Firefox 90 won't handle FTP sites anymore
Mozilla announced today that its Firefox web browser won't support the FTP protocol from Firefox 90 onward. It was clear that FTP support would be removed from the browser, but it was not clear until today when that would happen.
Rumors about the removal of FTP support in Firefox and Chrome emerged back in 2015, but it took Mozilla until 2018 to introduce a preference in the browser that would disable FTP support.
Confirmation that FTP support would be removed from Firefox came in 2020. Mozilla planned to remove support in Firefox 77 at the time, but postponed the removal. Meanwhile, Google has already removed FTP support from its Chrome browser.
Mozilla published a deprecation timeline on the organization's Addons blog. According to the information published there, FTP support will be turned off by default in Firefox 88.
Firefox displays a prompt when a user attempts to load an FTP address. Installed FTP programs are displayed in the list, but if there are none, the list will be empty. Firefox users who need to access FTP resources may want to check out WinSCP, and make it the default FTP handler in the browser.
Firefox 88 is scheduled for a release on April 19, 2021.
Restore FTP in Firefox 88 and 89
FTP code is not removed in Firefox 88, and users may flip a preference to restore FTP support in Firefox 88 and 89. Mozilla will remove FTP entirely when Firefox 90 is released later this year.
- Load about:config in the Firefox address bar.
- Confirm that you will be careful.
- Search for network.ftp.enabled.
- Set the value to TRUE by double-clicking on the line, or with a left-click on the toggle icon.
Firefox will open FTP resources again when the value is set to TRUE. This works until Firefox 90, as FTP code will be disabled completely in that release.
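As an added example (not from the article or from Mozilla), the version timeline and preference described above can be checked per profile with a short Python script. It assumes the usual `user_pref("name", value);` line format of prefs.js and user.js, that user.js overrides prefs.js, and that FTP was on by default before Firefox 88; the function names and sample file contents are constructed for illustration.

```python
import re

PREF = "network.ftp.enabled"

# Matches uncommented boolean lines such as: user_pref("network.ftp.enabled", true);
# Lines starting with // are skipped; /* ... */ block comments are not handled.
PREF_LINE = re.compile(
    r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false)\s*\)\s*;', re.MULTILINE
)

# Constructed sample of a profile's prefs.js after the about:config toggle.
SAMPLE_PREFS_JS = (
    'user_pref("browser.startup.page", 3);\n'
    'user_pref("network.ftp.enabled", true);\n'
)


def read_bool_pref(text, name):
    """Return the last boolean value set for `name` in a prefs file, or None."""
    value = None
    for key, raw in PREF_LINE.findall(text):
        if key == name:
            value = raw == "true"
    return value


def ftp_state(major_version, prefs_js="", user_js=""):
    """Classify FTP handling for one profile: 'enabled', 'disabled' or 'removed'."""
    if major_version >= 90:
        # From Firefox 90 on, the preference no longer restores FTP.
        return "removed"
    # Assumption: user.js is applied on top of prefs.js at startup, so it wins.
    explicit = read_bool_pref(user_js, PREF)
    if explicit is None:
        explicit = read_bool_pref(prefs_js, PREF)
    if explicit is None:
        # No explicit setting: the default flips to off in Firefox 88.
        explicit = major_version < 88
    return "enabled" if explicit else "disabled"


if __name__ == "__main__":
    for version in (87, 88, 89, 90):
        print(version, "default:", ftp_state(version),
              "| with preference set:", ftp_state(version, SAMPLE_PREFS_JS))
```

A profile reported as `enabled` on Firefox 88 or 89 is one where plain, unencrypted FTP has been switched back on.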
Closing words
FTP support was not all that great in any browser, as lots of functionality was missing. Browsers only supported the standard FTP protocol but not secure protocols such as FTPS. FTP programs were always the better choice, but it was still handy to browse FTP resources in the browser of choice.
With FTP support being removed, or already removed, browsers cannot be used for that anymore.
Now You: do you access FTP resources regularly?
FTP in Firefox works fine here if I just delete the “FTP” in the address bar
Excellent, now downloads don’t work on sites that use FTP for them.
Truly brilliant. Now I need to open Chromium and copy and paste those links into it for every FTP download.
Such a strange thing to fully deprecate… I’d somewhat understand deprecating the browsing of FTP directories, but they straight up deprecated even downloading a single file from one.
Lynx works fine XD
Firefox is just Chrome at this point.
I always use ftp whenever I have to transfer files between my phone and laptop. I do that regularly.
I just had to download filezilla on a laptop that I was refurbishing so I could download a driver from HP’s ftp site. Why should that even be necessary? can’t chrome/firefox just let me download a zip file?
I give a flying F if the connection is encrypted or not.
I’m a computer pro and think the whole “https everywhere” is overblown. I also give a flying F if someone eavesdropped my connection to a news site and saw I read a story about truck that fell off a bridge – who cares?
What seems to be missing here is a distinction between anonymous ftp and “authenticated” ftp. The latter (authenticated) is generally a bad idea indeed, because passwords are sent unencrypted over the network. However, anonymous ftp (the one you typically use when downloading something from a public repo) isn’t so bad. Yes, the protocol is ancient, yes firewalling is a bitch (because of the use of a separate ports for control and data streams). But in essence anonymous ftp is no different from http. I.e. a plaintext tcp protocol, well suited for transferring non-privacy-sensitive data. Perhaps this move from mozilla will force maintainers of ftp download sites to switch to http(s). In that case the end outcome could be good (eradication of the need for any form of ftp, both anonymous and authenticated). But in the mean time it is going to hurt somewhat for some people.
Mozilla continues to destroy FTP (alongside with other browsers not only in Firefox) making communities can’t miss them, in favor of against FTP alongside with FTPS/SFTP and other FTPs was very no sense to visit website with FTP-only.
Wrong decision. And for the ignorant hunter, Yes I read all. No I disagree.
It’s probably best to use relatively clean software instead of a Mozilla malware to do that anyway.
Preferable to other browser malware any day.
I use ftp daily to download single Excel files from a science web site.
Plain ftp? Clearly the site is run by amateurs who know or care nothing about security.
“Security”?? What in the world are you talking about?
Anonymous, why would you need to encrypt an Excel file from a science website?
Ftp in transit is just data, if the checksums pan out, its not needed to be encrypted, personalized and crammed with exploits due to eternally insecure by design effing crypto.
heartbleed never affected ftp, but ssl. Ssl and derivatives collect insecurity and will always be exploitable.
There is literally no technology being it hardware or software that is not exploitable, its impossible to design secure anything that cant be exploited in some way.
The worst is that when exploits are found most manufacturers dont give a hoot so they wont fix their hardware or software, especially if its EOL.
So not even encrypted data is secure. End of story, just read security news and look at the CVEs that pile up by the dozens
File Transfer Protocol (FTP) is an error-free, session-orientated protocol that uses TCP ports 20 and 21. Other similar protocols include TFTP (Trivial File Transfer Protocol) and SFTP (SSH File Transfer Protocol).
The main reason standard FTP can be considered “insecure” is because it doesn’t encrypt usernames or passwords; it sends them in clear text, i.e. plain text thus authentication and does not use encryption.
Someone who sniffs your mail server might read your private mail, but someone who sniffs your FTP password can deface your website, etc. The files themselves are uploaded or downloaded without any encryption at all. There are also other risks with the transferred data “straying”, etc.
Data sent via FTP is vulnerable to sniffing, spoofing, and brute force attacks, among other basic attack methods. Files are not only sent in plain text they are also not protected against “modifications” such as Man-in-the-middle attack.
FTP was NOT built to be secure.
I’ll occasionally use SFTP, but it’s probably been around 10 years ago since I’ve had to use the FTP protocol.
I fully agree with everything you said, also no one is working on the protocols anymore, so you could still implement secure credential transfer to the FTP protocol if it was worked on.
Firefox never supported full FTP support in any case, and only someone that uses passwords like password or 12345678 uses FTP to manage any of their sites.
in any case any data in flight is always vulnerable to any form of attack.
Point being there should be a simple way to download files from a ftp server without having to install a full desktop app anyway, no one on their right mind would use the browser to manage their sites via FTP either.
that said, if you think of how stupid people are, then realize they are even more stupid than you first thought, so anything goes anyway.
This article could be greatly improved if it explained *why* they are deciding to remove FTP support.
Personally, I find being able to quickly browse a FTP site via Firefox to be very handy. Also downloading a file here and there (especially readme files) is very nice. If they proceed with removing the code, I’ll definitely miss being able to do these things.
I wonder why they are currently planning on removing the code. It works well, and regular old FTP hasn’t changed in any way that will prevent the code from continuing to work, so they don’t need to spend any money on development to keep the current useful functionality.
Without understanding the reasoning involved (and none are provided in this article), it seems like a poor decision that will obviously reduce Firefox’s current functionality.
In short: FTP is insecure, too much work to add FTPs and little gain, better programs out there, therefore, bye bye.
FTP was designed to be a simple and quick way to publicly distribute binaries. It’s not secure because it doesn’t have to be. Anyone who extensively uses FTP already knows this. If they actually wanted security they’d use FTPS or SFTP. Different tools for different use cases.
Plus I don’t buy the whole “we’re removing it for security” angle. They would remove a low risk factor (FTP) but still allow the browser to natively open PDFs (a high risk factor)?! There are better programs for opening PDFs so why not remove PDF compatibility “for security reasons”? Their logic falls apart because of this.
You keep repeating this point beemeup5, but what exactly in your opinion are these “better [i.e. more secure] programs for opening PDFs” that are guaranteed to be present on systems in addition to FF itself?
I made that point to mock the logic of those who removed FTP.
What are these “better [i.e. more secure] programs for browsing FTP sites” that are guaranteed to be present on systems in addition to FF itself? You see, I changed a few words and now it goes both ways. The excuses Mozilla makes for removing FTP don’t hold up to scrutiny.
My main point of how FTP was designed to be public and unencrypted still stands. Security is not an issue. At most Mozilla could just disable the feature by default and leave it alone, but now they decide to remove it entirely, likely because Chrome did it earlier.
One of the best FTP/FTPS/SFTP standalone programs FlashFXP is no longer developed, because developer is serving 15+ years in prison, meaning FTPS is borked due to not supporting openssl newer than 1.1.0 it also doesn’t support multitransfer and so on.
Filezilla is a pita because it lacks modern features that FlashFXP supports,
RushFTP is now being developed but it was rewritten and is full of bugs and doesn’t support basic things like it use to.
So in sum FTP in general is dead because Browser makers cant be arsed to support anything related since there is no monetization possible from any FTP/FTPS/SFTP protocols.
Were left to use standalone programs that are just insufficient and much software out there is still served over FTP/HTTP only, so if HTTP is insecure just like FTP why not just axe HTTP also, makes no sense to break only 30% of the web
Firefox 90 never did. :p
This is to limit OUR FREEDOM to information that are in inside those FTPs! There are tons of data inside public FTP servers.
We need urgently an open source Web Browser that:
– is free software
– does not open any auto-connections (because all of them are UNNECESSARY for a web browser to do its main job)
– does not come with tons of useless “Features” that are only to make the project bigger and harder for individuals to maintain.
One more thing: BE CAREFUL, the attack against the open and free Web by American state through its IT companies is VERY REAL!
I’m not sure if Zelda’s insane post is satire, I hope so. Anyway, just download an FTP client and stop freaking out, they are so much better than trying to use the crippled outdated ftp support in browsers anyway.
I lean towards insanity more than satire. Just how it is based on most commenters here.
Never with any browser.
I like the free 20-year-old but still modernized FileZilla 64 Bit v. 3.53.1 (from ‘-21-03-26).
Why put a strain on your browser I thought when I can get a free easy to handle program that can handle FTP so much better than all browsers together?
Also, I have worked with the also free Filezilla server for Windows (0.9.60.2) software and I am going to install it again.
I still rely upon ftp on a regular basis, it remains as the default to manually download security patches for various packages in my Slackware installs. That said, I’m fully aware that I’m in a minuscule subset of an insignificantly small minority for this issue. Most people aren’t even aware of what ‘ftp’ is, or care one way or the other. Also, I prefer to use Firefox ESR so there’s an extra amount of time before it catches up to version 90 of the main build. I’ll miss the convenience of having ftp support in the browser (if an appropriate extension isn’t an option) but just falling back to using wget isn’t a problem. This will be a bummer for me but I understand Mozilla’s intent. I tend to think this is not going to be a big deal, it’s a function that most Firefox users won’t miss or even notice its absence.
Another feature got the axe.
Surprising? No.
Ignorant knee jerk response with zero clue as to why the feature was removed actually (as dartraiden mentioned above).
>> but not secure protocols such as SFTP
SFTP is file transfer over SSH. It’s not FTP at all. Did you mean FTPS?
Firefox does not support FTPS. Firefox does not support downloading folders via FTP. Only single files. Current FTP support is rudimentary and very old, code needs to be rewritten from scratch and implement all the missing features. But the demand for FTP is decreasing every year, this work is just a waste of energy on a half-dead protocol. BitTorrent and SSH (SFTP) are much more popular, Why we need to implement FTP support, and not these protocols?
It is much more correct to implement support for such things in the form of extensions. If you need a torrent client – install extension. if you need a ftp client – install extension.
You are right, FTPS it is.
Why even use Firefox anymore at this point? I might as well use Chrome.
Because Firefox respects your privacy more than Chrome.
@Rammer
Firefox is not privacy-conscious by default:
> It shares your location and download hashes with Google. it uses Google Analytics internally. It has a weak tracking blocker (using the shitty Disconnect lists). It allows most forms of prefetching. Fingerprinting defenses are inactive by default. It installs system level telemetry that spies on your default browser even if it isn’t Firefox. It has a backdoor that allows for remote code execution (called “Firefox Experiments” / Normandy). Its Sync requires E-Mail addresses. Leaks unique extension IDs via simple fetch requests. Connects speculatively to websites as you type addresses in the address bar. Uses Cloudflare for DoH (I am sure the DNS entries are safe in their hands!) etc.
All myth, no substance. Privacy is a good buzzword for marketing.
Blah blah blah. All said and done FF is still miles better than that POS called Chrome.
> Why even use Firefox anymore at this point? I might as well use Chrome.
Go ahead then and join Googles FLoCK of sheep.
FF Bad bad bad.
Join Edge or chrome instead, Jesus Christ.
ignorant bitching just to throw shit at Firefox huh: it was removed in chrome in 88
– https://chromestatus.com/feature/6246151319715840
– https://developers.google.com/web/updates/2020/12/chrome-88-deps-rems
I’m pretty sure the point was that since there’s less and less to differentiate Firefox from Chrome, you might as well use Chrome, which in many cases works better as well. Personally I still find plenty of reasons to use Firefox instead of Chrome, but it’s still a fair point.
I’m a regular user of FTP on Pale Moon + the FireFTP extension. No problems.
Finally. To much of a risk it was.
Really? if u’re so concerned about safety why are u here in the web? it’s soooo unsafe!~If u can’t handle risks don’t use anything in the web. Others who can handle that are getting shit from the so called safety aware devs, who simply are too stupid to program correct interfaces because all they know is how to build something from ready made libs
Hmm… maybe you should go back to the elementary school, and learn the difference between “too” & “to” before you start offering advice on cybersecurity…
So all security experts are English language experts too? * [Editor: removed, please stay polite]
If they actually cared about removing risks, they would remove the ability to open PDFs in-browser. There have been multiple cases of PDFs being used to carry exploits. Following their logic there are better programs for opening PDFs anyway, just remove the feature.
beemeup5, Firefox uses PDF.js to open PDFs (https://mozilla.github.io/pdf.js/).
It’s fully built with HTML5, so a exploit should not only break through the PDF.js layer, but also through HTML5.
And thus, it would probably be easier for a malicious agent to just exploit HTML5 with a normal webpage, rather than using a PDF.
AFAIK PDFs with exploits don’t target Firefox, they target native PDF viewers outside the browser.
@Oriol
Usually the ultimate target of exploits is the underlying host system. Whatever hurdles may exist for compromising a system through PDF.js is exponentially higher for some kind of arbitrary code execution through simply browsing an FTP site, which only enumerates directories and files. Few things can go wrong with FTP because FTP is extremely simple, the opposite of PDF and HTML5. In fact, HTML5 + CSS3 is Turing complete, making it possible to exploit and run arbitrary code.
And to add to that, in the just now released Firefox 88, they added a huge potential hazard:
– PDF forms support JavaScript embedded in PDF files.
Even security neophytes understand what a huge risk it is to be handling any kind of file with embedded JavaScript!
Adding this while removing FTP for “security reasons” is like removing a pile of old tires for being a “fire hazard” while replacing them with jugs of petrol.
Hear Hear!
Over the years I’ve often obtained useful software resources on FTP sites. But I’m not “the majority” of users so the feature must be chucked… for reasons.
Next thing you know Mozilla will be truncating the URL like in Chrome, because “most users” only care about the root domain anyway.