) which may include multiple encrypted picture, sound and subtitle assets, and each playback system requires a uniquely generated KDM. KDMs also provide the ability to define date/time windows within which the KDM is valid. Playback systems will not allow playback outside of this validity window, allowing distributors to ensure that content cannot be unlocked prior to release date and to enforce the rental agreement period agreed with the exhibitor.
END OF QUOTE
You can steal a CRU drive right out of my projection room (or off the courier's truck) and it won't do you any good at all since you need a key to play it and the keys are unique to each movie and unique to each cinema server.
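The key-delivery scheme quoted above, as an added example written for this page (not Wikipedia's text turned into code, and not any cinema vendor's software): Go with standard-library crypto only. AES-256-GCM for the content, RSA-OAEP for the key wrap and the XML element names are choices made here; the quoted passage specifies only AES content encryption, 2048-bit RSA per playback device, and a validity window.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"time"
)

// KDM mirrors the quoted description: the composition (CPL) ID, the content key
// wrapped for one playback device's RSA key, and a validity window. Element names are assumptions.
type KDM struct {
	CompositionID  string    `xml:"CompositionID"`
	NotValidBefore time.Time `xml:"NotValidBefore"`
	NotValidAfter  time.Time `xml:"NotValidAfter"`
	EncryptedKey   string    `xml:"EncryptedKey"` // base64 RSA-OAEP ciphertext
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptAsset protects one asset with a fresh random content key (AES-256-GCM here; the quote only says "AES").
func encryptAsset(plain []byte) (key, sealed []byte, err error) {
	key = make([]byte, 32)
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return key, gcm.Seal(nonce, nonce, plain, nil), nil
}

// decryptAsset is the playback side of encryptAsset; a truncated ciphertext is rejected, not sliced out of range.
func decryptAsset(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("cannot open asset (key error: %v, length %d)", err, len(sealed))
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// issueKDM is the distributor's step: wrap the content key for one device, with the CPL ID as
// OAEP label so the KDM unwraps only for that composition.
func issueKDM(contentKey []byte, device *rsa.PublicKey, cpl string, from, to time.Time) (*KDM, error) {
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, device, contentKey, []byte(cpl))
	if err != nil {
		return nil, err
	}
	return &KDM{CompositionID: cpl, NotValidBefore: from, NotValidAfter: to,
		EncryptedKey: base64.StdEncoding.EncodeToString(wrapped)}, nil
}

// unlock is the playback system's step: refuse anything outside the validity window,
// then unwrap with the private key that never leaves the device.
func unlock(k *KDM, device *rsa.PrivateKey, now time.Time) ([]byte, error) {
	if now.Before(k.NotValidBefore) || now.After(k.NotValidAfter) {
		return nil, fmt.Errorf("KDM for %s is not valid at %s", k.CompositionID, now.Format(time.RFC3339))
	}
	raw, err := base64.StdEncoding.DecodeString(k.EncryptedKey)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, device, raw, []byte(k.CompositionID))
}

func main() {
	// Constructed demo: one cinema-server key pair, one composition, a one-week window.
	server, _ := rsa.GenerateKey(rand.Reader, 2048)
	key, _, _ := encryptAsset([]byte("constructed MXF picture essence"))
	kdm, _ := issueKDM(key, &server.PublicKey, "urn:uuid:example-cpl", time.Now(), time.Now().AddDate(0, 0, 7))
	doc, _ := xml.MarshalIndent(kdm, "", "  ")
	fmt.Println(string(doc))
}
```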
Re: (Score:3)
Re: (Score:2)
Sometimes it is. I keep content like policy trailers ("turn off your cell phone", "our feature attraction", etc.) on my computer and put them on the cinema server when they're needed.
There will always be FTP clients (Score:2)
So, losing FTP from the browser is no biggie. S
If there is demand to have FTP in the browser itself, sooner rather than later there will be an FTP PPAPI plugin for all browsers.
In the meantime, this reduces attack surface and complexity in the browser by removing all that old code that supported FTP.
Having said that, one can only hope they re/moved more junk from the browser to extensions and Plug-ins (even if those extensions and plug-ins ship pre-installed in the browser), like that dreaded pocket stuff.
Another stupid decision by Mozilla (Score:2)
Warning people? Yes. But removing things that have valid applications and are in use? Stupid.
Re: (Score:2)
Don't beg the question. FTP is far from "in use". I bet you didn't even notice that Mozilla disabled FTP several releases back. If you want to use the FTP protocol then at least give it enough respect to use a client which actually supports it properly. The browser implementation is not only half baked, but leaves out most of the ingredients as well.
This makes no sense (Score:2)
To date, many malware distribution campaigns launch their attacks by compromising FTP servers and downloading malware on an end user's device using the FTP protocol.
OK, but you can just as easily compromise an HTTP server. The protocol is not the weak point here.
Re: (Score:2)
Are you suggesting it's good security practice to leave depreciated unused code rotting in your codebase?
FTP is practically unused. FTP was never implemented properly in a browser. Why should the client be in the browser? I mean, we come across magnet:// links online more than ftp:// [ftp], so maybe Firefox should include a fully featured bittorrent client instead. Or how about all those mailto: URIs? Really, why doesn't Firefox include an internal email client?
Re: (Score:2)
Or did you mean deprecated?
I probably meant depreciated. English is my 4th language so it's far from perfect.
What I am suggesting is that this particular excuse for removing FTP is a very dumb reason.
What I'm suggesting is, it's not. FTP is basically unused for the modern web. It has never been properly implemented in any browser in the first place. The most popular browser on the market disabled FTP a year ago, and the browser should hand off to a proper client like it does with any other protocol.
Unused code *especially code used to access other networks* should be removed, and there's very good technical reasons for tha
The web was bootstrapped from ftp (Score:3)
Re: The web was bootstrapped from ftp (Score:5, Funny)
So? My great-grandpa moved to town in a horse drawn carriage. Does it mean I should have a horse shitting in my garage?
Re: (Score:2)
Yes, because as everybody knows, natural is better, and the shit is more natural than the chemicals in the rubber and steel.
Re: (Score:2)
You should have the choice, or are you saying no one should be able to have a horse since you don't have a use for one.
Re: (Score:2)
Re: (Score:2)
Before Windows 95 came with a built-in browser you needed to download a browser over ftp or hope someone gave you a floppy with one on it.
If you were still using an OS prior to Windows 95 you'd have a very valid criticism. Right now I'm just wondering how bored you must have been to make that post. Note: I actively enjoy arguing with people online so consider this post here comparatively very worthwhile.
Re: (Score:2)
I just booted to OS/2, which came with a browser, called WebExplorer, mostly implemented as a DLL so other programs could use it to display HTML in 1994.
Firefox news... (Score:2)
Firefox: "Hey guys, we did something, even if it's for the worse... Make it a news item to let the world know we're still doing stuff."
Also, "full secured HTTPS internet", middlemanned by companies like Cloudflare and Akamai. Who are they trying to fool?
shit act (Score:2)
Re: (Score:2)
If you have a scenario for using ftp then you should not be using a browser. The implementation was always half baked and didn't support much of the protocol in the first place. Enterprises and factories will be just fine, heck they may even benefit from this as the ftp:// [ftp] URI will have to be handed over to something, and even the damn windows explorer does a better job of this than any browser ever did.
But if you truly care and truly use it, then fire your IT staff and hire some that actually understand cli
Removing features because of perceived security... (Score:2)
...issues? Why don't they start with _real_ security issues like Javascript?
Re: (Score:2)
...issues? Why don't they start with _real_ security issues like Javascript?
I'm willing to bet you more people use javascript than FTP. I'm also willing to bet people who want to use FTP actually have an FTP client (or 4) installed on their machine. It's 4 for me because I use Filezilla, but then I also have the console ftp.exe, windows explorer which supports ftp, and a windows explorer replacement which also supports ftp. The last thing I need is some stupid half baked implementation in the browser.
Re: (Score:2)
I'm willing to bet you more people use javascript than FTP
That just makes it an even bigger problem, jackass! Meanwhile you think you can pretend that ftp is the big bad monster that's going to eat your fucking future "one and only love" just so that you die a sad lonely death....
... FOR FUCK SAKES
Do you even listen to yourself? You just tried to pretend that something far more insecure than ftp isn't a problem, because it's so much more popular
Re: (Score:2)
That just makes it an even bigger problem, jackass!
What's with the name calling? If you want to get aggressive simply because someone points out your position is stupid then go see a psychiatrist. Cars are dangerous, your solution is to ban all cars ignoring the economic benefit they bring to the world.
To be clear I'm not calling you stupid. Just what you're saying is completely devoid of any rational thought and I highly recommend seeking professional help.
Do you even listen to yourself?
Yes, I suggest you listen to me too. Then I suggest you re-read TFS realise we're not having an overa
So what? Just use FileZilla (Score:2)
Re: (Score:2)
You mean the software that came bundled with adware/spyware?
Terrible idea based on a false premise. (Score:3)
A bunch of goofy nonsense. The percentage of people using ftp with login is paltry, and of those anything critical is probably unavailable in that fashion. However, huge tech concerns still link firmware, drivers, etc, using FTP, from their websites. Just the other day, I noticed that HP was delivering a file to me via FTP, when I requested a printer driver from their main support site. Anonymous FTP for software/file distribution is the use case for 99.9% of people’s use of FTP. They do it from the browser, and wouldn’t have a clue as to how to install an FTP client, nor would having a dedicated client benefit them.
These geniuses at Mozilla are going to create support issues where they don’t currently exist, and cause time, effort, and money to be spent where it yields no benefit. It’s like the removal of Gopher was a trial run. That wasn’t hurting anyone, either. I feel like I’m watching a group of engineers from the NYS Department of Transportation. They’re solving problems that don’t exist, creating problems that didn’t exist, and patting themselves on the back while doing it.
In other news... (Score:2)
In other news, Mozilla has stopped support for computers, citing the increased security risks of using computers.
Firefux (Score:3)
I stopped using it because the company behind it decided that it knew better than me and removed features that I found myself needing, even when I rarely used them.
Of course, everyone will go "MEE TOO!" and do the same.
We will end up with a split browser market, one for the forever infantile users, and the other for people who know that a CD-ROM tray is not the cup holder.
Re:Good (Score:5, Insightful)
I dunno about you but when I utilize FTP I'm using a client, not a browser.
Re: (Score:2)
"I dunno about you but when I utilize FTP I'm using a client, not a browser."
The kids don't even use a client for email.
Re: (Score:2)
What do you think the email app on your phone is?
Re: Good (Score:2)
That's so 2008. The current iMail/GMail mobile apps are absolutely IMAP clients.
Re: (Score:2)
You can load images and such from FTP servers, this can be convenient for e.g. embedding images served from appliances like trail cameras rather than having an interim cache step. But in practice this really doesn't matter much any more, it's not going to break many sites or anything.
On the other hand, I still feel like something is being lost. It's nice to be able to download from FTP sites from a browser, and not need an external client.
Re: (Score:2)
I do agree with you: I can't see why I need it but I did have a vague feeling of loss. Maybe it feels like the old days of the internet are finally fading into nothing.
Re: (Score:2)
Personally, for navigating strange FTP sites, I prefer a browser. It shows the directory structure as a tree. And displays a lot of the file types and the ones it doesn't display internally, it will launch an app for them.
For FTP sites that I use more and know my way around, I use ncftp, same with uploading, which works much better over ftp than https if your internet connection is not perfect, and most aren't for uploads, even doing resume.
Re: (Score:2)
Who is relying on FTP that is using Firefox for it and not something like FileZilla or CuteFTP?
Re: (Score:2)
It's sometimes convenient when downloading files instead of having to fire up a different program.
Re: (Score:2)
One more reason to ditch Mozilla Firefox for good.
FTP hasn't been disabled in Firefox for a couple of versions now. I bet you didn't even notice.
No wonder why they keep lagging in market share
The browser with the largest market share ditched FTP over a year ago. No one cared.
Re: (Score:2)
Re: (Score:2)
SeaMonkey?
Re: (Score:2)
They aren't going to remove HTML, but they are planning on removing HTTP.
Re: (Score:2)
That's cool. I guess this will be the point at which I stop updating Firefox. Removal of FTP support is quite annoying already, but if Firefox stops working with HTTP, I stop using it.
Re: (Score:2)
They aren't going to remove HTML, but they are planning on removing HTTP.
Great. How do I configure my home router?
Re: (Score:2)
Not to mention Javascript and CSS. Heck CSS is just a malware module.
Re: (Score:2)
FTP and HTTP should be banned. Anyone who disagrees does not understand security, it is as simple as that.
Do you even know how to program?
Re:Ftp (Score:4)
Your opinion is heavy in emotion short on fact. You're probably feeling angry just reading this post.
Re: (Score:2)
You have obviously never worked with legacy systems where old protocol knowledge and availability is essential. Xmodem is still an option in some cases and might even be the only option.
Re: Ftp (Score:2)
FTP and HTTP should be banned
It's my LAN and I'll run insecure protocols if I want!
Re: Ftp (Score:3, Informative)
Re: (Score:2)
Yep, someone is going to get on my 192.168.0.x network and inject stuff in between my phone and desktop. Far more likely to get a fake certificate and inject stuff into HTTPS. Perhaps for security that should be banned too. Can't be too safe.
Re: (Score:2)
What certificate should a router, printer, or NAS on my home LAN be using for HTTPS? The major web browsers trust a finite set of certificate authorities (CAs). Per the CA/Browser Forum's Baseline Requirements, all of these CAs have a policy against issuing certificates for private IP addresses (such as 192.168/16 or 10/8) or for private top-level domains (such as .local used by mDNS). Should everyone who owns one of these devices need to buy a domain name under which to obtain a certificate from Let's Encr
Re: (Score:2)
FTP and HTTP should be banned. Anyone who disagrees does not understand security
*Unencrypted* FTP and HTTP are bad.
HTTPS uses TLS to encrypt HTTP, so, if you have HTTPS, you also have HTTP.
Similarly, there are SFTP and FTPS. SFTP uses SSH and FTPS uses (spoiler alert) TLS.
Both are encrypted versions of FTP.
Unencrypted use of application protocols should not be done.
Use encrypted protocols or at least TLS. These provide end-to-end encryption. And consider defense in layers: also using node-to-node encryption, like IPsec, will provide another layer of defense.
Re: (Score:2)
"If the biggest security risk is the unencrypted transmission"
Unencrypted transmission is not a credible security risk.
Re: (Score:2)
Re: (Score:2)
Why though? Why implement a fancy new feature no one uses for a protocol that never should have been in the browser in the first place. You're talking about a solution so half baked it doesn't even include directory traversal.
FTP should have been removed from the browser years ago. Even the bloody windows explorer implements support better than any browser ... to say nothing of proper FTP clients.
Re: (Score:2)
FTP is a control and negotiation protocol. The data protocol is the same one that has been used for BILLIONS of years: open the pipe and send the data. It is probably just not complicated enough for the kiddies these days -- after all, it has no JavaScript.
Re: (Score:2)
FTP over TLS is also a control and negotiation protocol. Its corresponding data protocol is open a TLS pipe and send the data. Its advantage is some level of assurance that neither the control and negotiation metadata nor the data is modified between the client and a server authorized to speak for a particular domain name.
Re: (Score:2)
Gopher was also well supported by Mozilla/Firefox up until fairly recently, with a similar weak justification. It seems like they're more looking for excuses to kill off protocols they'd rather not continue supporting rather than keep them limping along. If that's the reasoning, they should just be upfront about it instead of trying to come up with some nonsense excuse. Why should I care about FTP security in a private network, or if I'm downloading a large image from a public repository that's provided alo
Re: (Score:2)
FTP is not insecure. FTP is secure. It works exactly as designed.
Working as designed does not make something secure (unless of course the design requires inherent security). That's like saying your house is secure because you removed the front door and left everything open for everyone and therefore there are no locks to pick.
Words have meanings, please use them correctly.