Stopping FTP support in Firefox 90 (blog.mozilla.org)
the sheer lack of awareness here sometimes, I swear.
Firefox can't be everything. It should focus on being a great browser and not a great browser and also great FTP client, or a great browser and also a great feed reader, or a great browser and also a great mail client. People using FTP can use a dedicated client, of which there are plenty on every platform, and people who don't use FTP (i.e. the vast, vast majority of web browser users) won't even notice.
A modern web browser is probably some of the most complex software humanity has invented yet, besides a full-scale OS. Taking a maintenance burden that's unrelated to the core browser product of a struggling NFP should be welcomed with a sigh of relief.
There are a few people commenting with nonsense like this:
> You can configure Firefox to open "ftp://" links with the client of your choice. This is a non-issue.
That's absolutely useless if the client of your choice can't render HTML and the ftp:// link is to an HTML file.
The fundamental idea of the WWW project was that it provided a universal, uniform interface to all the information on the internet, regardless of protocol. This move amounts to Firefox abandoning that vision. Abandoning Gopher was maybe reasonable—there just aren't that many Gopher servers out there—but FTP is still a widely used protocol.
More broadly, this is a tradeoff between the traditional vision of the WWW as a vast library, in which human knowledge accumulates over time and becomes accessible to all, and the strip-mall vision of the WWW as a means to sell people things they don't need. This move amounts to burning down a wing of the library (or, at least, its card catalog) because it wasn't profitable enough. Or because people keep getting mugged there, I guess.
This kind of intentional functionality regression is precisely the kind of thing I use free software to avoid.
I also find the incredibly vague and nonspecific "but security!" scaremongering language to be quite hyperbolic, a repeat of the borderline lies mozilla peddled when they decided to dump xul for webextensions.
It seems to me that the removal of features like this amounts to "I don't use/understand it, therefore I'm going to assume it's not useful to anybody".
Of course, Mozilla being out of touch with its user base is hardly news, so this comes as no surprise at all to me.
(While I'm talking about browsers and particularly mozilla, I'd just like to take a moment to congratulate them on finally getting their market share down below that of edge. They've been working hard at driving firefox into the ground for a long time now, and I'm sure they must be feeling very proud to have finally achieved this important milestone in their seemingly unending quest to achieve that holy grail of 0 users. So I'd just like to say: Nice work, Mozilla!)
I cannot for the life of me remember the last time I landed on a page with FTP or had to use FTP in any way. Even lists of file downloads are http pages where I just click on the file.
> More broadly, this is a tradeoff between the traditional vision of the WWW as a vast library, in which human knowledge accumulates over time and becomes accessible to all, and the strip-mall vision of the WWW as a means to sell people things they don't need.
I don't get this at all.
* Are you saying FTP is a fundamentally better protocol to download files than HTTP?
* Are you saying that it would be easier to run a FTP server than a HTTP server?
* Do you think that FTP-only-sites generally depend on HTML-over-FTP for browsing? Because that's something I've never seen AFAIK, either they use HTTP-only or HTML-over-HTTP for browsing and FTP for download.
I get the "strip-mall vision of the WWW as a means to sell people things they don't need" complaint, but that does not seem related to the protocol discussion of HTTP and FTP at all.
Browsers removing support are breaking part of the web that was working fine.
Your web browser doesn't need to support FTP. It just needs to support the web. Everything else is a bonus, unless it's a security liability. Then it has no business being in there.
It's an edge case these days though as more are moving to https:// links so I can understand the browser vendors wanting to make the code base smaller. They have enough to do. Especially for Mozilla given what they charge for us to use their product.
> Now they're [...] removing [...], and people are still complaining?
It's different people.
It is a shorthand but it always seems like it's designed as a "gotcha". I haven't thought enough about it to figure out what fallacy it entails, just enough to ignore it anytime I see an argument that uses it.
Even Apache 1 can expose dirs over http instead of ftp, there is literally no reason for FTP unless you want uploads. In which case: no you don't, you want sftp at the very least, because you care about the fact that you want data that gets uploaded to be your data, not the data that a MITM trivially changed it to. Which FTP fully allows.
FTP is used often in my field. The removal of FTP from both Chrome and Firefox has been very inconvenient. I tried a few free FTP clients with GUI. They are huge and clumsy in comparison to browsers. For example, the cyberduck zip is as large as firefox and I couldn't copy-paste an ftp:// URL in FileZilla. I wonder why these FTP clients don't adopt a browser-like interface. It would be more friendly. Now I mostly use command-line lftp, which is better than the GUI clients I have tried but still not as convenient as browsers.
You should be able to paste a full ftp://server.tld/path into the host field and upon connection it'll drop you right into that folder.
As for why the GUIs aren't that great I think it's precisely because FTP was made with CLI in mind and by the time good GUIs came around there were better protocols to plug into them.
There are times when HN seems to become very negative to a particular topic. In the past I’ve seen it with Kubernetes, systemd or GCP/AWS. I feel it’s that way with Mozilla/Firefox. More often than not, comments on Mozilla/Firefox are very negative then create a feedback loop of negativity. Obviously subjective, but just what I see
When Google or MS does something shitty with their browsers I pretty much expect it from them and I'm partially insulated from their bad behaviors since I avoid using those browsers. When Mozilla acts badly though I'm often personally impacted.
I'm actually okay with them getting rid of FTP support (although I think leaving it there, but disabled by default was a better way to go - FTP links are pretty common out there) but I'm not at all surprised by the backlash.
Please elaborate. In excruciating detail.
> A modern web browser is probably some of the most complex software humanity has invented yet, besides a full-scale OS.
And whose fault is that, if not WHATWG?
Embrace. Extend. Extinguish.
--------------------- ^ [The web is here]
People bitched when Firefox added a stupid non-standard thing, yes. Now, the few who still use Firefox, will bitch because they have arbitrarily removed a standard thing.
That said some functionality has been included in bookmarks such as clicking favorite button saves directly in unsorted, clicking twice opens a menu where tags can be added, and can see all bookmarks through menu. A secondary bookmarks tree can be added with extra features being read status, and simple status change and deletion from menu without requiring right click. Kinda like Chrome did it.
Browsers never had decent ftp support, true. They just allow you to list directories and download stuff. But on the other hand, the FTP support doesn't cost anything. Don't know much about Pocket to be honest, but this form of integration is much worse than to support a protocol.
Aside from that, maybe using http for downloads is the better alternative today.
The epitome of corporate speak: "we're taking away a feature of this software. You're welcome."
I expect that kind of talk from Google; hearing it from Mozilla makes me a little sad.
Show me an example of actual FTP MITM hack in the wild.
Sure loading FTP resources from HTTP(S) context is not a good idea (as would be downloading executables over FTP), but did they actually make any effort to inform the public and owners of FTP servers? I do not think so, I haven't seen it.
Mozilla these days has very weird priorities. Their decisions should not feel so unilateral or "because Chrome does it". There should be more emphasis on widely understood infrastructure even at the cost of "soft" projects/campaigns [1] - these could be served by the EFF after all. I can't understand why shedding MDN was a good idea in their heads.
[1] Like this one: https://foundation.mozilla.org/pl/blog/mozilla-investigation...
I agree. The attempts to be more and more like Chrome are especially confusing to me. Maybe they just want to copy what's popular but the thing they seem to miss is that if people wanted a browser that was just like chrome they'd probably just use chrome. The removal of choice, customization, and control over Firefox is what's going to drive people away. Those are the features that attracted most of us to Firefox in the first place.
Then they can use an FTP client which will perform better anyways. This is Mozilla removing it from their web browser, not L3 black holing port 21 traffic.
Why do you need to use a web browser?
Just yesterday I found a link to FTP while researching something. Was pretty annoying to go get another FTP client up and running to get it.
Anyway, the movement away from unencrypted protocols to TLS-only is moving us closer to a fully censored internet. Sure, an unencrypted internet did not have any integrity guarantees, and thus was easy to censor (and worse) by totalitarian nation states.
However, a TLS-only internet is very easily censorable by our new global central planners (FAANG). This way, they'll have much more control than was available to the common MITMing nation state.
Malware vector, really? When was the last time FTP was a major malware distribution channel as opposed to, you know, plain http? And I don't buy the "save programming resources" argument either. FTP is an old, simple and stable protocol, it's not like there's much need to touch that code.
We would have encrypted communication with privileged government access. I think it is actually competition that keeps TLS trustworthy.
FTP is a horrible kludge that needs to be deprecated. SFTP is better. The number of ports needed, holes punched in firewalls, everything sent in plain-text, inability to traverse NAT without more kludge and hacky work-arounds. We only tolerate it because it was the only thing that worked.
There are better/newer methods that should be embraced.
We don't bemoan the death of Gopher, or Finger do we? Hell no. FTP does have its uses, but I'd dare wager that every-single-instance could be upgraded to SFTP and the world would move on.
Legacy, ancient apps that haven't been touched in 40 years will break. Let them.
It's sad, but not surprising.
That barrier seems pretty porous these days. Being that you can access serial ports via JS, for example :)
Yes.. well, they can do the same by compromising servers that offer the payload via HTTP(S). At least when the payload is ftp, it stands out and you can catch it in your gateway/firewall devices.
With https you now need https inspection at the border in order to be able to do that. These MITM devices do tend to cause a lot of trouble.
explorer: right click "my computer" -> map network drive. (or just ctrl+L and type an FTP url.)
finder: go -> connect to server
nautilus/dolphin: network -> connect to server (or just ctrl+L and type an FTP url.)
One can argue that servers should upgrade, and that's valid. But they don't, and they likely won't. This just harms Firefox's user base and is one more reason I no longer recommend Firefox. They just don't seem as user friendly as they once were.
I would expect Mozilla to advocate for more FTP as a cheap way of distributing files.
I do use FTP every now and then, but I do so from the command line or file manager like mc (or far manager when I am on Windows). Even there, it has been declining steadily, though, because ssh/sftp works pretty well as a drop-in replacement, unless one of the endpoints is so low-end the encryption becomes a throughput bottleneck. But it's been many years since I've had that problem.
It also doesn't really do a good job of transferring files - the protocol is slow and is incompatible with lots of firewall setups.
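The complaints above about FTP and firewalls (the extra ports, the NAT hacks, the plaintext password, and the point that FTP traffic "stands out" at a gateway) all come from one protocol property: the server names a second endpoint inside the control channel, and anything in the path has to parse that text to follow the transfer. The script below is an added example (not code from any commenter or from Mozilla) that replays a constructed control-channel transcript and extracts exactly what a client, firewall or ALG needs to know. The hostnames, paths and the `SAMPLE_SESSION` transcript are made up for the example, and the advertised-IP check is the same idea behind curl's `--ftp-skip-pasv-ip` option: a server (or a MITM on the plaintext channel) can put any address in the 227 reply, so the safe choice is to connect back to the control-connection peer when they differ.

```python
import re

# Constructed sample FTP control-channel transcript ("C:" client, "S:" server);
# hosts and paths are illustrative, not captured from any real session.
SAMPLE_SESSION = """\
S: 220 ftp.example.test ready
C: USER anonymous
S: 331 Please specify the password.
C: PASS guest@
S: 230 Login successful.
C: PASV
S: 227 Entering Passive Mode (192,0,2,10,195,149).
C: RETR pub/tool.tar.gz
S: 150 Opening BINARY mode data connection.
S: 226 Transfer complete.
C: PASV
S: 227 Entering Passive Mode (198,51,100,7,4,1).
C: STOR upload.bin
S: 150 Ok to send data.
S: 226 Transfer complete.
"""

# RFC 959 passive-mode reply: "227 ... (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
# Commands that open a data connection on the endpoint from the last 227 reply
DATA_COMMANDS = {"RETR", "STOR", "APPE", "LIST", "NLST", "MLSD"}


def parse_pasv(line):
    """Parse a 227 reply into (host, port); None if malformed or out of range."""
    m = PASV_RE.search(line)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", (p1 << 8) | p2


def track_session(transcript, control_peer):
    """Replay a control-channel transcript and report what a client, firewall
    or ALG must track to follow the transfer: every data connection the
    server asked for, whether the advertised IP matches the control peer,
    and whether credentials crossed the wire in clear text."""
    report = {"user": None, "cleartext_password": False, "data_connections": []}
    pending = None  # endpoint announced by the most recent 227 reply
    for raw in transcript.splitlines():
        who, _, line = raw.partition(": ")
        if who == "S":
            endpoint = parse_pasv(line)
            if endpoint:
                host, port = endpoint
                mismatch = host != control_peer
                pending = {
                    "host": host,
                    "port": port,
                    "ip_mismatch": mismatch,
                    # The server (or a MITM) can name any IP here; the safe
                    # choice is to connect back to the control peer instead.
                    "connect_to": control_peer if mismatch else host,
                }
        elif who == "C":
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                report["user"] = arg
            elif verb == "PASS":
                # No TLS on plain FTP: the password is readable on the wire.
                report["cleartext_password"] = True
            elif verb in DATA_COMMANDS and pending is not None:
                report["data_connections"].append(dict(pending, command=verb, path=arg))
                pending = None  # each 227 endpoint is good for one transfer
    return report


if __name__ == "__main__":
    for dc in track_session(SAMPLE_SESSION, "192.0.2.10")["data_connections"]:
        print(dc)
```

Run against the sample, the second transfer is flagged: the server advertised 198.51.100.7 while the control connection came from 192.0.2.10, so the client should ignore the advertised host. That second, dynamically numbered port is also why a stateful firewall needs an FTP-aware helper (or a TLS-free control channel it can read) to let the transfer through, which is exactly the "holes punched in firewalls" cost the thread describes.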
This is why we can't have nice things and why the internet is going to become Chrome-first.
[0] Principle 6: The effectiveness of the internet as a public resource depends upon interoperability (protocols, data formats, content), innovation and decentralized participation worldwide. https://www.mozilla.org/en-US/about/manifesto/
Browser support is important here because those files are often not explored from command line etc, but rather the FTP links are placed on individual pages as a quick download. At least for me, it's much more convenient to click and wget, than reading a page then switch window to query from API/client...
And you aren't using Firefox anyway, it has never supported FTP uploads.
https doesn't let you also manage your files with the same protocol/daemon without other stuff on top of, or alongside, it.
For a software project with the size and age of Firefox, deleting obsolete or redundant code is universally good. It is a hard but necessary task. I am okay with completely stopping the use of FTP for that cause. Or eventually firing up Chrome FWIW.
Mozilla's explanation/justification here for removing ftp is quite flimsy. It presumes there could never, ever be any possible situation in which a user wants to use a browser for ftp. Whether now or in the future. It just does not add up. There are no specific references to ftp-based exploits, or other examples of how ftp is harmful. Who uses ftp for transfers of unencrypted files containing sensitive data over the open internet. ftp can be useful for stuff that is not sensitive and for transfers over the local network between devices (no internet connection required).
It makes sense to remove ftp if the web is just for advertising and sales. Why would any "consumer" need ftp.
Fortunately the text-only browser I use is probably not going to remove ftp. But any decline in ftp use that results from the decisions of these advertising-dependent organisations is concerning.
You can see here where the GUI didn't support FTP over SSL, and then eventually got marked WONTFIX because they decided to deprecate FTP entirely instead: https://bugzilla.mozilla.org/show_bug.cgi?id=85464
That's just how you do big changes these days. Especially if you're Mozilla.
Here's a step-by-step guide to how it works:
1. Decide that you want to drop something because it's not shiny anymore.
2. Scream "OMG WE NEED TO DO THIS FOR SECURITY!!!"
3. Watch while people commend you for taking such a brave stance for "teh security"
See also: webextensions.
This decision seems like a no-brainer, but I’ve found I’m always surprised how much use legacy features like this can have.
Luckily I could convince him to use ProFTPD with sftp http://proftpd.org/docs/contrib/mod_sftp.html . This is very neat as the service runs on their own ssh-alike port.
I remember back when the Spread Firefox campaign was still around - at the time, Firefox and Mozilla in general felt grassroots, fun, and human. Like a club anyone could join and that anyone would want their friends, family, coworkers, and even strangers or people they didn't like to get in on: an all-in-this-together effort for a better internet.
Anymore, Mozilla feels more and more corporate, more like a company - even as Google Chrome (and the many browsers built from Chromium) eats away more and more of their market share and they move toward being "the little guy" again - and less and less like a group of people.
I think what I really miss is having a browser that made me care about it beyond just wanting alternatives.
That was a long, long time ago. I think something like the early 00s when Firefox was just launched. Things changed. Mozilla is no longer the same.
But, hey, if you are not yet a FF user, here's where you can download it, in case you're looking for a browser that... lacks FTP support. Something many users are likely to be seeking out.
However, there is no need to characterize FTP as dangerous by jumping from FTP is old and is in plaintext, to FTP servers are being exploited and used to distribute malware, to FUD-type statements implying that there are [unspecified] exploits now available to attack Firefox if FTP was enabled.
This is just plain disgusting and it leaves a bad taste in my mouth.
maintaining features is cost
I'm not saying there weren't good reasons to get rid of ftp support, but that doesn't seem like one.
What would happen if they rip it out?
What should be done is push for things like ftps or add big warnings around it.
That wasn't the decision. Maintaining this was.
Define "lots". Chrome dropped FTP support in late 2020 and basically nobody noticed. The vast majority of the remaining public FTP servers are also accessible over HTTP.
> I would expect Mozilla to advocate for more FTP as a cheap way of distributing files.
In what sense is FTP "cheap"? What makes it any different from HTTP in that regard?
Maybe people outside of the tech world failed to notice, but it was discussed here at the time:
a ton of government and scientific datasets are provided over FTP
It's one thing to have your password stolen, but another thing entirely to have your download and its shasum/md5sum/whatever sidecar file replaced in-flight
Sure, there might be a user that doesn't know how to get a good FTP tool. But how many FTP servers are they accessing? Probably not enough of those to justify the maintenance effort.
Now they have to be handled by an external protocol handler, and I'd bet most of us don't have one set up, so things will be a little bumpy for a bit
It removes a malware vector going through Firefox.
But seriously, who's serving FTP but doesn't serve HTTPS?
I've used FTP, fairly heavily back at an old job that required it, but I have an FTP client. They are a dime a dozen for every platform. But I haven't used FTP at all in at least a decade.
Mozilla should focus their efforts in their web browser on web browsing. If you need to FTP, Gopher, or torrent over the internet, you can grab a client that does those things.
Why are people still using ftp rather than http?
"But why wouldn't you use some other method to manage your files? Why combine the two?" I dunno, but WordPress is basically that (managing your blog's/site's appearance, content, and server-side plugins, over the same interface/protocol that serves the blog/site) but for blogs & websites, and it's damn near the most successful Web project ever, so there must be something to it unless that's not a big reason for its success (and I'm pretty sure it is).
I can certainly see the appeal if your main focus is serving files, or providing file-serving hosting to others (say, other departments, or to paying clients, or whatever). One daemon to configure for the whole task.
I tried chrome on an ftp:// uri, and it just does nothing. I suspect because it was the Windows default app for ftp uri's, then they dropped support, but that didn't change the mapping in Windows.
My choice has always been Firefox.
To address your concerns though: meter data is not ingested via FTP. That's done using other protocols. It's transferred b2b via FTP over private tunnels. And you're correct Firefox is not used for uploading data. If it were possible it wouldn't even be a good choice given the volume of data we deal with. It is, however, used heavily for accessing the uploaded data by Operations and other teams.
Edit: not sure why this is being downvoted... if you read the actual link, it says they intend to deprecate HTTP.
That's not two important services you've named, but only one, and at some point it will be destroyed; it's only temporary. Hopefully it will last a few decades.
Brewster Kahle, the founder of archive.org, has a saying:
Governments burn libraries.
I do not see the benefit of removing FTP. For security concerns, a big warning as with expired TLS certificates would be an acceptable compromise, IMHO.
But as someone who knows what FTP is and still uses it on occasion, I don't think FF dropping FTP support is going to impact me very much.
I don't think anyone who hasn't heard of FTP is seeking out a browser that specifically does not support it.
WebDAV lets you manage files over the same protocol (but.. why?)
We're in a thread concerning the removal of FTP from Firefox because having extra code around you don't strictly need is, the argument goes, expensive and dangerous. Given the context, I don't think any justification for extra complexity being, per se, something worth worrying about, is needed.
You may as well say, "why have embedded video on the web? Just open video links in VLC."
If you want to know what 02017 was like, you can ask pretty much anybody; most of them will remember pretty well. You may remember yourself. But if you want to know what 01997 was like, well, most people have pretty much forgotten. Did you know they didn't check your ID at the airport in 01997? People would resell non-refundable airline tickets in newspaper classified ads. Airlines wanted to stop this practice, but competition prevented them from instituting mandatory ID checks. Until 02001, when the US entered a permanent state of war on abstract concepts.
It's true that there are a lot of things that are true today that weren't true in 01997. But most of those things are not worth knowing, because they won't be true in 02045 either. In fact, a lot of them won't be true in 02022.
So, losing access to a web page from 02020 is bad, but losing access to one of the few remaining web pages from 01997 is much worse.
Why are there people who think otherwise? Because they never learned to think of the World Wide Web as the greatest library in human history, probably because they don't value libraries or learning; instead they think of it as a way to dunk on their political opponents and consume up-to-date memes from Instagram or Netflix.
It saves a lot of confused users at other government / scientific institutions, where the firewall blocks FTP.
Google found it a convincing enough argument to warrant re-enabling ftp support last year, in light of the pandemic: https://www.theregister.com/2020/04/15/ftp_chrome_deprecatio...
That doesn't mean I'm against deprecation completely. But you can't pretend it won't affect people
>There are no reason to continue using ancient protocol forever.
You undermine yourself with statements like this. I explicitly asked for excruciating detail. This response essentially sums up to "because I said so".
...and it's empirically incorrect, too: You can find a ton of reasons where people need FTP today if you look through this discussion. So many that I'm not going to bother repeating them here.
Also, while in theory SFTP can be as secure as FTPS, in practice it's not. How many people really check that the server public key signature is the correct one? You know that annoying message that appears the first time you connect to a server, where you have to say yes, and if you don't it will not let you continue?
Not checking that gives you the same security as having an HTTPS/FTPS server with a self-signed certificate. You blindly trust the identity of the server, but there could be someone doing a man in the middle and stealing all your data. In that situation, FTPS is more secure, mainly because you need a valid TLS certificate that will give you some guarantee about the identity of the server.
This whole ordeal kind of reminds me of IE8. Whether good or bad, companies stuck to what they knew and what tools they used to carry out their day-to-day. I can easily see updates being avoided to keep FTP functionality at the expense of newer security issues being patched.
I don't really understand the argument that if everyone else drops support that Firefox should too. Firefox could champion themselves as continuing to support various protocols and live the principles they set out for themselves.
“Not on the internet IoT” is basically the domain of either large industrial/commercial entities who already pay engineers to design and operate their gear (and for whom there are a number of viable internal-PKI platforms) or hobbyist tech people who want to do fancy segmentation of their IoT gear (and for whom there are a host of open source PKI helpers).
The general human in 2021 who buys IoT gear puts it on their Wifi and goes back to other things.
Except then you have to find, install, and configure that program, which not everybody may be able or willing to do. We have to trust browsers, for better or worse, and many people may not be comfortable identifying another trustworthy program to handle FTP downloads (due to malware/adware concerns), especially when they're trying to do something else. Having something in the browser saves users a trust decision.
Also, this feature has been so established that lots of stuff was designed expecting it to work that will now be broken. I also wouldn't be surprised if some FTP sites (say with old drivers) just get taken offline without being migrated, due to this.
The net security impact of dropping ftp support from the browser may well be negative.
A lot of sites, especially old ones, are built with the assumption that every browser can access FTP links as you would with HTTP. And so for example a download section is a link to an FTP server.
To me removing it is stupid. Is it a security concern? Not really. Also, not having it in the browser will not make security better; a person who needs it will use it with another client. Will it make the browser faster or smaller? Not really, an FTP client is something really simple, and browsers have had them since forever.
And yes, if I have the URL I can use curl to download the file from FTP, even if downloading it from the browser would be easier. But most of the time there is a link to the server directory, with multiple files to select. Yes, I can use Windows Explorer and connect to the FTP server and browse it, or, to be fair, just open Internet Explorer and paste the FTP link.
It's commercial infrastructure, not a fetish.
You saw the same arguments when the Python Cryptography library started adopting Rust to replace memory-unsafe C code in their C library. People running, like, DEC Alphas in their basements for sport were furious. It was on the front page of HN for several days. It blew over, because nobody really cares about those people in a durable, meaningful way.
Same situation with FTP. It's dead. Stick a fork in it.
For whatever it's worth: those industries should not be relying on FTP. FTP is bad. But I'm not advocating to ban it from the Internet; rather, I'm just saying, nobody should make software security compromises of any sort to continue supporting it.
Server identity keys can be checked using SSHFP DNS records signed with DNSSEC, but that is not really mainstream unfortunately.
I can't speak to WASM, but websockets are literally just a layer over HTTP in some regards -- a websocket connection is initiated by sending an HTTP request with the Upgrade header.
Obtaining a public certificate from a well-known registrar requires Internet connectivity for the ACME protocol, and that's at odds with the other best-security-practice of isolating internal systems like NAS devices well away from general Internet connectivity.
The problem is even worse for home routers. They need Internet connectivity to have a chance of obtaining a certificate, but since they provide that connectivity to a network they can't obtain the certificate until they're set up. But setup generally happens via a web browser and captive portal, so we're right in the middle of a bootstrapping problem.
https/TLS everywhere on the public Internet is a great thing, but it's not a reasonable expectation for private networks with private devices.
What, you're using old unsigned DNS and complaining about security? Or software so old that pinned certificates are outdated?
Getting rid of http or insecure-https support completely would render either them, or your browser, useless, and require that one or the other be replaced.
Your browser doesn't NEED to natively support .pdf but it does and you've probably used that feature. I mean you could have it launch an external .pdf viewer, which is a FAR more complex piece of software than the little FTP protocol code they're disabling here.
Your browser doesn't NEED to support TABs. Your OS is already equipped with the ability to run multiple instances.
Your browser doesn't NEED to sandbox anything, you could just run each instance in its own VM.
Your browser doesn't NEED to play video, it could launch an external viewer.
A: Popularity.
[1] Because the default handler for ftp:// was originally Chrome on my system, which is pretty common. Chrome dropping it didn't change that mapping.
But wait, Windows does that since Vista, except like everything it's faulty.
OMG! Look, everyone: a telepath! ESP IS REAL!
Fallacy of the "general human" aside...how do you configure it? How do you configure your Wifi in the first place?
The app- and service-centric world that people have been forced into by the laziness of developers, the desire for surveillance data, and the deprecation of browser features, is the worst of all possible worlds.
Devices have full network connectivity, so that security camera you bought becomes part of a botnet, hacks your laptop, and installs ransomware or steals your financial info/bitcoin wallet. Companies control your house and your data, so when they disappear, or when Nest pushes out a bad firmware update, your devices (and your thermostat!) stop working.
Technology is realizing only a small fraction of its promise, and rather than empowering people, is acting as just another set of shackles that binds people to the whims of the powerful. The best instruments for changing that, namely web browsers and truly independent, user-owned devices, are being destroyed one small step at a time.
So, in 2021, the question stands, and you've made no attempt to answer it -- how is any device supposed to break out of this sinkhole and restore the power of technology, if browsers block local devices' UIs, and users can't even configure the device without the blessing of Google or Apple?
The answer I gave addressed that directly: there are commercial and open source tools for doing so (MSCA, Vault, EJBCA, smallstep, FreeIPA, to name a few). But the overwhelming majority of actual individual users do not desire to segment their IoT devices off the internet. That’s not a “fallacy”, that’s just a fact.
It’s clear that you have objections to the current state of general purpose computing, and desire that technology existed differently. But that’s a pretty far step away from the topic here.
Web pages that are profit-making ventures, with employees dedicated to working around the latest browser featurectomies, will have no trouble with this sort of constant change. Web pages that are just HTML files that someone uploaded to a server in 02003 will disappear into the memory hole. They're already hard to find, but now they'll be totally inaccessible.
FTP is a bad protocol. HTTP servers are generally easier to run than FTP servers, and especially to run in a secure fashion. None of that is relevant to whether we should break functionality that has been core to the WWW project for 31 years.
No, I mean that a lot of FTP servers by default want you to do password authentication (yes, in cleartext); by default they grant access to your whole filesystem; and a minimal FTP server is significantly more complicated than a minimal HTTP server, and so it's more likely to contain vulnerabilities. Also, by default, most FTP servers support writing to files, and HTTP servers don't. I'm not talking about eavesdropping on the protocol itself or packet spoofing, which I agree are equally easy with FTP and unencrypted HTTP.
This HTTP server I wrote is, I think, 324 instructions of machine code, and it doesn't use any libraries: http://canonical.org/~kragen/sw/dev3/server.s. I think it's plausible that it contains no security vulnerabilities, other than a DoS by flooding it with connections. I have a fair bit of confidence that it doesn't have an exploitable RCE vulnerability. I'm not sure if there's ever been an FTP server we could say that about.
But none of that is relevant to whether we should break functionality that has been core to the WWW project for 31 years.
Of course they do, it's quite normal. Here's Netscape Navigator:
Firefox supported this completely until Fx61, when it disabled FTP subresources on HTTPS. Even then, you could still view HTML pages served over FTP until Fx70.
Not allowing FTP subresources on HTTPS is basically the same as not allowing HTTP subresources on HTTPS, that is just logical.
Wouldn't help for internal network ftp servers, but would ease the publicly accessible part.
(Note that the dreamhost site has a little link icon in the lower left that will generate a link/landing page with all the important bits filled out.)
Alternatively, Firefox could allow standalone clients to register for the ftp:// uri scheme (I think that's already possible) and, if no client is registered, redirect to some info page that explains the situation and offers links to standalone clients.
That's an excellent point...
...So they'll be removing their builtin pdf viewer first then, right? That's a much much bigger chunk of code than an ftp client. Or are they both scheduled to be removed at the same time? I suppose that would be reasonable.
Transferring files.
There's a hint right there in the protocol name.
How many of them know what TLS is? Yet they've probably used it. With computers, you don't need to know what something is to have used it.
Nope. I just clicky the link.
Usually Waterfox if I'm only transferring one, something else if I need to do a bunch.
Do they? Do FTP servers usually just open up everything to any host? That's not the way I've used them. Don't they usually default to sharing one directory and nothing else?
> Also, by default, most FTP servers support writing to files
That's kinda what file system permissions are there for, and it is usually pretty configurable in the server, right?
> This HTTP server I wrote
Love it, but I have no experience writing assembly, and almost no experience writing C, so I cannot say anything more (I just don't have the experience or knowledge). I still have to ask though, is this relevant to something that asks if FTP is needed over HTTP on the protocol level?
> But none of that is relevant to whether we should break functionality that has been core to the WWW project for 31 years.
I think the question here is if it needs to be in the browser though? There are plenty of protocols in wide use on WWW that are not browser supported and considering that none of the "secure" variants of FTP are supported in browsers it does not seem out of the question to remove this.
If this was a priority then I'm guessing that over the last decade or so getting ftps or sftp working in the browser would have been worked on.
Typically they do not allow anonymous access by default, but do not discriminate by host.
> That's not the way I've used them. Don't they usually default to sharing one directory and nothing else?
That's a good default, but historically speaking you had to chroot them to get that behavior. Nowadays you could use Docker.
> [Writing to files] is kinda what file system permissions are there for, and it is usually pretty configurable in the server, right?
Running a server that includes code to write to files is unnecessary for serving up web pages, and it's more likely to accidentally result in the server writing to files than running a server that doesn't. You're more likely to misconfigure a server that's pretty configurable than one that isn't. Filesystem permissions are generally far looser than you want for anonymous access over the internet; I don't want random strangers to read my /etc/passwd or see which versions of what Python modules I have installed, much less create files in /tmp. Filesystem permissions are only usable in the first place (for uploading files) if the FTP server has the authority to set its user ID to the user ID of the authenticated FTP user, which means it needs to run as root until after they've authenticated. Also it means I need to add my FTP users to my real /etc/passwd and /etc/shadow.
> is this relevant to something that asks if FTP is needed over HTTP on the protocol level?
My point with the two-kilobyte secure (?) HTTP server is that FTP is a bad protocol. The reason browsers should continue to support FTP is not that FTP possesses some kind of unparalleled technical excellence, the way NNTP and IRC could be argued to; it's that FTP, however janky it may be, is still useful, and providing better access to existing FTP repositories is one of the main reasons the WWW was created in the first place.
> If this was a priority then I'm guessing that over the last decade or so getting ftps or sftp working in the browser would have been worked on.
There's relatively little advantage to ftps or sftp over unencrypted FTP for anonymous access—you aren't sending the FTP server any files or credentials, just the names of files you want—and no advantage for backward compatibility, since the existing FTP servers you want backward compatibility with aren't running ftps/sftp.
Maintenance-free code is a chimera.
If a large codebase that interacts with any other system/code (either through usage of shared libraries, network connection or a common file format) has not changed, that means there's likely technical debt that hasn't been addressed (or needed to address).
Even if the program was never written for Linux, you can often get it to compile and run by fixing up headers and making some other minor changes to the source code. I’ve had plenty of success compiling and running programs that were only ever designed to run on IRIX or Solaris or other Unix systems.
https://support.cerberusftp.com/hc/en-us/articles/203333215-...
Rsync is not available on the target machine.
Parts of it are, sure, but parts of it are an absolute horror show (the client opens a port, and then the server connects back to it!?), text conversion and binary modes that are based on ASCII, different list formats, etc. It's not great. Worse, it doesn't support the good stuff like implicit TLS extensions.
> Supporting FTP isn't some big technical challenge. The code has been there in the firefox codebase for nearly 20 years now, running just fine. All you need to do to continue to support ftp is nothing at all.
Not at all. Continuing to support FTP means continuing to defend attack surface that's implemented as 20 year-old code, to deliver a feature that in 2021 the majority of people do not use.
It's a cost-benefit analysis. I want Mozilla to do more. If they believe removing FTP support enables them to do more, I'm all for it.
It's simpler than a pdf viewer.
>It's a cost-benefit analysis
If it were, they'd have never added a pdf viewer in the first place. Everyone already had one. Near-zero benefit, huge cost.
>I want Mozilla to do more.
At this point I'm afraid we're just going to have to agree to disagree. For the last 5+ years, every time Mozilla "do more", I throw up in my mouth a little.
Every time I clicked a PDF online, I dreaded the external viewer opening (especially Adobe Reader). I very much liked when they integrated a PDF viewer. Chrome also has one.
I'm willing to bet the internal PDF viewer has at least 100x (more likely 1000x) the users the FTP client had.
This was the justification for removing RSS support.
And look at what Mozilla has chosen to develop instead.
Your reasoning, that "Continuing to support $x means continuing to defend attack surface that's implemented as $y year-old code, to deliver a feature that in $z the majority of people do not use," would ultimately consign every feature on the web to the book-burners' flames, except for the worthless minority of features that the majority of people do use. Chinese HTML text support, I suppose, and biometric authentication, and whatever the latest video codec is.
After all, it's 02045. Who watches videos encoded in VP9 now anyway? It's been obsolete since 02028! Or reads English text? Much less Hebrew? The majority of people do not use those features. Why should we continue to defend that attack surface?
Let's pick something else from this golden age of "browsing HTML pages via the FTP protocol" that people on this thread keep professing: XBM images, the very first image format ever supported by browsers, and used when Marc Andreessen literally invented the IMG tag [0].
XBM is a crazy simple image format [1]. Yet, because it is essentially C code that defines a buffer size and then gives you a char array, caused security bugs over and over [2] in all major browsers. Since virtually no one was using XBM images, the browsers all removed support for it [3].
The browsers removed code that was already written, and abandoned functionality that had already existed, because it reduced attack surface supporting something that virtually no website was using. Exactly like FTP support.
[0] https://eager.io/blog/to-what-extent-did-marc-andreessen-inv...
[1] https://en.wikipedia.org/wiki/X_BitMap
[2] https://www.cvedetails.com/google-search-results.php?q=xbm+i...
Well said. And the more they fail, the more they double down.
But their decisions go beyond incompetence. They might as well be controlled opposition, actively undermining open web technologies.
They deprecated RSS support with very flimsy justifications, but they make supporting the latest DRM standards a top priority, because they are terrified of losing the blessing of Netflix.
Yeah, this pretty much sums it up. A conspiracy minded person might accuse them of all kinds of nasty shenanigans, especially given who their primary funding source is these days.
>They deprecated RSS support with very flimsy justifications, but they make supporting the latest DRM standards a top priority, because they are terrified of losing the blessing of Netflix.
Oh now you're just being cynical. RSS support was like 150 lines of code! A huge attack surface! And it was invented before the year 2000! That makes it useless!
As for DRM, I'm sure that encryption algorithms are much simpler to implement and have less attack surface than an RSS reader, and that Mozilla added this tech for my own good, and that I just don't understand how it's useful to me because I'm dumb.
Well, there is nothing vague here: FTP is a cleartext protocol, and we're migrating towards protocols that provide integrity and encryption.
Sometimes I think it's a generational thing. I find it hard to accept this, growing up with testing all protocols with Telnet and so on. But unfortunately the Internet has changed a lot, and especially bad and unscrupulous people learned how to find all possible and sometimes very creative ways to abuse whatever had been created in the past. So I understand that cleartext POP3, IMAP, SMTP and FTP authentication should go away.
Anonymous FTP is a slightly different beast though. Security-wise, it has the same weaknesses as regular HTTP. But nobody is removing HTTP support from web browsers (yet). So I'm a bit sorry to see it removed from Firefox. There are many better things to copy from Chrome.
HTTP is a cleartext protocol. Why does your browser quietly navigate to any HTTP site you throw at it? Anonymous FTP isn't any less secure than HTTP.
Why does your browser scream at you for connecting to an encrypted but unverified site, such as a self signed certificate on a closed network, but have no warnings at all for an unverified and unencrypted HTTP connection?
How do you know the context that I am using a plaintext protocol in? How do you know I'm not connecting over a patch cable to the computer next to me? How do you know I'm not connecting over an SSH tunnel?
The user should easily be able to override these safety measures.
The only argument I have heard for this is that the user could be tricked into disabling security mechanisms. But that is true of anything in computing. The user could be tricked into typing in rm -rf.
When there is inconsistency like this, it usually implies there is something else going on that we aren't seeing. I have a feeling that companies like Google and Apple have an agenda to move people away from having too much outside of their influence.
I think it's both. For one thing, I think they genuinely do care about security, because any high-profile incident involving their products is a cause of embarrassment for them. At the same time, I have a feeling they would prefer people not inspect the traffic moving in and out of their apps, for example.
This is true, but it ignores the fact that the web has been moving towards deprecation of HTTP in favor of HTTPS.
While FTP is an established standard, FTPS is kind of a nightmare with different and incompatible variants.
Sometimes there's nothing wrong with transferring stuff in cleartext.
Screaming vague and meaningless "for security!" mantras isn't helpful.
> The biggest security risk is that FTP transfers data in cleartext, allowing attackers to steal, spoof and even modify the data transmitted.
I don't know how realistic that type of attack is and compromised authentication is likely worse, but both are cases that Mozilla cannot fix since they are inherent to the protocol itself.
What I'm saying is: is there a meaningful difference? Both need to bind to a port that is privileged and read files from the served directory. There is no difference between an FTP server and a web server from a permissions/privilege perspective.
The parent explicitly mentions that there are no warnings for a cleartext http connection, but warnings for an encrypted connection to a self-signed certificate.
This is security theatre, not actual security.
I asked how many times you saw this exploited in the wild, not "how would an attack theoretically work".
You're contradicting yourself here; Hebrew is a language used by millions of people (about ten million, so 99.9% of the world's population does not use it) and also an old format (about 3000 years old). "Pruning" support for old formats makes history inaccessible; "pruning" support for old protocols requires constant effort to keep your servers compatible with whatever is fashionable with today's cascade of attention-deficit teenagers [CADT].
And if we follow your originally stated reasoning, "Continuing to support $x means continuing to defend attack surface that's implemented as $y year-old code, to deliver a feature that in $z the majority of people do not use," we ineluctably arrive at the conclusion that we should remove support for languages used by millions of people.
Taken literally, we should remove support for all languages, since no language is used by more than 50% of the world population, but in keeping with the principle of charity, I interpreted your "majority" as "vast majority". I'm not sure where exactly the vast-majority cutoff lies: a feature that 90% of people do not use? That would include all natural languages except English and Chinese. 95%? All languages except those, Hindi, and Spanish. (In particular, it leaves out all those RTL languages that cause so much complication in text rendering, like Arabic.) 99%? That leaves 20 languages, but not, for example, Persian, Swahili, Italian, or Thai. Even a cutoff of 99.9% might leave out Hebrew, Uighur, and Greek.
What percentage of users do you think use View Source? The web inspector? Printing?
That's not a strawman argument; it's a slippery-slope argument. And, I think, it's a valid slippery-slope argument. If we are going to avoid removing support for these things, we need a better basis on which to make the decision than, "Continuing to support $x means continuing to defend attack surface that's implemented as $y year-old code, to deliver a feature that in $z the [vast] majority of people do not use."
I do agree that there needs to be some kind of cutoff. Gopher is probably below it; WAIS and XBM certainly are. But FTP?
XBM was never very widely used in web pages because it didn't support color, grayscale, or compression, although for a little while it was the only image format supported by browsers that supported transparency. I did put it on a few of my web pages, but as soon as Netscape added support for transparent pixels in GIFs, I switched over and never looked back. This would have been about 01994.
By contrast, there are about 1.1 million anonymous FTP servers today, one out of every 4000 public IP addresses, and about one for every 30 HTTP(S) servers: https://zakird.com/papers/dsn-ftp.pdf That's more than the number of HTTP servers that existed for the first seven years of the Web, up to 01997: https://news.netcraft.com/archives/2021/05/31/may-2021-web-s...
You can be sure that there's millions of people using them. Probably more people than speak Hebrew, in fact.
Hopefully the browser makers will be transparent with this telemetry.
Popularity is not a valid measure of value. The July 02021 issue of People magazine sold 3 million copies, in a single month, and is almost completely devoid of value. (Maybe in 02068 it will provide valuable insights into vapid 02020s US popular culture.) Amazon tells me Claude Shannon's Mathematical Theory of Communication is outsold by 185,210 other books at present, so perhaps it has sold 100 copies this month, but it is the foundation of data compression, error correction, and significant amounts of artificial intelligence work. One Hundred Years of Solitude has sold about 50 million copies—over the past 54 years, so perhaps it sells 80,000 copies a month, 40 times less than the July 02021 issue of People. (But probably less; it probably doesn't sell as much as it did 30 years ago.)
40:1 is more than the ratio between the number of HTTPS servers and the number of anonymous FTP servers.
* ftp://ftp.isc.org/isc/ – also available as http://ftp.isc.org/isc/
* ftp://ftp.oreilly.com/pub/ – only available as FTP
For the O’Reilly URI, it’s convenient to be able to click on directory links in the browser and then open HTML and PDF files without requiring another program.
So, it’s nice to have native FTP handling in Firefox for the odd time I’d use it but I can understand why Mozilla decided to remove it.
Seems legit.
I mean, it's opposed by the argument that it used to be popular. It's a pretty low bar.
FTP is a protocol that dates to when NCP was the protocol suite that ran the Internet. It was retrofitted to TCP/IP. That's why there's a command session and a data session. The protocol is so old that it dates to a time when IP+port was the unique identifier for a half-duplex connection. Nobody even uses active FTP anymore because everyone has firewalls now.
It's not like web browsers have added SFTP support. They haven't even added FTPS support (either flavor) as far as I'm aware. I just don't see many use cases for FTP anymore. Why would you choose FTP at this point over HTTP(S), SFTP, BitTorrent, etc.?
The last system I used that required FTP actually used implicit FTPS. Worse, when the vendor implemented SFTP to replace FTPS like their customers had been demanding, they actually implemented Simple File Transfer Protocol (i.e., RFC 913) and not SSH File Transfer Protocol. I wish I were joking.
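The two-connection design described above (a command session plus a separate data session, set up by PORT in active mode or PASV in passive mode), as an added example that is not from the thread or from Firefox: Python that encodes and decodes the RFC 959 host/port form and applies the check a cautious client makes on a PASV reply, refusing to follow the data connection to a host other than the control-connection peer. All addresses and reply lines are constructed.

```python
"""Encode, decode and sanity-check the address form FTP uses to set up its
second (data) connection.  Added example; not code from the thread or from
Firefox.  Sample addresses and replies are constructed (RFC 5737 ranges)."""
from __future__ import annotations

import ipaddress
import re

# RFC 959 writes the address as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
# RFC 959's example wraps it in parentheses, but RFC 1123 tells clients not
# to require them, so the pattern only looks for the six numbers.
_PASV_REPLY = re.compile(r"^227 .*?(\d{1,3}(?:,\d{1,3}){5})")


def encode_host_port(host: str, port: int) -> str:
    """Build the 'h1,h2,h3,h4,p1,p2' form for an IPv4 address and port."""
    if not 0 < port <= 65535:
        raise ValueError(f"port out of range: {port}")
    octets = str(ipaddress.IPv4Address(host)).split(".")
    return ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def decode_host_port(spec: str) -> tuple[str, int]:
    """Parse 'h1,h2,h3,h4,p1,p2' back into (dotted address, port)."""
    fields = spec.split(",")
    if len(fields) != 6:
        raise ValueError(f"expected six comma-separated numbers: {spec!r}")
    nums = [int(f) for f in fields]
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError(f"byte out of range in {spec!r}")
    host = ".".join(str(n) for n in nums[:4])
    port = (nums[4] << 8) | nums[5]
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return host, port


def active_port_command(client_ip: str, listen_port: int) -> str:
    """Active mode: the client listens and tells the server where to
    connect back.  That inbound connection to the client is exactly what
    stateless firewalls and NAT drop, which is why passive mode won."""
    return "PORT " + encode_host_port(client_ip, listen_port)


def parse_pasv_reply(line: str) -> tuple[str, int]:
    """Passive mode: the server listens and announces the address in a
    227 reply such as '227 Entering Passive Mode (192,0,2,10,78,32).'"""
    match = _PASV_REPLY.match(line.rstrip("\r\n"))
    if not match:
        raise ValueError(f"not a valid 227 reply: {line!r}")
    return decode_host_port(match.group(1))


def passive_data_endpoint(control_peer: str, reply: str,
                          trust_server_address: bool = False) -> tuple[str, int]:
    """Decide where the data connection should go after a PASV reply.

    The server (or anything that can inject into the cleartext control
    channel) may advertise an arbitrary address.  Unless explicitly told
    to trust it, a cautious client ignores the advertised host and reuses
    the control-connection peer, and refuses privileged ports (< 1024)."""
    host, port = parse_pasv_reply(reply)
    if port < 1024:
        raise ValueError(f"server advertised privileged data port {port}")
    if host != control_peer and not trust_server_address:
        host = control_peer
    return host, port


def is_acceptable_pasv_reply(control_peer: str, reply: str) -> bool:
    """True if the reply parses and passes passive_data_endpoint's checks."""
    try:
        passive_data_endpoint(control_peer, reply)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed exchange: control connection already open to 192.0.2.10.
    peer = "192.0.2.10"
    print(active_port_command("192.0.2.50", 40000))
    print(passive_data_endpoint(peer, "227 Entering Passive Mode (192,0,2,10,78,32).\r\n"))
    # A reply that tries to steer the data connection to a third host:
    print(passive_data_endpoint(peer, "227 Entering Passive Mode (198,51,100,7,4,210)"))
    print(is_acceptable_pasv_reply(peer, "227 Entering Passive Mode (192,0,2,10,0,21)"))
```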
I'm seeing this a lot today. It's almost like people have forgotten what FTP stands for.
The use case is transferring files.
>Why would you choose FTP at this point over HTTP(S), SFTP, BitTorrent, etc.?
Because I don't have a client for any of the others installed
I can’t think of a scenario where I would need FTP in 2021. Can you point me at one?
* ftp://ftp.kontron.com/Products/Motherboards/Industrial/D3544-S_Mini-STX/Documentation/
* ftp://ftp.panasonic.com/pub/panasonic/call_center/firmware/
One advantage of ftp is that it is much easier to have access control on different resources than dealing with .htaccess files so it was popular with customer service.
The consequence will be that many ftp servers still hosting software/firmware for legacy products will be taken down and their content lost.
Archive of apple 2 software and documentation. I use it a lot.
Oh wow! Cool! I'm so impressed!
So what you're saying is that because you "use the internet a lot" that you know everything about the requirements, hardware, software, and most importantly limitations of every single internet user on (and off!) the planet.
I guess I should at least give you some credit for not having any problems with self-doubt.
I had to use it this past weekend to get some firmware from the vendor for a network switch. ¯\_(ツ)_/¯
Not that I'll really miss it in Firefox but still...
Why was I forced to install a substandard, feature-poor, ridiculously slow pdf viewer that I never wanted and which took over as the default pdf viewer against my wishes and without asking me, just because you couldn't be bothered to install a decent one?
>I'm willing to bet the internal PDF viewer has at least 100x (more likely 1000x) the users the FTP client had.
Yeah, that tends to happen when you change the defaults without asking.
> The consequence will be that many ftp servers still hosting software/firmware for legacy products will be taken down and their content lost.
Even if all the browsers dropped support for FTP, Finder and Explorer both have native FTP support, and there are plenty of clients otherwise. I doubt those resources will be taken offline.
Yes, and it's not particularly unique or well suited to that task over any other protocol.
> Because I don't have a client for any of the others installed
Then I guess you can use telnet for FTP as well as web browsing.
When the files are on an FTP server it is. And given that there are more than a million anonymous FTP servers on the internet today, there are a lot of files that are on FTP servers.
Multiple web browsers have embedded PDF viewers because the PDF viewing experience for most people sucked so much. That's not a product decision taken lightly.
Your personal experience does not reflect that of many other browser users, it seems. Even on mobile I dread clicking a PDF link.
But it's nowhere close to the complexity of the entire web stack, not within an order of magnitude. It's much, much simpler.
I'd respond to the rest of your vague and incorrect opinions, but why would I do that if you're not even going to bother to address my points despite me asking you to repeatedly?
If I must spell it out, there you go:
> Why was I forced to install a substandard, feature-poor, ridiculously slow pdf viewer that I never wanted and which took over as the default pdf viewer against my wishes and without asking me, just because you couldn't be bothered to install a decent one?
Because you are part of a minority of Chrome and Firefox users and I'm probably part of the majority of users, in this regard. I don't know this for sure, but if a Google program manager decided to back building and embedding an entire PDF reader into a browser, I'm 99% convinced this is true.
We're dumb and you have to live with us.
Life's tuff.
No, because it opened automatically and was nearly seamless. I didn't even notice that I'd been moved to Finder at first.
BUT: you do have to concede that it's not a technical reason. It boils down to "Adobe are goddamn useless, let's just do their job for them because it will make our life a bit easier". There's no requirement for pdf viewing in the HTML spec or anything like that. It's not required for web browsing and it doesn't really have any place in the browser in a technical/engineering sense - from an "engineering purity" perspective these two things should be separate, even if you do like your pdf viewers written in javascript. The "correct/pure" engineering solution would have been for them to bundle their awful javascript pdf viewer in an electron(ish) app and release it as the "google pdf viewer", with all the requisite spam in gmail and the technical press, and to have chrome default to it if it's installed. Hell, you could make it a separate application and still bundle it with chrome.
There must have been a LOT of support enquiries about "the adobe doesn't work" for it to survive a cost/benefit analysis for implementing an entire pdf viewer. That's not a trivial piece of work that somebody churned out in an afternoon (despite the performance of the thing feeling like it ;) )
If I was that product manager, I would not make that decision lightly. First I'd have built a special page into my support area that redirects the user to adobe.com/support if they type "pdf" or "adobe" into the "search support" bar. (You know what I mean - you've seen it in action on help desk sites where they try to fob you off rather than just giving you a "contact us" box straight away).
This is all a whole lot easier to implement than a pdf viewer. In fact if you're using something like zendesk you get it for free. For me to decide to build a pdf viewer into my browser, I'd have to be getting a high volume of support emails about it after I'd implemented the change above.
I don't think that's what happened.
In the post I largely ignored, you said:
>Multiple web browsers have embedded PDF viewers because the PDF viewing experience for most people sucked so much
Allow me to give you an alternate explanation / interpretation, which I admit might come across as "a little bit cynical" or paranoid, but which I believe to be more fully borne out by the facts than the "cost/benefit analysis" theory you advocate. I don't think "multiple browsers" did that at all. Here's my theory:
1. Google decided to build a pdf viewer into chrome because they were busy trying to turn chrome into an operating system (see also: chrome os), and they knew that would mean including a pdf viewer, since a pdf viewer is a fairly essential tool for an operating system if it wants any kind of mainstream adoption. This had the added side-effect that for many users their pdf viewing experience would improve, because adobe are basically incapable of doing software. So it was really a "two-fer" for google.
2. Mozilla, seeing google's announcement for a pdf viewer built into their browser, did what Mozilla has been doing for the past decade: copy Chrome without giving any thought at all to any of the considerations you and I are discussing today. Or indeed any consideration other than "what is google doing with chrome this week?".
Now, I do try to keep my paranoia and cynicism in check, but to me this seems like a far more likely explanation. Perhaps I'm wrong. It would be kind of nice if I was. If you have some data to support your theory I'd love to see it.
I don't have much data to back up my theory. I can't be bothered looking into what chrome's support site was like pre-pdf-support. But I do have one data point: I can confirm that chrome added pdf support first, with Mozilla aping them almost immediately (they were pretty much at parity within a year or two).
Maybe Mozilla had coincidentally already done a full cost/benefit analysis of adding a pdf viewer before google went live with theirs. It's not impossible. But it seems a little unlikely to me.
</rant> ;)
>I didn't even notice that I'd been moved to Finder at first.
You... can't tell finder from a web browser??
There goes 100% of your credibility with regard to UX.
Of course I can tell the difference between a browser and the finder. My point was the transition was so seamless that I thought Safari was embedding the finder in the Safari window until I looked up at the app bar and realized it had actually switched apps.
But feel free to go on dismissing me, since it's clear from your comments that you think no one in the world is right but you.
What's the "good" interpretation? That you suffer from an attention deficit disorder, so it's not your fault that you have no clue what you're looking at and the things you're saying are patently ridiculous?
> I thought Safari was embedding the finder in the Safari window
So, to summarise, your argument is that you have no idea about how your software works or what it does. It felt "seamless" to you because you had no idea what to expect and think your browser magically embeds other applications now.
Just in case I wasn't clear last time: If you think that switching to an entirely different application is a reasonable thing to miss, you have zero credibility where UX is concerned.
>it's clear from your comments that you think no one in the world is right but you.
Lots of people who aren't me are right. It's just that statistically speaking those people tend to agree with me on most things.
Kragen, for example, has been saying things that are right all day (In particular I found this treatise on security stuff to be damn near sexy: https://news.ycombinator.com/item?id=27900935).
Even some people who disagree with me on a bunch of points have said things that are right. It's happened today. And you'll see me acknowledge them when they happen if you look.
The reason you haven't seen that is because you haven't said anything that was right.
But if you really believed this assertion you could easily prove it accurate: All you'd need to do is say "OK, yes, I had no clue what I was looking at. I don't know why I thought the finder was in a web browser. I guess I was just confused. That was dumb and inattentive of me". If your theory is accurate I won't be able to agree with that.
You know, you're really not in a good position to criticize other people in this conversation with exaggerated complaints about their intellectual arrogance.
"my UX wasn't diminished"
"nearly seamless"
That's pretty funny.