Firefox 60 with new preference to disable FTP

Martin Brinkmann
Feb 20, 2018
Updated • Feb 20, 2018
Firefox
|
34

Mozilla plans to release Firefox 60 with a new preference to disable support for the FTP protocol. The preference is disabled by default so that FTP sites can still be accessed in Firefox 60.

FTP, just like HTTP, is on its way out. Browser makers, site operators and hosting companies move to newer protocols that support encryption among other things to better protect user data against spying and manipulation.

The next step in the migration from HTTP to HTTPS is the flagging of HTTP sites as insecure in browsers. Google Chrome will do so in Chrome 68, and Mozilla plans to launch it in the Firefox private browsing mode when Firefox 60 is released.

FTPS, also known as FTP Secure, or FTP over SSL, is an extension to the FTP protocol.While most browsers support the FTP protocol, the same cannot be said for FTPS support.

Mozilla, for instance, never implemented the functionality officially in Firefox. In fact, the organization put the FTP protocol on life support more than 2 years ago when it began to resolve security issues exclusively.

Mozilla employe Patric McManus highlighted as much two years ago on Mozilla's official bug tracking site.

We are in a period where ftp is clearly deprecated and in general, making changes to the code is riskier than letting it ride unless there is a patch and reviewer available to make a good judgment about it. So I'm going to wontfix ftp bugs related to enhancements, interop errors, etc.. We will be better off putting our energy into including a different js based ftp stack.

We ran a story back in 2015 that Google and Mozilla might drop support for the FTP protocol in the future.

While Mozilla has not set a date for the removal of the protocol yet, it is a given that Firefox will stop supporting the protocol at one point in time.

The first step towards the goal is the introduction of a new Firefox preference to disable the FTP protocol in the browser. The preference network.ftp.enabled is set to true which means that it has no effect on protocol support at this point in time. Firefox users and administrators who want to disable FTP can do so by setting it to false.

  1. Make sure you run Firefox 60 or newer.
  2. Load about:config?=network.ftp.enabled in the Firefox address bar.
  3. Double-click on the preference to set it to false. This disables the FTP protocol in Firefox.

You can reset the preference at any time by double-clicking on it or right-clicking on it and selecting "reset" in the context menu.

Firefox redirects any attempt to load a FTP resource to the default search engine if the FTP protocol is disabled.

Closing Words

I'm worried about sites that do get left behind once browser makers decide to block HTTP or FTP. Not all sites or servers will be migrated, abandoned sites may not for instance, and it is unclear to me whether there will still be options to access these resources in future versions of the browsers.

Granted, it will take years before Mozilla, Firefox or Microsoft pull the plug but as it stands now, that day will come.

Now You: What's your take on this? (via Sören)

Related articles

Summary
Article Name
Firefox 60 with new preference to disable FTP
Description
Mozilla plans to release Firefox 60 with a new preference to disable support for the FTP protocol. The preference is disabled by default so that FTP sites can still be accessed in Firefox 60.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Tutorials & Tips


Previous Post: «
Next Post: «

Comments

  1. Clairvaux said on February 22, 2018 at 10:36 pm
    Reply

    Funny we don’t hear those arguments against X-Foxes here very much :

    https://www.howtogeek.com/335712/update-why-you-shouldnt-use-waterfox-pale-moon-or-basilisk/

    1. Kossan Nyx said on February 24, 2018 at 4:28 pm
      Reply

      And speaking about tolerance:

      Welcome Mozilla to the fascist side of the spectrum!

      https://twitter.com/mozilla/status/966029134001557504

    2. John Fenderson said on February 24, 2018 at 12:31 am
      Reply

      @Clairvaux

      That’s a pretty poor set of arguments against the forks.

      1. Kossan Nyx said on February 24, 2018 at 3:47 pm
        Reply

        @John Fenderson

        As said.. buzzwords.

        How to silent unwanted opinions and finding an argument for restricting the features and enforcing a branding/corporate design and corporate identity philosophy onto your project?

        Something Mozilla has NO right at all to enforce, as it is against ALL philosophical and moral aspects of Open Source in general!

        Simple… enter a CoC (code of conduct) and scream:

        “Security!”

        or

        “Our users are too stupid to handle this!”

        and.. the most powerful one…

        “Telemetry!”

        as it is happening now with userchrome.css

        Only totally corrupted and commercialized Open Source developers would do something like that. Btw. there are some Linux flavors too who fall into the list of to the very core of commercialized corrupted one’s.

    3. Kossan Nyx said on February 23, 2018 at 12:37 pm
      Reply

      Hmm.. oh that choice.. so called “unsecure” forks like Brave Browser, Otter-Browser, Vivaldi, Pale Moon, Basilisk – and on the other side a cheap concept-clone of another browser called Firefox.

      Well, the choice is simple, never had a security incident since 2013 with Pale Moon or Vivaldi as secondary browser. So Mozilla can go to hell with their Chrome addiction fetish!

      As usual security is used in typical buzz-word argument ways to justify the usage of a pathetic pseudo-Open-Source browser, which developers are is self-centered, only interested in competing with Chrome no matter what – number focused instead of quality focused – anti-choice, anti-customization – and only interested in their new reputation/branding/corporate design/corporate identity vision. Also known as: “Hands off our UI, it is a recognizable trademark, you shall not be allowed to modify it in any way”

      A vision which next future target will be userchrome.css

      Mozilla are just pure moronic idiot devs!

  2. o_O said on February 21, 2018 at 8:21 pm
    Reply

    Sad! It is not bad to have FTP support, this is lame move to reduce basic functionality.

  3. Kossan Nyx said on February 20, 2018 at 11:09 pm
    Reply

    Google Chrome plans to do something first, Mozilla, Google’s willing moronic pet will follow.

    First their crusade against UI customization because of branding reasons and now the war about old good protocols.

    That guys have seriously lost their minds. Moronic bunch of numb-nuts…

    There is nothing much left of the once user and user-needs centered Mozilla. Oh, not true. They are still user-centered… Google Chrome-user centered :D

    1. Pls said on February 21, 2018 at 10:40 am
      Reply

      Dropping support for FTP in years from now is like dropping support for Windows XP. Everyone’s gonna do it, it’s not a Google/Mozilla issue, the move has actually started already.

      I swear, anything will do to draw shitty conclusions in a terrible display of confirmation bias.

      1. Paul's Dad. said on February 21, 2018 at 5:35 pm
        Reply

        Not when that confirmation has been given time and again for the last 10 years.

      2. Kossan Nyx said on February 21, 2018 at 4:42 pm
        Reply

        Mozilla does react only because Google does it first. FTP is neither outdated or bad, same like IRC is not outdated and not bad.

        Only simple users can’t understand the meaning of terms like that. And because Mozilla is simple users only these days, everything complex does indeed have no place in their new vision of how things should be.

        So, indeed Mozilla is a lame Google follower… or minion.. or pathetic shill – Earlier Mozilla – if they still would exist – would have been proudly acknowleding the concept of more power to the user instead of what today’s Mozilla is after – more conformity to the user.

        Mozilla today is the worst offender who is dragging the concept of Open Source into the dirt. The corpse smells already worse than simply being rotten.

        Mozilla of today is anti-choice, anti-customization – and only their reputation/branding/corporate design/corporate identity madness is of value.

        Mozilla of today are self-centered assholes who only are living to compete with Google Chrome for the users instead of valuing and honoring their power users who they are willingly abandoning for their new “greater goal”

  4. Richard Moore said on February 20, 2018 at 3:31 pm
    Reply

    “Browser makers, site operators and hosting companies move to newer protocols that support encryption among other things to better protect user data against spying and manipulation.”

    You can use NSA-grade encryption, but the people will be always fooled with scam sites and phishing. It’s not about encryption, it’s about the low IQ from users. You can not protect users from themselves with RSA-4096.

    1. Anonymous said on February 20, 2018 at 9:30 pm
      Reply

      Those low IQ users yeah, like these Belgacom engineers who were hacked by GCHQ with a fake LinkedIn.

      1. John Fenderson said on February 21, 2018 at 11:02 pm
        Reply

        As Scott Adams once observed: all of us, without exception, are complete idiots in the right circumstances.

  5. AnorKnee Merce said on February 20, 2018 at 2:28 pm
    Reply

    From Wikipedia; … “FTP is built on a client-server model architecture and uses separate control and data connections between the client and the server.
    FTP users may authenticate themselves with a clear-text sign-in protocol, normally in the form of a username and password, but can connect anonymously if the server is configured to allow it.
    For secure transmission that protects the username and password, and encrypts the content, FTP is often secured with SSL/TLS (FTPS). SSH File Transfer Protocol (SFTP) is sometimes also used instead; it is technologically different.”
    .
    .
    Every once in awhile, I need to download a free Linux ISO file from the Linux distro’s server through FTP, anonymously without any username and password.
    ……. AFAIK, in my case, an MITM attack, eg to insert malware, can only be done by a hacker on my Home network = quite impossible to happen.
    ……. But in the case of a public Wifi network or company Internet network or Cloud network, an MITM attack by a hacker on the same network is quite possible over FTP = such networks should be secured.

    Usually, it is the downloading and use of paid(= non-free) web-based software programs, eg Office 365, iTunes, iCloud and online games, that require username, password and a secure FTP Internet connection.

    Secure FTP, eg FTPS, will complicate certain use-cases, eg using the Command-line to install free programs from the Internet.
    ……. This is similar to Newbies who foolishly use Disk encryption, later something goes wrong and could not recover their data(= did not do data backups) except to do an OS reinstall. Imagine OS tech companies imposing Full Disk encryption for everybody in the name of security = Nanny-companies or Big Brother.

    It is foolish for tech companies to ban or abolish FTP. Some users and web-servers have no need for secure FTP. Others can opt for secure FTP, eg FTPS. There should be freedom of choice for the users = optional.

    1. AnorKnee Merce said on February 20, 2018 at 7:05 pm
      Reply

      AFAIK, a secure or encrypted Internet protocol is needed for usernames/passwords(= to login), financial credentials(eg credit cards) and against MITM attacks from within a vulnerable network. Otherwise, it is not needed, eg a website that only offers news, information, tutorials, blogs, download of free programs/ISO files, etc.

      Encryption slows down data flow and increases the size of the data files = users have to buy more expensive computers or servers and Internet bandwidth.

      1. Jessica said on February 20, 2018 at 8:21 pm
        Reply

        > Otherwise, it is not needed, eg a website that only offers news, information, tutorials, blogs, download of free programs/ISO files, etc.

        https://www.troyhunt.com/dont-take-security-advice-from-seo-experts-or-psychics-neil-patel/

        > Encryption slows down data flow and increases the size of the data files = users have to buy more expensive computers or servers and Internet bandwidth.

        https://istlsfastyet.com/

        Just demystifying HTTPS here :)

      2. AnorKnee Merce said on February 20, 2018 at 10:02 pm
        Reply

        @ Jessica

        Quoting from your istisfastyet link …

        “The process of establishing and communicating over an encrypted channel introduces additional computational costs. First, there is the asymmetric (public key) encryption used during the TLS handshake. Then, once a shared secret is established, symmetric encryption takes over.”
        .

        Quoting from mozdotcom …

        ” There are 2 areas of TLS that can harbor performance problems:

        Encrypting the data. Data sent back and forth between visiting web browsers and your web server must be encrypted and decrypted. If not configured properly, your page load times can become much slower than unencrypted traffic.
        Establishing a secure connection. There are several steps that must occur before a browser establishes a secured connection to your website: identities must be confirmed, algorithms must be selected, and keys must be exchanged. This is known as the TLS Handshake, and it can have a significant impact on your site performance.
        _ _ _ _ _ _ _

        Even though advances in modern high-end computer hardware has made the use of TLS encryption on the Internet non-prohibitive, there is no necessity to use such encryption when not needed. Similarly, Disk encryption is not needed for some home-desktop-users.

        Mahatma Ghandi said, “A nation’s greatness is measured by how it treats its weakest members.” = “… how it treats its low-end computer users”.

      3. Jessica said on February 20, 2018 at 11:30 pm
        Reply

        Regarding the “Is TLS Fast Yet?” quote, I’ll refer you to their paragraph immediately afterwards.

        As to Moz, you fell into the trap of following security advice from so-called SEO experts, which is what my first link is warning about!

        Yes, there can be performance issues if a server is not properly configured but that has nothing to do with HTTPS as there are a myriad of other possible causes for those problems.

        Encryption is needed everywhere, your ISP is able to inject (and some already are doing so) JavaScript onto every nonsecure HTTP site you visit just because it can.

      4. AnorKnee Merce said on February 21, 2018 at 9:11 am
        Reply

        @ Jessica

        No. Encryption is not needed everywhere.

        Fyi, even M$ uses “insecure” HTTP to download and install updates through Windows Update and Update Catalog.

        Fyi, even HTTPS is also vulnerable to malware injection through Javascript.

        Fyi, nothing can prevent foolish users from infecting themselves with malware through being phished, scammed, MITM-attacked, torrenting pirated contents, etc. This includes security updates, AV programs, HTTPS, FTPS, Disk encryption, Secure Boot, Win 10 S, iOS(= Jennifer Lawrence’s leaked nude pics), etc.

        It should be left as a user-choice whether they want to use the above protection methods for their computer security, and not forced on the users by dictatorial tech companies.

      5. Jessica said on February 21, 2018 at 11:32 am
        Reply

        HTTPS being imperfect is not a valid reason against using it. Nothing is perfect but security is a multi-layered process.

  6. Anonymous said on February 20, 2018 at 2:07 pm
    Reply

    Mozilla employe […] “We are in a period where ftp is clearly deprecated and in general,”etc…
    JMHO […] “We are in a period where Firefox is clearly deprecated (data collecting, telemetry, customization, apicaca etc) and in general, each year regularly losing more users”.

    1. Anonymous said on February 20, 2018 at 9:27 pm
      Reply
  7. Faust said on February 20, 2018 at 1:56 pm
    Reply

    Tomorrow: Mozilla releases new version of Firefox, now you can’t go on any website, but you’ll click one of these 20 buttons to access Facebook/Twitter/Instagram/Whatsapp and some others social media, and nothing more (because we detect the vast majority of users just enter on trendy social sites).

    1. Paul's Dad. said on February 20, 2018 at 5:28 pm
      Reply

      Mozilla representative quoted as saying “We felt disabling access to websites that are used by less than 1% of our users was better, both in terms of security and performance, and we feel our browser and our users will benefit in the long run”.

      1. John Fenderson said on February 20, 2018 at 6:49 pm
        Reply

        I have to admit — that Mozilla feels fine with disabling access to internet service just because they aren’t widely used is a bit disturbing. Not surprising, given that Mozilla has apparently decided that it’s their role to enforce what people can and can’t do on the internet, but disturbing.

        This whole trend bothers me greatly. I’ve been a huge supporter of Mozilla since the beginning, both in terms of evangelizing and in terms of giving money to them. However, this paternalistic streak that they’ve acquired is making me increasingly question my support of them. Not in terms of the browser — I’ve already pretty much given up on that — but in terms of the organization as whole.

      2. Anonymous said on February 20, 2018 at 9:25 pm
        Reply

        *Everyone is deprecating FTP, your lens is way too narrowly focused.

      3. Anonymous said on February 21, 2018 at 10:36 am
        Reply

        It’s like complaining about a software that removes support for Windows XP.

  8. Xahid said on February 20, 2018 at 1:19 pm
    Reply

    But Why?
    I can understand about HTTP fuss, but FTP?
    if some one created non secure ftp server, its usually not for public or even if shared with public usually have limited access (ie download only)
    even tho, there are lot of ftp clients but removing the basic feature from browser is negative point IMO.

    1. John Fenderson said on February 20, 2018 at 5:06 pm
      Reply

      While not as bad as the venerable Telnet, FTP is not secure and its continued use is discouraged. Even if an FTP site is set up with limited access, there remains security problems that include privilege escalation. It is possible to set up an FTP server in a way that reduces the risk (in a chroot jail, for instance), but it’s better to simply not use it — particularly since there are a number of better options.

      To be clear, the security risk is on the server side, not the client side.

  9. Sören Hentzschel said on February 20, 2018 at 10:23 am
    Reply

    Hi Martin,

    > FTPS, also known as FTP Secure, FTP over SSL, or SFTP, is an extension to the FTP protocol.While most browsers support the FTP protocol, the same cannot be said for FTPS support.

    This sentence sounds like FTPS and SFTP is the same, but FTPS and SFTP are different things. SFTP is based on SSH, FTPS is not. ;)

    1. Martin Brinkmann said on February 20, 2018 at 12:32 pm
      Reply

      Sören you are right of course, not sure how that slipped in there.

  10. jupe said on February 20, 2018 at 10:09 am
    Reply

    FTP support in a browser I don’t think I have used for years, so if they want to remove it I am not fussed, also I don’t see a need for all this marking sites as unsecure if they are HTTP, if the site doesn’t require a login etc. what does it matter…it doesn’t to me at least.

    1. Jessica said on February 20, 2018 at 5:11 pm
      Reply

      HTTPS encrypts the data in transit, it has nothing to do with personal data itself but with preserving the integrity of the data exchanges between the client and the origin server, assuming such a connection is direct like that, which is not always the case either as many sites today use edge servers in between for things like CDNs so the connection might only be encrypted between the client and the edge server.

      It is inherently secure but not inherently safe.

  11. Stefan said on February 20, 2018 at 9:51 am
    Reply

    With everything good removed we soon will have browsers that won’t let us go online anymore…. (sarcasm)

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.