back to article In a complete non-surprise, Mozilla hammers final nail in FTP's coffin by removing it from Firefox

Mozilla has finally expunged File Transfer Protocol (FTP) from the Firefox browser – an action already taken by other major browsers like Chrome and Edge, making Firefox 89.0 the last bastion of the protocol. The company explained yesterday that it will end FTP support in Firefox 90 as part of its drive to a browser that's all …

  1. Antron Argaiv Silver badge
    Unhappy

    fond ftp memories

    In the early 90s, I worked at Data General. We engineers had just received Sun workstations, to use for schematic capture. No instruction, just dropped on our desks. We felt our way around SunOS, and discovered all the Unix tools, including nntp and ftp...and, for me, comp.os.minix. Because Unix was so much neater than Windows 3.1.

    I spent a good bit of time downloading Linux floppy images of tsx-11.mit.edu and decwrl.dec.com. ftp was the way you did that sort of thing, pre-web. It was also how you got things like image and waveform manipulation tools, which you ftp'd off the author's host and compiled for your machine. No packages back then, and "open source" wasn't really a term people used. They just put the code up on their machines and you ftp'd it.

    I used ftp recently to deliver design files to my PCB layout contractor. Still available on the Win10 command line...for that [almost] old-timey Unix feel...

    1. Plest Bronze badge
      Happy

      Re: fond ftp memories

      FTP is still useful for data that has not real value but without the (S) prefixed most sec bods will go ballistic if they find any FTP clients on the network. God forbid an FTP server or port 21 is found to still be open, "Nail 'em up!" the cry is heard!

      1. NoneSuch Silver badge
        Pint

        Re: fond ftp memories

        No better protocol for ISO images.

        1. Korev Silver badge
          Headmaster

          Re: fond ftp memories

          The funny thing is that Bittorrent is actually better as all the chunks are checksummed. Good luck trying to get the authorisation to actually do it though...

          1. sev.monster Bronze badge

            Re: fond ftp memories

            It really is a shame that torrenting gets such a bad rap due to its decentralized nature allowing nasty nancies to go wild—same with any cryptocurrency no matter how beneficial. Just because miscreants misuse it doesn't mean everyone has to. I can't even use it on my home ISP without them complaining, no matter what the content of the torrent is.

            1. Michael Wojcik Silver badge

              Re: fond ftp memories

              Bittorrent actually makes a lot of sense within organizations, particularly if employees need to distribute a lot of large files to many recipients (such as pre-release product builds). Rather than everyone pounding on the same server or small cluster you can let employees peer-distribute. Better latency, better use of bandwidth, better resiliency.

              But few organizations seem to realize this. I suggested it years ago but most people here continue to use FTP (sigh)1 or SMB (yuck) or Sharepoint (beyond yuck) for this sort of thing.

              We do have Filr (because it's our product), which IMO is one of the better versions of the Dropbox-style "HTTPS plus a native client if you must" approaches. But while it's pretty convenient and responsive – certainly far better than SMB – it doesn't have the peer-to-peer advantages of Bittorrent.

              1Don't get me wrong. FTP in passive mode has its uses, and it runs just fine over TLS, so this "FTP is plaintext!" panic is bullshit. FTP's use of separate data and control channels, for all the problems that causes, makes it maximally efficient for a single-server data-transfer mechanism while still being responsive to control flow. But many FTP holdouts don't bother running it over TLS, and the FTP haters have made it inconvenient for non-technical users.

              Fortunately Pale Moon still supports it. Firefox, Chrome, and Safari can just fuck off as far as I'm concerned. When I want a nanny I know where to find one.

      2. martyn.hare
        Thumb Up

        FTP with IP restricted challenge/response, encrypted payloads, plus signed checksum files…

        There’s a lot that security bods could learn from choosing stable, well-tested software with simplified monitoring and debugging capabilities. FTP when correctly configured is still vastly safer to use than modern alternatives, complete with better performance and far less maintenance required for long term use.

        Separating out the mechanisms used to provide confidentiality, integrity and availability is a much better approach than the overly-complex quagmire we find ourselves with today. There’s just no two ways about it. Perfect is the enemy of good and all that…

        1. Charles 9 Silver badge

          Re: FTP with IP restricted challenge/response, encrypted payloads, plus signed checksum files…

          "Separating out the mechanisms used to provide confidentiality, integrity and availability is a much better approach than the overly-complex quagmire we find ourselves with today."

          NOT when you need the KISS Principle, especially when dealing with a Dave...and Daves outnumber us by at least an order of magnitude. And forget about requiring a license to use the Internet...

    2. Dave559 Silver badge

      Re: fond ftp memories

      ftp.aminet.net FTW! [1]

      Or the name of your friendly convenient mirror: you got a good feeling for the geography of the net back then (and the sometimes non-obvious short domain names that many sites used), back in the good old days; src.doc.ic.ac.uk, ftp.uni-paderborn.de, ftp.sunsite.dk, ftp.wustl.edu, etc…

      It sort of did feel like you were playing the game Hacker, tunnelling all around the world to download the latest exciting new freeware or shareware programs (and mega-demos!)…

      [1] Of course, the aminet.net domain didn't actually originally exist way back then, as Aminet pre-dated the web, and it was the ftp sites that had all the info, and the mirror sites gained web front ends later on, so there still wasn't really a need for a canonical web presence…

  2. karlkarl Silver badge

    They have removed FTP before they implemented an SCP or SFTP replacement?

    Should this not be logged as a bug report?

    For my own software, I tend to implement replacements *before* I remove obsolete features. Does this not make sense to everyone?

    1. katrinab Silver badge
      Paris Hilton

      scp and sftp are available on Windows.

      https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_keymanagement

      Alternatively, install Windows Subsystem for Linux and install your favourite linux distro on it.

      Debian and Ubuntu seem to be the most reliable on Windows from my testing. Of those, I prefer Debian.

      1. Anonymous Coward
        Anonymous Coward

        Fine advice, but not relevant to the article or browser

        And yes, they should have added support for sftp/scp/ssh to the browsers decades ago. That they didn't isn't surprising to me. Neither would have made selling out their users to the likes of google, facebook, and twitter and more profitable so why bother. So now it's all http all the time.

        FTP only hung on as long as it did because lazy script kiddie web designers didn't know how to copy assets onto a webserver any other way.

        1. doublelayer Silver badge

          Re: Fine advice, but not relevant to the article or browser

          "And yes, they should have added support for sftp/scp/ssh to the browsers decades ago."

          Why should they do anything like that? SSH is a control protocol, which has very little to do with browsers. Why should a browser do the job of an SSH client when you can go get an SSH client? At least with FTP, the browser's job of downloading files is part of what FTP is for. Similarly, I don't think a browser should implement the uploading features of an SCP/FTP client, because that's not its purpose.

          A browser, to me, is a tool for getting files over certain protocols and displaying them to the user, and shouldn't try to do much more than that. Opinions vary on what documents a browser should display (run scripts in them, have a PDF viewer in them, etc), but I would hope that we don't also have to shove every other kind of program into that.

          1. sev.monster Bronze badge
            Unhappy

            Re: Fine advice, but not relevant to the article or browser

            Unfortunately for your worldview, the bog-standard web browser is no longer just something to "get files over certain protocols and [display] them to the user." It is a platform to which the entire rest of the system is exposed on, and whole applications are developed for. At this point the web browser is an abstraction layer to the rest of the system, utilized to make cross-platform applications.

            Not saying I like it, but that is the world we live in now.

            1. doublelayer Silver badge

              Re: Fine advice, but not relevant to the article or browser

              That is unfortunate, and as you probably already determined, I don't really like this. Even so, it doesn't change my original point. If the web browser is displaying a document which is effectively an application, then someone else can with great ease implement an SSH client that runs on it. There is still no reason for that to be integrated into the browser.

        2. Bitbeisser
          Devil

          Re: Fine advice, but not relevant to the article or browser

          Hey, they ditch FTP and such so they can better snoop on those people that are stupid enough to use a web browser for their email...

    2. Peter2 Silver badge

      Be honest; did you actually use FTP in a web browser?

      Web browser clients only offered the ability to download; for uploading even windows explorer was a better solution than offered by any of the web browsers.

      Which is a moot point, given that everybody used Filezilla for FTP sites because it was the best tool for the job.

      1. karlkarl Silver badge

        The classic one that I used from browser was ftp.idsoftware.com

        It was a good experience. Being able to download from a plain list of files without Javascript, adverts and other nonsense.

      2. The Unexpected Bill
        Go

        Using FTP in a browser

        Yes, I absolutely still do, or at least I did until Fx 90 landed. (In fact, I pref'd it back on in Firefox 88 and 89.) Adobe in particular still maintains an FTP site with patches and other updates for software new and old. HP's FTP site is also still running, and quite handy for products they have "forgotten" about, or at least it is when they haven't helpfully purged the files from there as well.

        It won't be as convenient to use a standalone FTP program for quick downloads like this.

        1. Yes Me Silver badge
          Facepalm

          Re: Using FTP in a browser

          But why haven't you disabled FF updates? It's not hard. (This message brought to you via Firefox 71.0.)

          1. sev.monster Bronze badge
            Boffin

            Re: Using FTP in a browser

            Because people like the new shinies, including webdev monkeys that require the latest and greatest new JS features to power their incredibly streamlined and fancy Angulareact Vuenode Gruntygulp 10.3b—now requiring only 12GB of memory to function, a 10% decrease from the alpha.

            Oh, you want to log in to your Internet banking? Sorry, we require the latest Firefox Nightly or Chrome Canary build to use some silly function that could be backported with a single line of Mochacoffeescriptachino, but our web framework doesn't support it so we can't. Oh also, your browser must support and allow us to use your camera for our cheque scanner, and the site will mysteriously break should it not be allowed to do so.

      3. ChrisC Silver badge

        *Did* I? Yes, countless times over the years where firing up a full-fat FTP client would have been overkill.

        *Do* I still? On occasion, when dealing with firmware/driver updates for certain bits of hardware where the manufacturer hasn't felt the need to spend/waste any time on providing a HTML front end to their download folder, and just points you in the direction of the relevant location on their FTP site instead...

        1. Charlie Clark Silver badge

          But the problem for downloads, especially drivers, is that without encryption they're subject to MitM attacks…

          1. Richard 12 Silver badge
            Holmes

            True

            But one checks the hashes post download, which would detect such shenanigans, and thus try again.

            A miscreant can of course easily see what you downloaded, but I can't say I'm worried about that for FTP.

            1. doublelayer Silver badge

              Re: True

              If you have a particularly determined MITM attacker, they'll check whether you read the hashes of the file you're downloading and switch them for the hashes of the file they're sending. I admit that's not a very likely event, but if they're already prepared to modify your download, that is a way to bypass your hash check.

              A larger risk is people who don't know to check for integrity or who are lazy enough that they don't, in which case there could be a security risk. Not in my opinion a strong one, but strong enough that I'll give users an encrypted method to download things.

            2. Charlie Clark Silver badge

              Re: True

              Where or how does FTP implement hash checking? I download loads of stuff for which there is no hash present. Fortunately, I know my software distribution system does use hash-checking.

              And, again, this is still not an argument against using TLS

        2. foxyshadis

          There is no possible way that any "full fat" FTP could be more than a rounding error against a web browser today. The fattest I can think of is Filezilla, and that pops open and starts downloading in half a second, let alone lighter ones like WinSCP or ye olde WS-FTP, or on Linux the window manager's default browser.

          1. ChrisC Silver badge

            You're making the fatal assumption that I was starting off from a clean slate with neither browser nor FTP client already open...

            In reality, the likelihood of me already having at least one browser open is high, whilst the likelihood of me already having a FTP client open is somewhere approximating zero. In such a scenario, no matter how little effort would be required to open said client, it's still infinitely greater than the effort that wouldn't be required to open the browser that's already open and waiting to be used. Thus, overkill.

      4. Korev Silver badge
        Boffin

        > Be honest; did you actually use FTP in a web browser?

        Yes, a lot of scientific datasets are available using FTP, and it was more convenient to look at the directories in a browser than firing up an FTP client. If downloading more than a couple of files then I'd usually find the path in a browser and then automate with LFTP though.

      5. oiseau Silver badge
        Thumb Up

        ... did you actually use FTP in a web browser?

        Never.

        Many (many) years ago, when I was on the Windows side of office/desktop users, I used WS_FTP by Ipswitch.

        They had a freeware version for the likes of me, good software that worked beautifully well.

        O.

      6. tiggity Silver badge

        I used FTP in Firefox, until they broke add ons by going the chrome model, I occasionally used FireFTP addon as very nice browser addon tool for FTP upload when required.

        A lot of places still use FTP internally & you would be surprised how many companies still expect you to get / send data via FTP rather than via API calls in their "integration" of data between systems.

        ... I can even remember way back when some third party card payment / authorization systems used FTP as the interface ... there's a bit of scary for you!

      7. Michael Wojcik Silver badge

        Yes, and I still do, because I use Pale Moon, not one of the crippled "major" browsers.

        And when I need more functionality than LIST and GET, I use a command-line FTP client. Filezilla is fine for point-and-drool fans; I don't have time for that nonsense.

    3. Flocke Kroes Silver badge

      Personal opinion

      I use scp and sftp when I want a secure file transfer. Using those protocols through a browser defeats the purpose. Likewise normal ftp is a sufficient security disaster that I would only consider it on an air-gapped network. Putting a cloud in the middle is as daft as requiring javascript for internet banking.

      1. Dave559 Silver badge

        Re: Personal opinion

        What's your objection to using sftp through a web browser?

        It sounds like nothing that sensible modular design would have any problems with.

        I don't use it any more, but, if I recall, because of such modular design, the Konqueror web browser could deal with sftp: URIs perfectly happily since a long time ago, and most Linux file managers also have similar features (insert obligatory grumble about how it's really a bit shit that the MacOS Finder can handle the alien smb: but not the native sftp:).

        At the very least, any half-decent web browser should pass-through an sftp: URI to your preferred file manager (or sftp client) if it doesn't know anything more about what to do with it.

        1. Charles 9 Silver badge

          Re: Personal opinion

          Running a protocol handler to an external program isn't the issue. Firefox still supports these so can pass them along to WinSCP or whatever. The debate was whether or not to handle the protocol internally like in the bad old days.

    4. Charlie Clark Silver badge
      Stop

      https is the replacement. At least as far as browsers go. Can't remember the last time I fired up a pure ftp session simply to download something. For the rest, Mozilla did go into considerable detail when they made the announcement.

      1. A.P. Veening Silver badge

        Can't remember the last time I fired up a pure ftp session simply to download something.

        I can still remember the time I fired up a pure command line FTP session on an AS/400 to upload something (from production), the automated FTP-tool had failed (again) in the night job.

    5. Colin Miller

      WinSCP

      WinSCP ( https://winscp.net/eng/index.php ) is a good tool for scp and ftp, on Windows

      It has two explorer-like panes, the left local and the right remote. You can also drank from the right into another explorer and vice-versa

  3. Forget It
    Go

    Winscp is your friend

    https://winscp.net/eng/download.php

    1. Charles Calthrop

      Re: Winscp is your friend

      Yes, I greatly prefer winscp to filezilla.

      Ah, the joys of the mid90s, finding ftp sites full of mp3s.

    2. Plest Bronze badge
      Thumb Up

      Re: Winscp is your friend

      That WinSCP library has been so useful, lock it into PowerShell scripts and you have some very usable and flexible features for automating stuff.

      The guy who develops WinSCP is one of the true unsung heroes of modern IT!

      1. phuzz Silver badge

        Re: Winscp is your friend

        Doesn't Powershell have SCP built in already?

        I checked, and yup, OpenSSH (including SCP) has been part of PowerShell since the Autumn 2018 update.

        No diss to WinSCP though, I use it all the time, it's great.

    3. Anonymous Coward
      Anonymous Coward

      Re: Winscp is your friend

      I use winscp for FTP to upload homebrew to consoles. All on my local network and the server is started as needed.

      It's been a very long time since I used FTP for anything else, although I used it all the time in the innocent days of the 1990s internet.

    4. ecofeco Silver badge

      Re: Winscp is your friend

      Thanks! Downloaded.

      Looks perfect.

  4. TeeCee Gold badge
    Facepalm

    Root cause.

    One might be driven to ask WTF it was doing in a bloody browser in the first place!

    Oh yes: "Oooo. Lusers lurve this tool. I know, we'll build it into our browser and they'll use that rather than XYZ browser, 'cos they're lazy bastards who hate using the right tool for the job if it takes an extra two seconds.".

    See also: Adjustable spanner / swiss army knife.

    References: Bloatware. Attack surface.

    1. IGotOut Silver badge

      Re: Root cause.

      Yes because browsing a site then clicking a link is such a luser (how old are you?) thing to do. It is so stupid compared to browsing the site, right clicking and copying the link to get the address, opening up ftp client, setting all the required permissions and then downloading.

      How's the crank handle on your car?

      1. Flocke Kroes Silver badge

        Re: Root cause.

        The crank handle on my ftp client could get shell globs, recursively fetch directories and continue a download that had been interrupted. Some of these features may be available on modern vehicles with built in starter motors but I am sure the user interface changes with the moon. For anything non-trivial I still use wget or curl.

        Don't be too proud of this technological terror that has been created for you. You can still suffer the death of a thousand mouse clicks.

    2. rg287 Silver badge

      Re: Root cause.

      Zawinski's Law

      Every program attempts to expand until it can read mail. Those programs which cannot so expand are replaced by ones which can.

      More seriously, in the case of Firefox it came from Netscape, which was an "Internet suite" that included email, FTP, browsing, even support for Gopher. It was an era when ISPs used to give people email and free web-hosting with their internet.

      It was useful back then.

      Zawinski also said (in 1998!):

      We're at the beginning of an industry, and this could all turn into television again. It could be controlled by a small number of companies who decide what we see and hear. And there's a lot of precedent for that.

      Probably not a difficult prediction, but accurate nonetheless. Though if he'd tried to pick winners, he'd have got it wrong because at least two of them didn't exist yet.

      1. ecofeco Silver badge

        Re: Root cause.

        Netscape also had Composer, which I built my first websites with!

        And Newsgroups which I used to access usenet

    3. Yes Me Silver badge

      Re: Root cause.

      "One might be driven to ask WTF it was doing in a bloody browser in the first place!"

      Because Tim Berners-Lee put it there, because in 1993 it would have been unthinkable not to support FTP, because that was where all the data was.

  5. Trigun

    Not used FTP for well over a decade, mostly due to securiuty concerns. I tend to use winscp - usually over a VPN as well (depending on what I've transferring and to where).

  6. heyrick Silver badge

    but there's always someone wanting to stick with legacy systems.

    When you have some older machines running in their own little world, a simple protocol like FTP is useful for shifting files around.

    1. Version 1.0 Silver badge

      Re: but there's always someone wanting to stick with legacy systems.

      I think that Kermit was better - I used it all the time about 40 years ago. The nice thing about Kermit and FTP was that they made it easy to move files between different operating environments.

      1. Lil Endian
        Pint

        Kermit!

        Wow! Memory lane!

        I can remember bodging serial cables from multiple lengths of speaker wire to transfer between machines :)

        Cheers!

    2. Charles 9 Silver badge

      Re: but there's always someone wanting to stick with legacy systems.

      Then SFTP would be the alternative, especially since Secure Shell is now the preferred remote login method, and SFTP uses Secure Shell as the wrapper. Meaning if you ssh onto your server, then you should be able to sftp onto it just as easily.

      1. LDS Silver badge

        Re: but there's always someone wanting to stick with legacy systems.

        That's the issue. With SFTP you also give access to a shell on the system, unless other configurations are made to avoid it.

        With FTP you can give file access only, to specific directories. And you can still encrypt the traffic with TLS.

  7. steelpillow Silver badge

    Cleanliness is next to godliness

    I can appreciate removing FTP from what is essentially an HTTPS client. Let's do one thing and do it well.

    But I know at least one book publishing site which limits large HTTPS uploads and requires that your 1,000 page illustrated wannabee blockbuster be uploaded via FTP/SFTP. And there are all those other places where a robust connection is more important than speed.

    Long live SFTP.

    1. doublelayer Silver badge

      Re: Cleanliness is next to godliness

      I don't think it ever supported uploads over FTP. I think that was just for downloading files or browsing the directory tree. FTP clients exist for that purpose, and they'll probably do it better than a browser does.

  8. Anonymous South African Coward Silver badge

    Still using plain-vanilla FTP for telemetry.

    Will have to upgrade it to SFTP eventually.

    1. Crypto Monad

      Also remember that SFTP and FTPS both exist, and are two completely different things.

      (One is a subsystem of SSH. The other is the regular FTP protocol, over TLS)

  9. tapanit
    Linux

    Firefox was not quite the last bastion to support ftp: Konqueror still does. (Just tried it in Kubuntu 20.04.)

  10. Anonymous Coward
    Anonymous Coward

    FTP and Firefox

    I had to grit my teeth yesterday when I was forced to use M$ Internet Explorer to access an ftp site after Firefox refused.

    1. Charlie Clark Silver badge

      Re: FTP and Firefox

      But where I need FTP, I use a fully featured FTP client and preferably one that defaults to SFTP. FTP in the browsers comes from the days when http couldn't be relied upon for sustained connections such as downloads but that hasn't been the case for over a decade.

  11. steelpillow Silver badge
    Trollface

    Really?

    From the headline hype, you'd think Filezilla is being purged too.

  12. Mike Lewis

    My memory of FTP

    I once rewrote 2,650 lnes of C as a seven line shell script.

    The previous programming team had written a data transfer program with its own implementation of FTP. I just used the one that was already on the UNIX computer.

  13. Anonymous Coward
    Anonymous Coward

    Hold your applause, please.

    Like so many other parts of the Firefox browser, this was abandoned because they couldn't retain a maintainer, the code was a hot mess, and they decided it would be less work to cut it off instead of fixing it by implementing something secure or useful like scp/sftp support. RSS and live folders fell to the same axe. Thunderbird nearly got the same treatment.

    That said I would love to see the day I don't have to deal with OG FTP ever again, but the entire embedded systems world is still mired in it. BTW, for those of you that just rolled your eyes, the building your in probably has dozens of them, weather you know it or not. If you have a cisco switch or phone system you probably do. Morons can't be bothered to update their firmware to support anything with support for ANY security, so does pretty much anything that supports netboot from the BIOS.

  14. Bitbeisser
    FAIL

    Well, there is a more or less easy way to work around and use a real FTP client.

    But in general, I wonder what bozos started to make the Firefox design decisions at Mozilla. I thought that showing entries in the search field in the address bar was an April fools joke or maybe a glitch that passed through QC, but apparently, they are dead serious about this. Makes me really wonder what's next and if the last usable browser is finally going down the drain...

    1. oiseau Silver badge
      Pint

      ... wonder what bozos started to make the Firefox design decisions at Mozilla.

      Finally ...

      Thank you for that. 8^D

      I've been bitching about exactly the same thing for three or four years now.

      They (them Bozos at Mozilla ...) have turned what once was a relatively decent browser with a lot of potential into a POS mess with an absurd UI.

      I know, it's not friday yet, but still...

      Have one three on me. ----->

      O.

  15. Missing Semicolon Silver badge

    HTTPS all the time

    Is a real pain on local networks. Type (say) http://inkjet into the browser address bar, and if the HP inkjet to which I have assigned that name is having a sulk, instead of just producing an error, it a) Tries https://inkjet and then b) tries searching on google.

    I now can't retry, as the original http://inkjet URL is gone. I must retype the damned thing.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021