
Mozilla to Remove Support for FTP in Firefox

Mozilla is getting ready to remove support for the File Transfer Protocol (FTP) from the Firefox web browser due to security concerns.

FTP has been around for nearly five decades, allowing for the transfer of files between computers. The protocol is built on a client-server architecture and has long been considered insecure; it is either secured with SSL/TLS (FTPS) or replaced with SSH File Transfer Protocol (SFTP).

For a couple of years, Google has been marking FTP resources as insecure in Chrome, and the company deprecated the protocol in Chrome 80, which was released last month. The Internet giant aims to completely remove support for FTP in Chrome 82.

Mozilla too is considering removing support for the FTP protocol from its browser, Mozilla developer Michal Novotny revealed this week in a post on the mozilla.dev.platform list.

According to Novotny, FTP will be turned off by default in Firefox 77, although it will be enabled by default in version 78 ESR. Furthermore, the developer said, the code will be completely removed from Firefox at the beginning of 2021.

“We're doing this for security reasons. FTP is an insecure protocol and there are no reasons to prefer it over HTTPS for downloading resources,” Novotny said.

The developer also highlighted the fact that part of the FTP code is very old and unsafe, and that maintaining it is a difficult task. Moreover, it is riddled with security bugs, he said.

“After disabling FTP in our code, the protocol will be handled by external application, so people can still use it to download resources if they really want to. However, it won't be possible to view and browse directory listings,” Novotny explains.

The plan to remove support for the insecure protocol is not surprising, given Mozilla’s focus on keeping its users secure, including by enabling DNS-over-HTTPS by default for users in the United States.
