Firefox to burn FTP out of its browser, starting slowly in version 77 due in April

Firefox has decided it’s time to burn the browser’s FTP connections. In a March 19 post on the mozilla.dev.platform list, developer Michal Novotny announced “We plan to remove FTP protocol implementation from our code.” But the change will be slow. The unencrypted protocol will remain in place but be turned off by default for …

  1. LDS Silver badge

    "FTP is an insecure protocol and there are no reasons to prefer it over HTTPS"

    There are many reasons to get rid of half-baked FTP features from a browser and leave them to a real FTP client, but that's not the right one.

    Sure, FTP is as much insecure as HTTP. So add an S to it just as you did to HTTP and it becomes as secure as well. One reason to prefer it over HTTP is that it is much easier to manage remote files with FTP than with HTTP - and WebDAV is not exactly a solution - plus not every machine and his e-dog runs a web server.

    But I'm sure Firefox "consumer-oriented developers" meant "downloads" only, which is the only thing they think everybody does. They should just say so.

    PS: there are also reasons to give some people FTP access only, and not SSH access, to some machines. The former doesn't give you a shell into a remote machine.

    1. Giovani Tapini Silver badge

      Re: "FTP is an insecure protocol and there are no reasons to prefer it over HTTPS"

      So it's just an operationally difficult to manage, dual port connection protocol, that on some platforms uses an extremely wide number of random ports and if you look at available comments, even without shell, can do a nice amount of reconnaissance on the target file system. Add to this even file transfers themselves are not assured delivery unless your tool of choice adds this on. Putting an S on it does not change any of these aspects.

      Addressing this as just an "insecure" protocol substantially under-represents its deficiencies, and there are alternatives …

    2. DrXym Silver badge

      Re: "FTP is an insecure protocol and there are no reasons to prefer it over HTTPS"

      "One reason to prefer it over HTTP is that it is much easier to manage remote files with FTP than with HTTP - and WebDAV is not exactly a solution - plus not every machine and his e-dog runs a web server."

      It has never been easy to manage remote files through any browser. Some allowed you to drag and drop files up over ftp but most were one-way, download only. And no renaming, deleting etc.

      And despite its name sftp is a new protocol over an SSH transport layer with remote management functionality. You can't just slap some TLS on the existing ftp protocol to implement it - it is a substantial thing to implement in its own right.

      If you want to manage a remote server you should be using a dedicated client. Either the console or something like Filezilla which supports ftp, sftp and scp. Chances are that anyone doing stuff over ftp was already doing that to begin with.

      1. Luke McCarthy

        Re: "FTP is an insecure protocol and there are no reasons to prefer it over HTTPS"

        >You can't just slap some TLS on the existing ftp protocol to implement it

        https://en.wikipedia.org/wiki/FTPS

        1. DrXym Silver badge

          Re: "FTP is an insecure protocol and there are no reasons to prefer it over HTTPS"

          FTPS is an explicit elevation of FTP, it's not the same as starting off on a negotiated secure transport.

          1. overunder Silver badge

            Re: "FTP is an insecure protocol and there are no reasons to prefer it over HTTPS"

            from link...

            FTPS includes full support for the TLS and SSL cryptographic protocols, including the use of server-side public key authentication certificates and client-side authorization certificates. It also supports compatible ciphers, including AES, RC4, RC2, Triple DES, and DES. It further supports hash functions SHA, MD5, MD4, and MD2.

            1. Peter Gathercole Silver badge

              Re: "FTP is an insecure protocol and there are no reasons to prefer it over HTTPS"

              And on top of this, many FTP implementations include a chroot jail actually in the server.

              And even if it isn't, it's been very common practice (for about 30 years or so) to set up a chrooted environment for ftp explicitly.

              The exceptionally low overheads of ftp have often kept it as an option in bandwidth constrained environments. But its time will end eventually.

    3. a_yank_lurker Silver badge

      Re: "FTP is an insecure protocol and there are no reasons to prefer it over HTTPS"

      A question occurs: how often do people actually use FTP over other protocols/methods of downloading files? I haven't used FTP knowingly in years and even then usually used an FTP client not a browser. When I have checked my downloads it has been HTTPS for the last several years. So is this a case of Mozilla noticing FTP is used so sparingly that trying to maintain a problematic feature is a waste of time as there are alternatives for the few who actually use FTP?

      1. DougMac

        Re: "FTP is an insecure protocol and there are no reasons to prefer it over HTTPS"

        I use FTP all the time in a variety of forms (if you want to call sftp doing FTP, but also use FTPS quite often).

        Granted, I _never use_ a web browser to do FTP, I have a dedicated FTP client on the various platforms I use. It is extremely handy to move files in and out of disparate environments.

        I wouldn't care if Firefox drops FTP support, if you want to use FTP, use a dedicated client.

        1. A.P. Veening Silver badge

          Re: "FTP is an insecure protocol and there are no reasons to prefer it over HTTPS"

          if you want to use FTP, use a dedicated client

          Or the command line. If you know what you are doing, FTP is a very convenient way to transfer files between an AS/400 and a PC and even more convenient between two AS/400s. Of course, if it is a regular occurrence it pays to set up proper infrastructure, but for ad hoc stuff it is the perfect solution.

          1. Phil O'Sophical Silver badge
            Coat

            Re: "FTP is an insecure protocol and there are no reasons to prefer it over HTTPS"

            but for ad hoc stuff it is the perfect solution.

            What's wrong with Kermit?

            1. Peter Gathercole Silver badge

              Re: "FTP is an insecure protocol and there are no reasons to prefer it over HTTPS"

              Goodness, do people still use Kermit? Its main use, I seem to remember, was as a file transfer tool on things that only appeared to use a CLI terminal connection. I mean, I know that it worked over a network, but there were much better tools.

              The last time I used it was to transfer files from a DEC mini to a BBC Microcomputer.

              Next you'll suggest people use xmodem!

    4. Annihilator Silver badge

      Re: "FTP is an insecure protocol and there are no reasons to prefer it over HTTPS"

      "Sure, FTP is as much insecure as HTTP. So add an S to it just as you did to HTTP and it becomes as secure as well."

      You say that - but do you mean SFTP or FTPS? Two very different things.

      1. LDS Silver badge

        "You say that - but do you mean SFTP or FTPS?"

        I know they are different things. FTPS does work well enough when SFTP is not a choice.

    5. rcxb Bronze badge

      Re: "FTP is an insecure protocol and there are no reasons to prefer it over HTTPS"

      Bolting GOOD encryption, integrity and authentication onto FTP is extremely difficult due to the design of the protocol. You have multiple channels, multiple modes, bidirectional connection establishment, and so much more.

      Why would anybody put the effort into bolting, when SFTP and HTTPS both exist, and both can do the same job, if desired?

    6. kmedcalf

      Re: "FTP is an insecure protocol and there are no reasons to prefer it over HTTPS"

      FTP is not an insecure protocol. It works exactly as designed and has done so for half a century.

      The only reason that FTP is being deprecated from the browser is because the 50 lines of code required to implement FTP have not been changed in half-a-century. Since there is no "fiddle-faddling" the module has been marked as "does not provide meaningful work for code diddlers" and therefore why not delete it?

  2. Joe Drunk
    Trollface

    "FTP is an insecure protocol..."

    http://ftp.mozilla.org/pub/

    1. DrXym Silver badge

      Re: "FTP is an insecure protocol..."

      The clue is in the http://. Presumably somebody couldn't be bothered to change the subdomain name.

  3. This post has been deleted by its author

  4. Pascal Monett Silver badge

    Does that mean that hosted servers are not going to use FTP anymore ?

    I have two hosted servers and I need FTP to update the files and check the local versions. I am, obviously, using a dedicated FTP client to do that, but if everyone is throwing FTP to the dogs, I do hope someone is going to think of a solution because managing my hosted files via a browser would be, I believe, a pain in the neck.

    I rather like LDS's idea of an FTPS. Is there a good reason not to do that ?

    1. Nick Ryan Silver badge

      Re: Does that mean that hosted servers are not going to use FTP anymore ?

      FTP in browsers is download only.

      This doesn't stop a website from generating a directory listing of files allowing them to be downloaded using the browser (non-FTP) or applying whatever management functions they want to these files, including uploading new or updated files.

      FTPS already exists, as does SFTP. I suspect that LDS was suggesting that rather than calling the protocol insecure, compared to HTTP, they could just support secure FTP.

    2. Jamie Jones Silver badge

      Re: Does that mean that hosted servers are not going to use FTP anymore ?

      It's already being done - FTPS already exists.

      However, if you are using an upload/download "file-manager" type FTP client, I'd suggest switching to an SFTP client instead of FTPS. The front ends are basically the same, but use sftp underneath. (If your server's ssh doesn't have sftp-server then most clients can emulate it to some extent using scp under the hood, but you shouldn't have that issue)

      EDIT: Nick got in there before me!

    3. DrXym Silver badge

      Re: Does that mean that hosted servers are not going to use FTP anymore ?

      SFTP, FTPS, FTP over SSH, SCP. It's a mess but there are options. SFTP seems to be the most common secure mechanism because it runs over port 22 and is handled by the SSH server.

      Filezilla would be the most common UI client for doing this although it's not the only one. I use it to upload files to a GoDaddy hosted server this way.

  5. David Pearce

    Use a real FTP client

    Filezilla is my go-to opensource FTP client

    https://filezilla-project.org/

    Actively maintained and still generating a stream of bug fixes to cope with all of those "not quite right" servers

    I can see why pulling an afterthought FTP function from a browser is a good idea.

    It supports FTPS and SFTP as well

    1. Twanky Bronze badge
      Pirate

      Re: Use a real FTP client

      Yep - Use the right tool for the job.

      Also, if you object strongly to FF binning FTP use a different browser. Now get off my lawn.

      1. Anonymous Coward

        Re: Use a real FTP client

        Also, if you object strongly to FF binning FTP use a different browser. Now get off my lawn lan.

        FTFY

    2. Yes Me Silver badge
      Headmaster

      Re: Use a real FTP client

      "I can see why pulling an afterthought FTP function from a browser is a good idea."

      It was not an afterthought. I don't recall for MOSAIC, too long ago, but the code was already in Netscape and I expect that's the origin of the code in Firefox. The ftp: schema is as old as http:. The full set of schemas defined in RFC1630 in June 1994 was:

      http Hypertext Transfer Protocol (examples)

      ftp File Transfer protocol

      gopher Gopher protocol

      mailto Electronic mail address

      news Usenet news

      telnet, rlogin and tn3270 Reference to interactive sessions

      wais Wide Area Information Servers

      file Local file access

  6. jelabarre59 Silver badge

    Add-in

    I suppose if you *really* needed it, there are plenty of FTP extensions for Firefox out there...

    Oh, wait, Mozilla BROKE the extensions API... Never mind.

    (personally, though, a separate application is so much nicer, and more flexible as well)

  7. Claverhouse Silver badge
    Pirate

    Has A Little Blue Seahorse Logo As Well

    I always liked the FireFTP extension by Mime Čuvalo on old Firefox.

    Still use it occasionally.

  8. uro

    No need for ftp in a browser.

    I haven't had the need to use FTP within a browser for a very long time, if Moz can bin the protocol I dare say no end-users would notice and it would free up Moz engineers for other projects.

    I use WinSCP ( https://winscp.net ) for all my SCP/FTP/FTPS/SFTP/S3/WebDav needs, it's open source (GPL-3.0, https://github.com/winscp/winscp ) and is much more user friendly than FileZilla's terribad GUI.

    For example if I log into an SFTP account with WinSCP and then need SSH terminal access I can open a PuTTY instance and login with one click from WinSCP's GUI, whereas FileZilla would mean opening a separate terminal in PuTTY and then logging in there.

    There's a bunch more QoL stuff WinSCP has which FileZilla skipped a beat on, such as master passwords to lock the application and encrypt stored credentials.

    1. Paul Crawford Silver badge
      Facepalm

      Re: No need for ftp in a browser.

      it would free up Moz engineers for other projects

      Really? Just how much time do you think they spend on ftp-related code?

  9. Smartypantz

    Because of MS we are still stuck in the 70's

    The FTP protocol sucks!

    It should not be allowed on the modern Internet.

    The only reason sftp hasn't replaced it, is windows servers. Only way to transfer files to a vanilla Windows box is through this ancient relic of a bullshit protocol (NO, can't install crap on customers server to transfer files! One option: explorer).

    The people who invented this crap should be fined!

    ftps is just as sucky, or even more as no one seems to be able to agree on one way of doing it, AND it depends on the stupid, snakeoil, security of commercial certificate rubberstampers.

    ftp and its insane mess of active/passive transfer, port range bullshit and cleartext everything, can go to hell, as soon as possible, thanks

    1. katrinab Silver badge
      Windows

      Re: Because of MS we are still stuck in the 70's

      If you install the ssh server feature, then scp works on Windows. It is not part of the default install on Windows, but then, it isn't part of the default install on Debian either.

    2. kmedcalf

      Re: Because of MS we are still stuck in the 70's

      Windows does not and never has had RFC compliant FTP, and especially not FTP Server support (which is 50 lines of code embedded in the 400 GB of Ijit Information Services).

  10. Sandtitz Silver badge
    Facepalm

    TFTFY

    Novotny’s explanation for HTTP’s removal is that “HTTP is an insecure protocol and there are no reasons to prefer it over HTTPS for downloading resources.”

    “Also, a part of the HTTP code is very old, unsafe and hard to maintain and we found a lot of security bugs in it in the past.”

    1. doublelayer Silver badge

      Re: TFTFY

      Except that, as browsers go, there isn't much reason to use FTP from a browser but there are a few reasons for HTTP. FTP can only do downloads from a browser, unless the browser has implemented a client for you, but a standard FTP client can better handle the protocol and offer all the options of that protocol to you. HTTP doesn't do uploads or directory management on its own and is mainly useful for web servers. FTP is unneeded for downloads but can potentially be useful for uploads (and if you're using it for uploads, it can provide some downloads while you're at it). HTTP is needed for downloads of webpages from things like routers which will likely not secure their internal pages (and if they do they'll use a self-signed certificate because there's potential that you can access that page but cannot access the internet). I don't think the protocols are similarly worrisome.

      1. bazza Silver badge

        Re: TFTFY

        And to add to that, once the ‘S’ part of HTTPS is set up, it’s just ‘HTTP’ inside. So that part of the code base has to be maintained anyway, so it may as well be available for the use cases you’ve outlined too.

  11. Anonymous Coward

    Graphical FTP is for n00bs. Real Beardies (tm) still use the command line FTP client at 2400 baud.

    1. Goobertee

      Real Beardies

      The REAL Beardies do their command line stuff in hex--on the fly.

      1. harmjschoonhoven

        Re: Real Beardies

        The REAL Beardies do their command line stuff in hex--on the fly as root. FTFY.

      2. Anonymous Coward

        Re: Real Beardies

        Shirley the REAL Beardies use butterflies, no?

      3. Lunatic Looking For Asylum

        Re: Real Beardies

        Yeah, but us smart clean shaven dudes use rsync.

    2. bazza Silver badge

      Of course we use a 2400baud terminal, if we’re in a hurry. No sense things happening fast; what you need is for one command to run for the time it takes to get to the pub and back.

      1. Anonymous Coward

        Brew our own, surely.

  12. This post has been deleted by its author
