Firefox 90 won't handle FTP sites anymore

Mozilla announced today that Mozilla's Firefox web browser won't support the FTP protocol from Firefox 90 onward. It was clear that FTP support would be removed from the browser, but it was not clear until today when that would happen.

Rumors about the removal of FTP support in Firefox and Chrome emerged back in 2015, but it took Mozilla until 2018 to introduce a preference in the browser that would disable FTP support.

Confirmation that FTP support would be removed from Firefox came in 2020. Mozilla planned to remove support in Firefox 77 at the time, but postponed the removal. Meanwhile, Google did remove FTP support from its Chrome browser already.

Mozilla published a deprecation timeline on the organization's Addons blog. According to the information published there, FTP support will be turned off by default in Firefox 88.

firefox ftp support missing

Firefox displays a prompt when a user attempts to load an FTP address. Installed FTP programs are displayed in the list, but if there are none, the list will be empty. Firefox users who need to access FTP resources may want to check out WinSCP, and make it the default FTP handler in the browser.

Firefox 88 is scheduled for a release on April 19, 2021.

Restore FTP in Firefox 88 and 89

firefox enable ftp

FTP code is not removed in Firefox 88, and users may flip a preference to restore FTP support in Firefox 88 and 89. Mozilla will remove FTP entirely when Firefox 90 is released later this year.

  1. Load about:config in the Firefox address bar.
  2. Confirm that you will be careful.
  3. Search for network.ftp.enabled.
  4. Set the value to TRUE by double-clicking on the line, or with a left-click on the toggle icon.

Firefox will open FTP resources again when the value is set to TRUE. This works until Firefox 90, as FTP code will be disabled completely in that release.

Closing words

FTP support was not all that great in all browsers, as lots of functionality was missing. Browsers only supported the standard FTP protocol but not secure protocols such as FTPS. FTP programs were always the better choice, but it was still handy to browse FTP resources in the browser of choice.

With FTP support being removed, or already removed, browsers can not be used for that anymore.

Now You: do you access FTP resources regularly?

Summary
Firefox 90 won't handle FTP sites anymore
Article Name
Firefox 90 won't handle FTP sites anymore
Description
Mozilla announced today that Mozilla's Firefox web browser won't support the FTP protocol from Firefox 90 onward.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Previous Post: «
Next Post: «

Comments

  1. beemeup5 said on April 16, 2021 at 5:20 pm
    Reply

    Over the years I’ve often obtained useful software resources on FTP sites. But I’m not “the majority” of users so the feature must be chucked… for reasons.

    Next thing you know Mozilla will be truncating the URL like in Chrome, because “most users” only care about the root domain anyway.

  2. Bobby Phoenix said on April 16, 2021 at 6:59 pm
    Reply

    Finally. To much of a risk it was.

    1. beemeup5 said on April 17, 2021 at 11:17 pm
      Reply

      If they actually cared about removing risks, they would remove the ability to open PDFs in-browser. There have been multiple cases of PDFs being used to carry exploits. Following their logic there are better programs for opening PDFs anyway, just remove the feature.

      1. Oriol said on April 18, 2021 at 7:09 pm
        Reply

        beemeup5, Firefox uses PDF.js to open PDFs (https://mozilla.github.io/pdf.js/).
        It’s fully built with HTML5, so a exploit should not only break through the PDF.js layer, but also through HTML5.
        And thus, it would probably be easier for a malicious agent to just exploit HTML5 with a normal webpage, rather than using a PDF.
        AFAIK PDFs with exploits don’t target Firefox, they target native PDF viewers outside the browser.

      2. beemeup5 said on April 19, 2021 at 7:25 pm
        Reply

        @Oriol
        Usually the ultimate target of exploits is the underlying host system. Whatever hurdles may exist for compromising a system through PDF.js is exponentially higher for some kind of arbitrary code execution through simply browsing an FTP site, which only enumerates directories and files. Few things can go wrong with FTP because FTP is extremely simple, the opposite of PDF and HTML5. In fact, HTML5 + CSS3 is Turing complete, making it possible to exploit and run arbitrary code.

        And to add to that, in the just now released Firefox 88, they added a huge potential hazard:
        – PDF forms support JavaScript embedded in PDF files.

        Even security neophytes understand what a huge risk it is to be handling any kind of file with embedded JavaScript!
        Adding this while removing FTP for “security reasons” is like removing a pile of old tires for being a “fire hazard” while replacing them with jugs of petrol.

    2. Glary said on April 18, 2021 at 3:53 pm
      Reply

      Hmm… maybe you should go back to the elementary school, and learn the difference between “too” & “to” before you start offering advice on cybersecurity…

      1. EffAllGrammarNazis said on April 19, 2021 at 1:20 am
        Reply

        So all security experts are English language experts too? * [Editor: removed, please stay polite]

  3. Max said on April 16, 2021 at 7:06 pm
    Reply

    I’m a regular user of FTP on Pale Moon + the FireFTP extension. No problems.

  4. Anonymous said on April 16, 2021 at 7:48 pm
    Reply

    Why even use Firefox anymore at this point? I might as well use Chrome.

    1. Anonymous said on April 17, 2021 at 12:30 pm
      Reply

      ignorant bitching just to throw shit at Firefox huh: it was removed in chrome in 88
      https://chromestatus.com/feature/6246151319715840
      https://developers.google.com/web/updates/2020/12/chrome-88-deps-rems

      1. Anonymous said on April 17, 2021 at 4:49 pm
        Reply

        I’m pretty sure the point was that since there’s less and less to differentiate Firefox from Chrome, you might as well use Chrome, which in many cases works better as well. Personally I still find plenty of reasons to use Firefox instead of Chrome, but it’s still a fair point.

    2. Anon7 said on April 17, 2021 at 8:30 pm
      Reply

      > Why even use Firefox anymore at this point? I might as well use Chrome.

      Go ahead then and join Googles FLoCK of sheep.

      FF Bad bad bad.

      Join Edge or chrome instead, Jesus Christ.

    3. Rammer said on April 17, 2021 at 9:53 pm
      Reply

      Because Firefox respects your privacy more than Chrome.

      1. Iron Heart said on April 18, 2021 at 11:45 am
        Reply

        @Rammer

        Firefox is not privacy-conscious by default:

        > It shares your location and download hashes with Google. it uses Google Analytics internally. It has a weak tracking blocker (using the shitty Disconnect lists). It allows most forms of prefetching. Fingerprinting defenses are inactive by default. It installs system level telemetry that spies on your default browser even if it isn’t Firefox. It has a backdoor that allows for remote code execution (called “Firefox Experiments” / Normandy). Its Sync requires E-Mail addresses. Leaks unique extension IDs via simple fetch requests. Connects speculatively to websites as you type addresses in the address bar. Uses Cloudflare for DoH (I am sure the DNS entries are safe in their hands!) etc.

        All myth, no substance. Privacy is a good buzzword for marketing.

      2. FFFTW said on April 19, 2021 at 1:22 am
        Reply

        Blah blah blah. All said and done FF is still miles better than that POS called Chrome.

  5. dartraiden said on April 16, 2021 at 8:00 pm
    Reply

    >> but not secure protocols such as SFTP

    SFTP is file transfer over SSH. It’s not FTP at all. Did you mean FTPS?

    Firefox does not support FTPS. Firefox does not support downloading folders via FTP. Only single files. Current FTP support is rudimentary and very old, code needs to be rewritten from scratch and implement all the missing features. But the demand for FTP is decreasing every year, this work is just a waste of energy on a half-dead protocol. BitTorrent and SSH (SFTP) are much more popular, Why we need to implement FTP support, and not these protocols?

    It is much more correct to implement support for such things in the form of extensions. If you need a torrent client – install extension. if you need a ftp client – install extension.

    1. Martin Brinkmann said on April 17, 2021 at 6:43 am
      Reply

      You are right, FTPS it is.

  6. Malik said on April 16, 2021 at 8:51 pm
    Reply

    Another feature got the axe.

    Surprising? No.

    1. FFFTW said on April 19, 2021 at 1:25 am
      Reply

      Ignorant knee jerk response with zero clue as to why the feature was removed actually (as dartraiden mentioned above).

  7. svim said on April 16, 2021 at 10:35 pm
    Reply

    I still rely upon ftp on a regular basis, it remains as the default to manually download security patches for various packages in my Slackware installs. That said, I’m fully aware that I’m in a minuscule subset of an insignificantly small minority for this issue. Most people aren’t even aware of what ‘ftp’ is, or care one way or the other. Also, I prefer to use Firefox ESR so there’s an extra amount of time before it catches up to version 90 of the main build. I’ll miss the convenience of having ftp support in the browser (if an appropriate extension isn’t an option) but just falling back to using wget isn’t a problem. This will be a bummer for me but I understand Mozilla’s intent. I tend to think this is not going to be a big deal, it’s a function that most Firefox users won’t miss or even notice its absence.

  8. Paul(us) said on April 17, 2021 at 12:30 am
    Reply

    Never with any browser.
    I like the free 20-year-old but still modernized FileZilla 64 Bit v. 3.53.1 (from ‘-21-03-26).
    Why put a strain on your browser I thought when I can get a free easy to handle program that can handle FTP so much better than all browsers together?

    Also, I have worked with the also free Filezilla server for Windows (0.9.60.2) software and I am going to install it again.

  9. Zelda said on April 17, 2021 at 1:09 am
    Reply

    This is to limit OUR FREEDOM to information that are in inside those FTPs! There are tons of data inside public FTP servers.

    We need urgently an open source Web Browser that:
    – is free software
    – does not open any auto-connections (because all of them are UNNECESSARY for a web browser to do its main job)
    – does not come with tons of useless “Features” that are only to make the project bigger and harder for individuals to maintain.

    One more thing: BE CAREFUL, the attack against the open and free Web by American state through its IT companies is VERY REAL!

    1. Neil said on April 18, 2021 at 8:40 am
      Reply

      I’m not sure if Zelda’s insane post is satire, I hope so. Anyway, just download an FTP client and stop freaking out, they are so much better than trying to use the crippled outdated ftp support in browsers anyway.

      1. FFFTW said on April 19, 2021 at 1:29 am
        Reply

        I lean towards insanity more than satire. Just how it is based on most commenters here.

  10. Anonymous said on April 17, 2021 at 4:06 am
    Reply

    Firefox 90 never did. :p

  11. Smitty said on April 17, 2021 at 4:39 am
    Reply

    This article could be greatly improved if it explained *why* they are deciding to remove FTP support.

    Personally, I find being able to quickly browse a FTP site via Firefox to be very handy. Also downloading a file here and there (especially readme files) is very nice. If they proceed with removing the code, I’ll definitely miss being able to do these things.

    I wonder why they are currently planning on removing the code. It works well, and regular old FTP hasn’t changed in any way that will prevent the code from continuing to work, so they don’t need to spend any money on development to keep the current useful functionality.

    Without understanding the reasoning involved (and none are provided in this article), it seems like a poor decision that will obviously reduce Firefox’s current functionality.

    1. Martin Brinkmann said on April 17, 2021 at 6:39 am
      Reply

      In short: FTP is insecure, too much work to add FTPs and little gain, better programs out there, therefore, bye bye.

      1. pwned said on April 17, 2021 at 1:28 pm
        Reply

        One of the best FTP/FTPS/SFTP standalone programs FlashFXP is no longer developed, because developer is serving 15+ years in prison, meaning FTPS is borked due to not supporting openssl newer than 1.1.0 it also doesnt support multitranfer and so on.

        Filezilla is a pita because it lacks modern features that FlashFXP supports,

        RushFTP is now being developed but it was rewritten and is full of bugs and doesn’t support basic things like it use to.

        So in sum FTP in general is dead because Browser makers cant be arsed to support anything related since there is no monetization possible from any FTP/FTPS/SFTP protocols.

        Were left to use standalone programs that are just insufficient and much software out there is still served over FTP/HTTP only, so if HTTP is insecure just like FTP why not just axe HTTP also, makes no sense to break only 30% of the web

      2. beemeup5 said on April 17, 2021 at 11:10 pm
        Reply

        FTP was designed to be a simple and quick way to publicly distribute binaries. It’s not secure because it doesn’t have to be. Anyone who extensively uses FTP already knows this. If they actually wanted security they’d use FTPS or SFTP. Different tools for different use cases.

        Plus I don’t buy the whole “we’re removing it for security” angle. They would remove a low risk factor (FTP) but still allow the browser to natively open PDFs (a high risk factor)?! There are better programs for opening PDFs so why not remove PDF compatibility “for security reasons”? Their logic falls apart because of this.

      3. FFFTW said on April 19, 2021 at 1:35 am
        Reply

        You keep repeating this point beemeup5, but what exactly in your opinion are these “better [i.e. more secure] programs for opening PDFs” that are guaranteed to be present on systems in addition to FF itself?

      4. beemeup5 said on April 19, 2021 at 6:25 pm
        Reply

        I made that point to mock the logic of those who removed FTP.

        What are these “better [i.e. more secure] programs for browsing FTP sites that are guaranteed to be present on systems in addition to FF itself? You see, I changed a few words and now it goes both ways.The excuses Mozilla makes for removing FTP don’t hold up to scrutiny.

        My main point of how FTP was designed to be public and unencrypted still stands. Security is not an issue. At most Mozilla could just disable the feature by default and leave it alone, but now they decide to remove it entirely, likely because Chrome did it earlier.

  12. Robert Wellock said on April 17, 2021 at 10:22 am
    Reply

    File Transfer Protocol (FTP) is an error-free, session-orientated protocol that uses TCP ports 20 and 21. Other similar protocols include TFTP (Trivial File Transfer Protocol) and SFTP (SSH File Transfer Protocol).

    The main reason standard FTP can be considered “insecure” is because it doesn’t encrypt usernames or passwords; it sends them in clear text, i.e. plain text thus authentication and does not use encryption.

    Someone who sniffs your mail server might read your private mail, but someone who sniffs your FTP password can deface your website, etc. The files themselves are uploaded or downloaded without any encryption at all. There are also other risks with the transferred data “straying”, etc.

    Data sent via FTP is vulnerable to sniffing, spoofing, and brute force attacks, among other basic attack methods. Files are not only sent in plain text they are also not protected against “modifications” such as Man-in-the-middle attack.

    FTP was NOT built to be secure.

    I’ll occasionally use SFTP, but it’s probably been around 10 years ago since I’ve had to use the FTP protocol.

    1. pwned said on April 17, 2021 at 1:37 pm
      Reply

      I fully agree with everything you said, also no one is working on the protocols anymore, so you could still implement secure credential transfer to the FTP protocol if it was worked on.

      Firefox never supported full FTP support in any case, and only someone that uses passwords like password or 12345678 uses FTP to manage any of their sites.

      in any case any data in flight is always vulnerable to any form of attack.

      Pint being there should be a simple way to download files from a ftp server without having to install a full desktop app anyway, no one on their right mind would use the browser to manage their sites via FTP either.
      that said, if you think of how stupid people are, then realize they are even more stupid than you first thought, so anything goes anyway.

  13. wert said on April 17, 2021 at 12:21 pm
    Reply

    Ftp in transit is just data, if the checksums pan out, its not needed to be encrypted, personalized and crammed with exploits due to eternally insecure by design effing crypto.

    heartbleed never affected ftp, but ssl. Ssl and derivatives collect insecurity and will always be exploitable.

    1. pwned said on April 17, 2021 at 1:46 pm
      Reply

      There is literally no technology being it hardware or software that is not exploitable, its impossible to design secure anything that cant be exploited in some way.

      The worst is that when exploits are found most manufacturers dont give a hoot so they wont fix their hardware or software, especially if its EOL.

      So not even encrypted data is secure. End of story, just read securiy news and look at the CVES that pile up by the dozens

  14. Loxia said on April 17, 2021 at 1:56 pm
    Reply

    I use ftp daily to download single Excel files from a science web site.

    1. Anonymous said on April 19, 2021 at 1:40 am
      Reply

      Plain ftp? Clearly the site is run by amateurs who know or care nothing about security.

      1. jobbautista9 said on April 21, 2021 at 4:03 pm
        Reply

        Anonymous, why would you need to encrypt an Excel file from a science website?

  15. Anonymous said on April 18, 2021 at 3:26 pm
    Reply

    It’s probably best to use relatively clean software instead of a Mozilla malware to do that anyway.

    1. FFFTW said on April 19, 2021 at 1:41 am
      Reply

      Preferable to other browser malware any day.

  16. name said on April 23, 2021 at 6:12 pm
    Reply

    Wrong decision. And for the ignorant hunter, Yes I read all. No I disagree.

  17. Muhammad Firza said on April 26, 2021 at 8:00 am
    Reply

    Mozilla continues to destroy FTP (alongside with other browsers not only in Firefox) making communities can’t miss them, in favor of against FTP alongside with FTPS/SFTP and other FTPs was very no sense to visit website with FTP-only.

  18. Dick Snippe said on April 26, 2021 at 5:39 pm
    Reply

    What seems to be missing here is a distinction between anonymous ftp and “authenticated” ftp. The latter (authenticated) is generally a bad idea indeed, because passwords are sent unencrypted over the network. However, anonymous ftp (the one you typically use when downloading something from a public repo) isn’t so bad. Yes, the protocol is ancient, yes firewalling is a bitch (because of the use of a separate ports for control and data streams). But in essence anonymous ftp is no different from http. I.e. a plaintext tcp protocol, well suited for transferring non-privacy-sensitive data. Perhaps this move from mozilla will force maintainers of ftp download sites to switch to http(s). In that case the end outcome could be good (eradication of the need for any form of ftp, both anonymous and authenticated). But in the mean time it is going to hurt somewhat for some people.

  19. Matthew Hill said on May 7, 2021 at 4:06 am
    Reply

    I just had to download filezilla on a laptop that I was refurbishing so I could download a driver from HP’s ftp site. Why should that even be necessary? can’t chrome/firefox just let me download a zip file?

    I give a flying F if the connection is encrypted or not.

    I’m a computer pro and think the whole “https everywhere” is overblown. I also give a flying F if someone eavesdropped my connection to a news site and saw I read a story about truck that fell off a bridge – who cares?

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.