"The main reason why FTP is being removed is that it is considered insecure but Google's decision to remove support from Chrome certainly played a role in Mozilla's decision to remove support as well."
Plaintext passwords over the net. Also, it's somewhat painful for NAT because it opens up a second port that isn't a named one, the client sends that port number to the server, then the server opens a connection to the client.
That's for active FTP, which basically nobody uses anymore (since it's incompatible with most firewalls).
Most clients use the passive FTP extension, in which the server sends the client a host/port pair to connect to for the data connection. Still painful, but slightly less so.
I'm sure the majority of people that still use FTP aren't relying on a browser for access but people still use it. Why not just deprecate standard FTP and only support FTPS and SFTP?
Because that'd amount to the same result as removing FTP. The "installed base" of web-accessible FTPS and SFTP resources is essentially zero, and that's unlikely to change -- if a web site was previously using FTP, they're probably going to move those resources to HTTP/S, not to another protocol which has limited browser support.
> The "installed base" of web-accessible FTPS and SFTP resources is essentially zero
Well that's true of SFTP, browsers don't support that protocol but I think they should. But FTP is still ubiquitous on the internet and most browsers like FF already support FTPS. To me it would make more sense to deprecate FTP like HTTP and warn users when their logging in over an insecure protocol than just kill the feature all together, especially if one of the primary reasons is because "Google did it". FTPS uses the same URI as FTP (ftp://). FTPS is common now, most people don't even realize they're using it. There are those of us that still need to deal with FTP and being able to click on a link in the browser rather than use a separate FTP client is just convenient. Just make it an optional feature and disable it by default.
> Well that's true of SFTP, browsers don't support that protocol but I think they should.
They should not. SSH -- which is used as the transport for SFTP -- is a rather large and complex protocol. Implementing it in browsers would significantly increase their network attack surface, while providing few (if any) new capabilities. (What does SFTP provide to the browser that isn't possible with HTTPS?)
> FTPS is common now, most people don't even realize they're using it.
Can you give an example? There are no major web browsers which currently support FTPS -- it is not present in Chrome, Mozilla, nor Internet Explorer.
A MITM attack occurs when an eavesdropper inserts herself between two people trying to communicate securely. e.g. Alice and Bob may think they're talking to each other over an encrypted link, but they're both talking to Eve. Eve's just taking everything Alice sends, decoding it, copying it, re-encoding it, and sending it on to Bob. A MITM attack is not necessarily the result of bad encryption, but of a failure in authentication. Eve's ability to fool Alice into thinking she is actually Bob is key.
An unencrypted connection (such as plain old FTP) is effectively a broadcast. No attack, MITM or otherwise, is required. Eve just has to listen.
"Mozilla could have opted for implementing support for secure FTP in Firefox; a bug was filed 19 years ago to introduce support for SFTP in Firefox but nothing ever came out of it."
Never happened because there was no use case for it.
FTP made some sense to have in a browser because it supported unauthenticated downloads.
SFTP, as a protocol which runs over SSH, basically requires authentication. (You could conceivably set up an SSH server to allow authentication against a "guest" user, but that gives security folks the heebie-jeebies.) So it doesn't really make sense to link to an SFTP resource in a web context, making it very low value to support in a browser.
Having said that: nowadays it isn’t uncommon to say “FTP server” for a server running SFTP, its secure replacement, so it isn’t clear to me what exactly is being removed from Firefox.
SFTP is SFTP -- a protocol which runs over SSH -- and Firefox doesn't support that. It wouldn't really make sense for it to do so, either; SFTP more or less requires SSH authentication, making it a poor fit for a web browser.
There is FTPS (FTP + SSL/TLS), which Mozilla might support -- but that's rather rare.
Looking at those changes, it's clear that there has been very little substantive modifications to the FTP code itself, as opposed to keeping up with style guide changes, mass renamings, and API changes. So either you believe this 15 year old code is really rock-solid, stable, high-quality code, or you believe that it's a massive pile of bugs and security holes that no one's examined too closely. I know which one I believe.
If I'm reading the telemetry correctly (https://mzl.la/3bq5oFZ), there are ~6k people who used FTP to download a file in the past week or so. That's not enough users to really justify spending manpower rewriting it.
im suggesting that everyone i know and thier mother intentionally spoofs any telemetry or analytics they can rather than block it. nothing atypical about it, it is very distinctive to comepletely block fingerprinting analytics telemetry. it is much better to spoof the content rather than block it.
The gist talks about disabling telemetry, not spoofing it, and reading the prefs it sets makes it clear that it is actually disabling it.
The github search reports a single repository last updated three years ago, and doesn't appear to even be related to Firefox telemetry at all, as the telemetry appears to be spacecraft telemetry.
I never seen a distro that didn't have a http mirror for those things myself. Even the ones that offer ftp.debian.org for example are accessibly over http as well.
Yeah, this. I suppose the closest substitute will be to configure directory listings at the http server, although I suspect UX people will get their hooks in to make it pretty instead of efficient. (Ever tried to find something specific but not currently promoted on Dell's site?)
Dell's site is a nightmare. Shopping for monitors has been one of the most inexplicably complex affairs I've ever seen. It also doesn't help that any link to their US site redirects to the dell.ca front page, making it extremely difficult to follow links from forums, google searches, etc.
There are some areas where FTP is still used and an easy options. Like datafeeds of affiliate platforms. Having support for accessing those in Firefox was super useful.
Some files from Adobe are available on their ftp server, it's kind simple to get them through clicking a link than copying the path, opening up an FTP client, connecting, etc.
I would genuinely be surprised if even 5% of users used FTP in the last year. But damn do I wish they kept the feature in; Firefox should distinguish itself as the tech worker's browser, sorta like a forensics live CD that has every imaginable tool you need for deep work.
Flagging a problem doesn't mean you're required to provide a solution.
Mozilla has been cutting useful features from Firefox at an increasing rate, and there are no real alternatives out there.
The whole point of having multiple implementations is that they are different, and Firefox is quickly turning into Chrome with a new logo just like Internet Explorer.
He is suggesting by removing this feature to keep pace with chrome firefox is acting as the younger brother or junior partner.
Probably true in this case. I'm a little disapppinted but if I really cared I would fork the repo remove those changes and spend my life trying to manually keep things in sync. Or just use a different browser.
I love discussions about browsers on Hacker News! They're amazing. Half the people ranting how some insanely complicated technical decision is going to ruin the world, the other half yelling at them that this is necessary, others ranting about how the vendor is evil for some reason, etc. Just lovely!
I can't believe they have a dysfunctional captcha (doesn't display a captcha at all). That's hilarious considering how critical n-gate is about useless tech.
They're working on it. It has and will continue to be deprecated with ever increasing security warnings.
But the reason why FTP got pulled and HTTP hasn't is simply usage. The FTP client in browsers is terrible, and anyone using FTP professionally is using a better client (e.g. multiple connection modes, resume downloads, concurrent streams, etc) or has already migrated to FTPS or SFTP.
FTP just adds attack surface and maintenance cost.
> The FTP client in browsers is terrible, and anyone using FTP professionally is using a better client (e.g. multiple connection modes, resume downloads, concurrent streams, etc)
That would be just as true for SFTP or FTPS. Those mitigate the security problems, but don't address the fact that FTP-like protocols would continue to be a second class citizen in browsers and better handled by bespoke clients.
I think FTP isn't a very good protocol anyways. HTTP and Gopher are better. (HTTP does support most of the features, including authentication, uploads, etc. The thing HTTP doesn't have is proper directory listings; I wrote a document suggesting how this could be done, calling it "httpdirlist" specification; it is a new MIME type, and then each record is a list of records (formatted like a list of HTTP headers) separated by blank lines.)
Has anything outside of some incredibly archaic library system even used Gopher in the last 20 years? To me its one of those protocols that I only remember because I hope to use it to answer some trivia question someday. Right up there with Archie and Veronica.
Yes; Gopher is still in use, although not much. You could probably find a few Gopher servers still in use (I have found a few). I have my own Gopher server, too.
I can see many tech ppl switching over to a chromium browser because they might possibly use ftp in the future and just want to install one browser. It's those ppl that install (or even know about) FF, generally.
Other than a part time dev and some testing, it's hard to see the costs of supporting ftp.
It's a string of decision-making like this that has made FF drop off the list of "supported" browsers in many organizations and may lead to a 2 engine Internet. This is bad for everyone, IMO.
Mozilla board: Look at your browser share: you need to replace the management team immediately - we need FF.
Chrome is also deprecating FTP so I don’t think that’ll happen.
Plus Mozilla isn’t an organisation the size of Google. They have to prioritise what they’re going to support and it makes total sense to ditch FTP support. I’m a professional web developer and I’d never choose which browser I use based on whether it supports FTP. I barely ever use it, and when I do I just use FileZilla or something similar that makes much more sense for FTP.
This was an old version of FileZilla from 2016 from a relatively short-lived experiment when a previous incarnation of SourceForge was helping open source projects 'monetize'. There was no malware and no infection. It was an online downloader with bundleware.
FileZilla is solid software and every version has been clean. I know because I scan every release in dozens of antivirus engines via VirusTotal as part of packaging FileZilla Portable for PortableApps.com.
It's not obvious to me that Mozilla is doing anything very wrong, except for not having enough money to keep their browser experience as polished as Chrome's, and most importantly, they aren't marketing like Google.
Google doesn't need their browser to make money, and Google advertises their browser in ways that Mozilla can't match. It's surprising that Mozilla can even be half-healthy.
Mozilla is already maintaining and improving Firefox while exploring other things like Rust, but they're not winning the war against Google. And improvement is relative -- to Google. Maintaining is losing, esp. while Google isn't just competing on browsers but also ecosystem.
Otherwise I'm sure Microsoft would like to be the winner.
And there are new users everyday. It makes sense that some of those new experiences are the system defaults, like Safari or Edge. It also makes sense that some of those experiences would be Chrome if you're in the Google ecosystem. But why Firefox? Privacy? I don't think that's bad, I just don't think it's enough vs Google.
85 comments
[ 5.4 ms ] story [ 213 ms ] thread"The main reason why FTP is being removed is that it is considered insecure but Google's decision to remove support from Chrome certainly played a role in Mozilla's decision to remove support as well."
Most clients use the passive FTP extension, in which the server sends the client a host/port pair to connect to for the data connection. Still painful, but slightly less so.
Well that's true of SFTP, browsers don't support that protocol but I think they should. But FTP is still ubiquitous on the internet and most browsers like FF already support FTPS. To me it would make more sense to deprecate FTP like HTTP and warn users when their logging in over an insecure protocol than just kill the feature all together, especially if one of the primary reasons is because "Google did it". FTPS uses the same URI as FTP (ftp://). FTPS is common now, most people don't even realize they're using it. There are those of us that still need to deal with FTP and being able to click on a link in the browser rather than use a separate FTP client is just convenient. Just make it an optional feature and disable it by default.
They should not. SSH -- which is used as the transport for SFTP -- is a rather large and complex protocol. Implementing it in browsers would significantly increase their network attack surface, while providing few (if any) new capabilities. (What does SFTP provide to the browser that isn't possible with HTTPS?)
> FTPS is common now, most people don't even realize they're using it.
Can you give an example? There are no major web browsers which currently support FTPS -- it is not present in Chrome, Mozilla, nor Internet Explorer.
An unencrypted connection (such as plain old FTP) is effectively a broadcast. No attack, MITM or otherwise, is required. Eve just has to listen.
"Mozilla could have opted for implementing support for secure FTP in Firefox; a bug was filed 19 years ago to introduce support for SFTP in Firefox but nothing ever came out of it."
FTP made some sense to have in a browser because it supported unauthenticated downloads.
SFTP, as a protocol which runs over SSH, basically requires authentication. (You could conceivably set up an SSH server to allow authentication against a "guest" user, but that gives security folks the heebie-jeebies.) So it doesn't really make sense to link to an SFTP resource in a web context, making it very low value to support in a browser.
That almost always happens over the git protocol or git+http, not git+ssh.
Having said that: nowadays it isn’t uncommon to say “FTP server” for a server running SFTP, its secure replacement, so it isn’t clear to me what exactly is being removed from Firefox.
SFTP is SFTP -- a protocol which runs over SSH -- and Firefox doesn't support that. It wouldn't really make sense for it to do so, either; SFTP more or less requires SSH authentication, making it a poor fit for a web browser.
There is FTPS (FTP + SSL/TLS), which Mozilla might support -- but that's rather rare.
There's more changes on nsFtpConnectionThread.cpp: https://hg.mozilla.org/mozilla-central/log/tip/netwerk/proto...
Looking at those changes, it's clear that there has been very little substantive modifications to the FTP code itself, as opposed to keeping up with style guide changes, mass renamings, and API changes. So either you believe this 15 year old code is really rock-solid, stable, high-quality code, or you believe that it's a massive pile of bugs and security holes that no one's examined too closely. I know which one I believe.
the breadcrumbs start here:
https://gist.github.com/MrYar/751e0e5f3f1430db7ec5a8c8aa237b...
https://github.com/search?q=spoof+telemetry
if you know how to do a web search do that. if you cant then sorry about the luck.
The github search reports a single repository last updated three years ago, and doesn't appear to even be related to Firefox telemetry at all, as the telemetry appears to be spacecraft telemetry.
Given that such downloads should be authenticated using ftp is non-ideal though, I guess.
source: biased developer :-)
Mozilla has been cutting useful features from Firefox at an increasing rate, and there are no real alternatives out there.
The whole point of having multiple implementations is that they are different, and Firefox is quickly turning into Chrome with a new logo just like Internet Explorer.
Probably true in this case. I'm a little disapppinted but if I really cared I would fork the repo remove those changes and spend my life trying to manually keep things in sync. Or just use a different browser.
To be honest i like Seamonkey :) Maybe i am too old.
fun fact, Windows has a built in FTP client in Explorer. Just enter an FTP address into the address bar and then right click to login.
They're working on it. It has and will continue to be deprecated with ever increasing security warnings.
But the reason why FTP got pulled and HTTP hasn't is simply usage. The FTP client in browsers is terrible, and anyone using FTP professionally is using a better client (e.g. multiple connection modes, resume downloads, concurrent streams, etc) or has already migrated to FTPS or SFTP.
FTP just adds attack surface and maintenance cost.
network.ftp.enabled: false
set since it was introduced in Firefox 60 (over a year ago). I've had a total of one link broken in that time.
> The FTP client in browsers is terrible, and anyone using FTP professionally is using a better client (e.g. multiple connection modes, resume downloads, concurrent streams, etc)
That would be just as true for SFTP or FTPS. Those mitigate the security problems, but don't address the fact that FTP-like protocols would continue to be a second class citizen in browsers and better handled by bespoke clients.
Has anything outside of some incredibly archaic library system even used Gopher in the last 20 years? To me its one of those protocols that I only remember because I hope to use it to answer some trivia question someday. Right up there with Archie and Veronica.
there is even an FTP indexer:
https://www.securitynewspaper.com/2018/12/10/list-of-all-ope...
https://www.searchftps.net/
Other than a part time dev and some testing, it's hard to see the costs of supporting ftp.
It's a string of decision-making like this that has made FF drop off the list of "supported" browsers in many organizations and may lead to a 2 engine Internet. This is bad for everyone, IMO.
Mozilla board: Look at your browser share: you need to replace the management team immediately - we need FF.
Plus Mozilla isn’t an organisation the size of Google. They have to prioritise what they’re going to support and it makes total sense to ditch FTP support. I’m a professional web developer and I’d never choose which browser I use based on whether it supports FTP. I barely ever use it, and when I do I just use FileZilla or something similar that makes much more sense for FTP.
Mozilla just does a browser (at least they should only do one) so 500MM USD /year or whatever their budget is should suffice, right? [0]
I would be careful with FZ:
https://www.reddit.com/r/technology/comments/8pdubg/filezill...
[0] https://www.computerworld.com/article/3322912/mozillas-2017-...
FileZilla is solid software and every version has been clean. I know because I scan every release in dozens of antivirus engines via VirusTotal as part of packaging FileZilla Portable for PortableApps.com.
Google doesn't need their browser to make money, and Google advertises their browser in ways that Mozilla can't match. It's surprising that Mozilla can even be half-healthy.
https://www.computerworld.com/article/3322912/mozillas-2017-...
Otherwise I'm sure Microsoft would like to be the winner.
And there are new users everyday. It makes sense that some of those new experiences are the system defaults, like Safari or Edge. It also makes sense that some of those experiences would be Chrome if you're in the Google ecosystem. But why Firefox? Privacy? I don't think that's bad, I just don't think it's enough vs Google.