Mozilla permanently ended support for the FTP protocol with the release of Firefox 90 to eliminate security issues associated with it, including the transfer of data in clear text.

Mozilla released Firefox 90 last week, effectively ending FTP connections through the browser. This news is not surprising, since Mozilla had been announcing its intention to remove FTP support for several years. It did so step by step: first by disabling FTP by default in version 88, then by removing the implementation in the latest version. Mozilla said this week that the decision was prompted by the need to make the browser more secure, including eliminating the highest security risk of FTP: the transfer of data in clear text.

FTP (File Transfer Protocol) is a way to connect two computers to facilitate the transfer of files between two or more points. To put it simply, it is the means by which files are shared between parties. According to Mozilla, although this standard protocol has been supported by all major browsers since its inception, today it is one of the oldest protocols still in use and at the same time suffers from a number of serious security issues. In a blog post on Tuesday, the company explained that this is one of the reasons behind its removal from Firefox.

Mozilla explained that the biggest security risk is that the FTP protocol transfers data in the clear, which allows cybercriminals to steal, spoof and even modify transmitted data. To date, many malware distribution campaigns launch their attacks by compromising FTP servers and downloading malware to an end user’s device using the FTP protocol. In addition, Mozilla’s position is supported by several names in the industry who agree that the FTP protocol was never designed to be secure.

It is generally considered an insecure protocol because it relies on clear-text user names and passwords for authentication and does not use encryption. Data sent over FTP is vulnerable to sniffing, spoofing, and brute-force attacks, among other basic attack methods. In practice, there are several common approaches to overcoming these challenges and securing the use of FTP. For example, the FTPS protocol (File Transfer Protocol Secure) is an extension of the FTP protocol that allows connections to be encrypted at the request of the client.

Transport Layer Security (TLS), Secure Sockets Layer (SSL), and the SSH File Transfer Protocol (also known as Secure File Transfer Protocol or SFTP) are often used as more secure alternatives to FTP because they use encrypted connections. Thus, the high security risk, the age of the protocol, and the existing alternatives have encouraged browser vendors such as Google and Mozilla to abandon support for it. Mozilla confirmed its intention in March 2020, about a year after Google said it would remove the FTP implementation in Chrome 82.
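The clear-text problem described above is easy to see on the wire: unless a session first upgrades to TLS (the explicit FTPS "AUTH TLS" exchange, answered by a 234 reply), the USER and PASS commands cross the network as plain text, and a PORT command additionally asks the server to open a connection back to the client. The following is an added example, not code from the article or from Mozilla, that a defender could run over captured FTP control-channel lines to flag such sessions. The log format ("<client> C>|S> <payload>") and the sample lines are constructed for this example.

```python
"""Flag clear-text FTP logins and active-mode sessions in captured control-channel lines.

Added example; the "<client> <direction> <payload>" log format is an assumption
made for this demonstration, not a real capture format.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Session:
    client: str
    tls_started: bool = False        # server answered AUTH TLS/SSL with a 234 reply
    user: Optional[str] = None
    cleartext_password: bool = False  # PASS sent before any TLS upgrade
    active_mode: bool = False         # PORT seen: server connects back to the client


def analyze(lines: List[str]) -> Dict[str, Session]:
    """Group control-channel lines by client address and record weak behaviour.

    Direction "C>" is client-to-server, "S>" is server-to-client. Once a
    session has switched to TLS, later commands would be encrypted and never
    appear in a capture, so anything seen after that point is ignored here.
    """
    sessions: Dict[str, Session] = {}
    for raw in lines:
        parts = raw.strip().split(maxsplit=2)
        if len(parts) != 3:
            continue  # skip malformed or empty lines
        client, direction, payload = parts
        session = sessions.setdefault(client, Session(client))
        if session.tls_started:
            continue

        if direction == "C>":
            cmd, _, arg = payload.partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                session.user = arg
            elif cmd == "PASS":
                # No TLS upgrade happened first: the password is readable by any sniffer.
                session.cleartext_password = True
            elif cmd == "PORT":
                session.active_mode = True
        elif direction == "S>" and payload.startswith("234"):
            # 234 is the positive reply to AUTH TLS/SSL; the channel is now encrypted.
            session.tls_started = True
    return sessions


def clear_text_logins(lines: List[str]) -> List[str]:
    """Return the client addresses whose password was sent in clear text."""
    return sorted(c for c, s in analyze(lines).items() if s.cleartext_password)


def report(lines: List[str]) -> List[str]:
    """Human-readable findings, one line per weak session."""
    findings = []
    for client, s in sorted(analyze(lines).items()):
        reasons = []
        if s.cleartext_password:
            reasons.append(f"clear-text password for user {s.user!r}")
        if s.active_mode:
            reasons.append("active mode (PORT) lets the server connect back to the client")
        if reasons:
            findings.append(f"{client}: " + "; ".join(reasons))
    return findings


# Constructed sample capture: one plain FTP login and one explicit-FTPS login.
SAMPLE_LINES = [
    "10.0.0.5 S> 220 Welcome",
    "10.0.0.5 C> USER alice",
    "10.0.0.5 C> PASS hunter2",
    "10.0.0.5 S> 230 Login successful.",
    "10.0.0.5 C> PORT 10,0,0,5,4,1",
    "10.0.0.9 S> 220 Welcome",
    "10.0.0.9 C> AUTH TLS",
    "10.0.0.9 S> 234 Proceed with negotiation.",
    # 10.0.0.9's USER/PASS now travel inside TLS and never appear in a capture.
]

if __name__ == "__main__":
    for line in report(SAMPLE_LINES):
        print(line)
```

Only the plain session is reported; the session that negotiated TLS before authenticating shows nothing sensitive, which is the difference between FTP and FTPS that the article's alternatives paragraph is pointing at.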

For its part, Mozilla disabled the FTP protocol by default in Firefox 88 in April, and Firefox 90, released last week, no longer supports the FTP protocol at all. Mozilla explains that if you are a Firefox user, you don’t have to do anything to benefit from this “breakthrough” in security. According to the Mozilla blog post, when Firefox automatically updates to version 90, users will be protected against attacks using the unsecured FTP protocol. These attacks are now rendered ineffective since the FTP protocol is no longer supported.


“In keeping with our intention to remove the unsecured HTTP protocol and increase the percentage of secure connections, we have decided, like other major web browsers, to no longer support the FTP protocol. Removing FTP brings us one step closer to a more secure web that is on the way to becoming HTTPS-only. Modern automatic upgrade mechanisms such as HSTS or Firefox’s HTTPS-Only mode, automatically upgrading any connection to become secure and encrypted, do not apply to FTP,” Mozilla explains.

Moreover, while some have welcomed the news, Mozilla’s move does not seem to have won over all Firefox users. One comment on the topic explains that browsers with FTP support are more useful and user-friendly than FTP clients. “FTP has been linked to browsing the web since the beginning of the web 31 years ago. For maybe a decade most of the web was on FTP servers – not just most software downloads, but most HTML pages as well,” wrote one person who was not entirely thrilled with the news of the removal.

“Web browsers provide a much better interface to FTP servers than dedicated FTP clients, because you can click a link in an HTML page (either a statically generated directory, possibly on the FTP server itself, or a web page’s dynamically generated search results) and get the file from the FTP server,” he added. According to him, the FTP client of your choice is absolutely useless if it cannot render HTML and the ftp:// link points to an HTML file. For him, rather than removing FTP support, Mozilla should have considered ways to secure it.

“The basic idea of the Web was actually to provide a universal and uniform interface to all information on the Internet, regardless of the protocol. The abandonment of Gopher might have been reasonable, there just aren’t that many Gopher servers, but FTP is still a widely used protocol. In other words, it is a compromise between the traditional view of the Web as a vast library, in which human knowledge accumulates over time and becomes accessible to all, and the view of the Web as a way to sell people things they don’t need.”

“This approach is like burning a wing of the library (or, at least, its card catalog) because it was not profitable enough. Or because people keep getting mugged there, I guess. This kind of intentional feature regression is precisely the sort of thing I use free software to avoid,” he added. He is supported by another who expresses himself in these terms: “I would just like to add to this that FTP is a relatively simple protocol, not particularly complicated to implement.” Removing FTP support from Firefox was also a “bad” idea, he said.

“This is not a constantly fluctuating standard that requires a team of 50 developers to keep pace. Support for FTP is not a big technical challenge. The code has been in the Firefox code base for almost 20 years and works flawlessly. All you need to do to continue supporting FTP is nothing at all. If having the small amount of code for the FTP support makes your job really difficult, it seems to me that you are not very good at your job,” said the latter.

“I also find the alarmist language to be incredibly vague and nonspecific; ‘but security!’ is pretty hyperbolic, a repeat of the borderline lies that Mozilla peddled when they decided to drop XUL for web extensions,” he added. One person who thinks Mozilla’s move is entirely justified responded to the previous comment by stating, “Some parts are, sure, but others are an absolutely horrible sight (the client opens a port, then the server reconnects), text conversion and binary modes which are based on ASCII, different list formats, etc.”

“It’s not great. Worse, it doesn’t support good things like implicit TLS extensions. Continuing to support the FTP protocol means continuing to defend an attack surface that is implemented in 20 year old code, to provide functionality that will not be used by the majority of people in 2021. This is a cost-benefit analysis. I want Mozilla to do more. If they think removing the FTP support allows them to do more, I totally agree,” he added.