Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Mozilla to Remove Support for FTP in Firefox

Mozilla is getting ready to remove support for the File Transfer Protocol (FTP) from the Firefox web browser due to security concerns.

Mozilla is getting ready to remove support for the File Transfer Protocol (FTP) from the Firefox web browser due to security concerns.

FTP has been around for nearly five decades, allowing for the transfer of files between computers. The protocol is built on a client-server model architecture and has been considered insecure, being secured with SSL/TLS (FTPS) or replaced with SSH File Transfer Protocol (SFTP).

For a couple of years, Google has been marking FTP resources as insecure in Chrome, and the company deprecated the protocol in Chrome 80, which was released last month. The Internet giant aims to completely remove support for FTP in Chrome 82.

Mozilla too is considering removing support for the FTP protocol from its browser, Mozilla developer Michal Novotny revealed this week in a post on the mozilla.dev.platform list.

According to Novotny, FTP will be turned off by default in Firefox 77, although it would be enabled by default in version 78 ESR. Furthermore, the developer said, the code will be completely removed from Firefox at the beginning of 2021.

“We’re doing this for security reasons. FTP is an insecure protocol and there are no reasons to prefer it over HTTPS for downloading resources,” Novotny said.

The developer also highlights the fact that part of the FTP code is very old and unsafe, and that maintaining it is a difficult task. Moreover, it is riddled with lots of security bugs, he says.

Advertisement. Scroll to continue reading.

“After disabling FTP in our code, the protocol will be handled by external application, so people can still use it to download resources if they really want to. However, it won’t be possible to view and browse directory listings,” Novotny explains.

The plan to remove support for the insecure protocol is not surprising, given Mozilla’s focus on keeping its users secure, including by enabling DNS-over-HTTPS by default for users in the United States.

Related: Firefox 74 Patches Vulnerabilities, Disables TLS 1.0 and 1.1

Related: Firefox Gets DNS-over-HTTPS as Default in U.S.

Related: Chrome 80 Released With 56 Security Fixes

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.