Intent to unship: FTP protocol implementation

1441 views
Skip to first unread message

Michal Novotny

unread,
Mar 18, 2020, 8:24:50 PM3/18/20
to dev-platform
We plan to remove FTP protocol implementation from our code. This work
is tracked in bug 1574475 [1]. The plan is to

- place FTP behind a pref and turn it off by default on 77 [2]
- keep FTP enabled by default on 78 ESR [3]
- remove the code completely at the beginning of 2021

We're doing this for security reasons. FTP is an insecure protocol and
there are no reasons to prefer it over HTTPS for downloading resources.
Also, a part of the FTP code is very old, unsafe and hard to maintain
and we found a lot of security bugs in it in the past. After disabling
FTP in our code, the protocol will be handled by external application,
so people can still use it to download resources if they really want to.
However, it won't be possible to view and browse directory listings.


[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1574475
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1622409
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=1622410

Henri Sivonen

unread,
Mar 19, 2020, 4:02:49 AM3/19/20
to Michal Novotny, dev-platform
On Thu, Mar 19, 2020 at 2:24 AM Michal Novotny <michal....@gmail.com> wrote:
> We plan to remove FTP protocol implementation from our code.

Chrome's status dashboard says "deprecated" and
https://textslashplain.com/2019/11/04/bye-ftp-support-is-going-away/
said the plan was to turn FTP off by default in version 80. Yet, I
just successfully loaded ftp://ftp.funet.fi in Chrome 80 on Mac and in
Edge 82 (Canary) on Windows 10, and I'm certain I haven't touched the
flag in either. (The location bar kept showing the ftp:// URL, so it
doesn't appear to be a case of automatically trying HTTP.)

Do we know why Chrome didn't proceed as planned? Do we know what their
current plan is?

Do we know if Edge intends to track Chrome on this feature or to make
an effort to patch a different outcome?

--
Henri Sivonen
hsiv...@mozilla.com

Johann Hofmann

unread,
Mar 19, 2020, 5:26:50 AM3/19/20
to Henri Sivonen, Michal Novotny, dev-platform
Can you share some insight into the usage telemetry that was considered for
unshipping this?
> _______________________________________________
> dev-platform mailing list
> dev-pl...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
>

David Teller

unread,
Mar 19, 2020, 5:29:13 AM3/19/20
to dev-pl...@lists.mozilla.org
Out of curiosity, what external application? OS-specific?

Frederik Braun

unread,
Mar 19, 2020, 5:39:59 AM3/19/20
to dev-pl...@lists.mozilla.org
AFAIU chrome removed all web-observable/web-exposed bits of FTP (e.g.,
navigations, subresources etc.)but still allows top-level navigations
from the user.


Am 19.03.20 um 09:02 schrieb Henri Sivonen:
> On Thu, Mar 19, 2020 at 2:24 AM Michal Novotny <michal....@gmail.com> wrote:
>> We plan to remove FTP protocol implementation from our code.
>

Frederik Braun

unread,
Mar 19, 2020, 5:42:39 AM3/19/20
to dev-pl...@lists.mozilla.org
> We're doing this for security reasons. FTP is an insecure protocol and
> there are no reasons to prefer it over HTTPS for downloading resources.
> Also, a part of the FTP code is very old, unsafe and hard to maintain
> and we found a lot of security bugs in it in the past.

I know this used to be (is?) a widely used feature, but I can second
these considerations. It's not right to waste smart network engineering
time on decades old legacy code and it's likely even harder to justify a
rewrite.

Romain Testard

unread,
Mar 19, 2020, 5:55:28 AM3/19/20
to Frederik Braun, dev-pl...@lists.mozilla.org
Would it make sense to ship after Chrome to help ensure this does not lead
to churn?
Also at a time people try to find ways to work from home and share files
(spike of usage in Firefox send), potentially breaking ways people have to
share files may not be good timing?

Michal Novotny

unread,
Mar 19, 2020, 5:56:26 AM3/19/20
to dev-platform
According to [1], it will be turned off for all users in 81. In 80 it
will be turned off for 1% of users.

[1]
https://docs.google.com/document/d/1JUra5HnsbR_xmtQctkb2iVxRPuhPWhMB5M_zpbuGxTY/edit#heading=h.a4pkgy626xf3

Cameron McCormack

unread,
Mar 19, 2020, 6:19:26 AM3/19/20
to Michal Novotny, dev-platform
If you plan to time the unshipping of our FTP support to be after Chrome 81, then please be aware that Chrome releases are currently paused on Chrome 80.

https://chromereleases.googleblog.com/2020/03/upcoming-chrome-and-chrome-os-releases.html

Michal Novotny

unread,
Mar 19, 2020, 6:19:48 AM3/19/20
to dev-pl...@lists.mozilla.org
Yes, it's OS specific, so it depends on what application is registered
to handle FTP URI.


On 3/19/20 10:29 AM, David Teller wrote:
> Out of curiosity, what external application? OS-specific?
>
> On 19/03/2020 01:24, Michal Novotny wrote:
>> We plan to remove FTP protocol implementation from our code. This work
>> is tracked in bug 1574475 [1]. The plan is to
>>
>> - place FTP behind a pref and turn it off by default on 77 [2]
>> - keep FTP enabled by default on 78 ESR [3]
>> - remove the code completely at the beginning of 2021
>>
>> We're doing this for security reasons. FTP is an insecure protocol and
>> there are no reasons to prefer it over HTTPS for downloading resources.
>> Also, a part of the FTP code is very old, unsafe and hard to maintain
>> and we found a lot of security bugs in it in the past. After disabling
>> FTP in our code, the protocol will be handled by external application,
>> so people can still use it to download resources if they really want to.
>> However, it won't be possible to view and browse directory listings.
>>
>>
>> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1574475
>> [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1622409
>> [3] https://bugzilla.mozilla.org/show_bug.cgi?id=1622410

Michal Novotny

unread,
Mar 19, 2020, 10:01:55 AM3/19/20
to dev-platform
We added the telemetry probes in bug 1579507 [1] to see how many users
still use FTP. The usage was pretty low as you can see in bug 1570155 [2].

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1579507
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1570155#c5


On 3/19/20 10:26 AM, Johann Hofmann wrote:
> Can you share some insight into the usage telemetry that was considered
> for unshipping this?
>
> On Thu, Mar 19, 2020 at 9:02 AM Henri Sivonen <hsiv...@mozilla.com
> <mailto:hsiv...@mozilla.com>> wrote:
>
> On Thu, Mar 19, 2020 at 2:24 AM Michal Novotny
> <michal....@gmail.com <mailto:michal....@gmail.com>> wrote:
> > We plan to remove FTP protocol implementation from our code.
>
> Chrome's status dashboard says "deprecated" and
> https://textslashplain.com/2019/11/04/bye-ftp-support-is-going-away/
> said the plan was to turn FTP off by default in version 80. Yet, I
> just successfully loaded ftp://ftp.funet.fi in Chrome 80 on Mac and in
> Edge 82 (Canary) on Windows 10, and I'm certain I haven't touched the
> flag in either. (The location bar kept showing the ftp:// URL, so it
> doesn't appear to be a case of automatically trying HTTP.)
>
> Do we know why Chrome didn't proceed as planned? Do we know what their
> current plan is?
>
> Do we know if Edge intends to track Chrome on this feature or to make
> an effort to patch a different outcome?
>
> --
> Henri Sivonen
> hsiv...@mozilla.com <mailto:hsiv...@mozilla.com>
> _______________________________________________
> dev-platform mailing list
> dev-pl...@lists.mozilla.org <mailto:dev-pl...@lists.mozilla.org>
> https://lists.mozilla.org/listinfo/dev-platform
>

Nhi Nguyen

unread,
Mar 24, 2020, 12:16:57 PM3/24/20
to dev-platform
Update: In light of recent events, we will only disable FTP in Nightly,
starting from 77. FTP will remain enabled in release until further notice.

On Thu, Mar 19, 2020 at 7:01 AM Michal Novotny <michal....@gmail.com>
wrote:
> https://lists.mozilla.org/listinfo/dev-platform
>

ValdikSS

unread,
Mar 24, 2020, 12:16:57 PM3/24/20
to dev-pl...@lists.mozilla.org
Just a random Joe here, but I'd like to vote *against removing FTP support*. FTP is still widely used, its easy to configure and to use file transfer protocol. Despite its age, there still aren't really any proper full-featured and well-supported alternatives for FTP, one of the reason is because FTP is universally supported in OS and browsers while other protocols are not, and removing FTP support from Firefox removes "old and ugly" protocol without introducing any alternative for it, reducing the software functionality for end user.

The main advantage of the protocol is its design for file transfer only. Unlike more general and complex protocols like HTTP, FTP does not require for the administrator to setup and configure multiple complex software (web server + application server/interpreter + file sharing software on top of it) to perform one simple thing: file transfer. You can't upload whole folder without complex hacks via HTTP, while FTP allows to do that in one click.

File transfer with FTP:

* Easy software setup, lots of mature server and client software for any platform
* Upload privileges could be given as easy as sharing the link
* You can download and upload whole folders
* You can navigate through folders, download and upload files and folders with stock Unix and Windows console and graphical software

File transfer with HTTP:

* Complex software setup: web server + special third-party file transfer software, which does not conform to any specification
* Could not be properly used outside of web browsers
* No functionality to download multiple files at once, only file-by-file
* No functionality to download or upload folders

One of the argument against FTP is that it's unsecure. The plain FTP, just as HTTP, does not have encryption, but there's HTTPS alternative for FTP — FTPS, which is a TLS layer on top of FTP. I believe it could be easily implemented in Firefox. There's a bug for adding FTPS support which has been filled 19 (!) years ago
https://bugzilla.mozilla.org/show_bug.cgi?id=85464

I guess It would be acceptable if Mozilla remove FTP support but introduce it's alternative, WebDAV for example. WebDAV is a file transfer protocol on top of HTTP. It provides functionality similar to FTP, but it's not popular due to very limited software support (both client and server).

I ask you to consider not to remove FTP support. Despite its problems, the protocol still does what it is designed to do and beats its rivals. If protocol insecurity is the only consideration, I am willing to help by implementing FTPS (FTP over TLS) support and sending a patch, if that would change Mozilla's decision to keep this functionality. Please let me know if I can do anything, because I won't try to implement FTPS support if it won't be merged.

Also, Google still index FTPs. I find it strange if the user clicks on Google search result and it could not be opened in a browser.
signature.asc

nikunj...@gmail.com

unread,
Apr 27, 2020, 6:59:27 AM4/27/20
to
There is no information about sFTP in this page. Will sFTP work in Firefox? Or all FTP related functionality will be removed? Will users be able to list files and directories in Firefox from sFTP server?

Michal Novotny

unread,
Apr 27, 2020, 7:40:45 AM4/27/20
to dev-pl...@lists.mozilla.org
SFTP was never supported by Firefox.

Valentin Gosu

unread,
Feb 10, 2021, 3:37:14 AMFeb 10
to dev-platform
Hi everyone,

FTP support is currently disabled on Nightly.
Our current plan is for the pref flip to ride the trains with Firefox 88 to
beta and release [1], meaning we would be disabling FTP a week after Chrome
[2]
Firefox 89 is supposed to remove the FTP code completely [3]

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1691890
[2] https://bugs.chromium.org/p/chromium/issues/detail?id=333943#c66
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=1574475

Thanks!


On Mon, 27 Apr 2020 at 13:40, Michal Novotny <michal....@gmail.com>
wrote:

> SFTP was never supported by Firefox.
>
> On 4/27/20 12:59 PM, nikunj...@gmail.com wrote:

Henri Sivonen

unread,
Feb 10, 2021, 3:46:15 AMFeb 10
to dev-platform
On Wed, Feb 10, 2021 at 10:37 AM Valentin Gosu <valent...@gmail.com> wrote:
> FTP support is currently disabled on Nightly.
> Our current plan is for the pref flip to ride the trains with Firefox 88 to
> beta and release [1], meaning we would be disabling FTP a week after Chrome
> [2]

Are we also stopping advertising the capability to act as an ftp: URL
handler to operating systems? Currently, if I try to follow an ftp:
URL in Gnome Terminal, it tries to launch Firefox. Is that something
we advertise to Gnome or something that Gnome just knows and needs to
be patched to stop knowing?

--
Henri Sivonen
hsiv...@mozilla.com

Mike Hommey

unread,
Feb 10, 2021, 3:57:23 AMFeb 10
to Henri Sivonen, dev-platform
I /think/ this comes from the .desktop file, which in most cases, comes
from the distro.

Mike

Anne van Kesteren

unread,
Feb 10, 2021, 4:01:21 AMFeb 10
to Valentin Gosu, dev-platform
On Wed, Feb 10, 2021 at 9:37 AM Valentin Gosu <valent...@gmail.com> wrote:
> FTP support is currently disabled on Nightly.

Does this have any impact on the URL parser? Do we still (want to?)
support the ftp scheme in form submission (to then delegate the
computed URL to some kind of handler rather than the browser)? Not
sure there are other bits in standards that are impacted by this, but
it will certainly allow for some nice cleanup in Fetch. 😊

Valentin Gosu

unread,
Feb 10, 2021, 5:00:37 AMFeb 10
to Mike Hommey, Henri Sivonen, dev-platform
On Wed, 10 Feb 2021 at 09:57, Mike Hommey <m...@glandium.org> wrote:

> On Wed, Feb 10, 2021 at 10:45:53AM +0200, Henri Sivonen wrote:
> > On Wed, Feb 10, 2021 at 10:37 AM Valentin Gosu <valent...@gmail.com>
> wrote:
> > > FTP support is currently disabled on Nightly.
> > > Our current plan is for the pref flip to ride the trains with Firefox
> 88 to
> > > beta and release [1], meaning we would be disabling FTP a week after
> Chrome
> > > [2]
> >
> > Are we also stopping advertising the capability to act as an ftp: URL
> > handler to operating systems? Currently, if I try to follow an ftp:
> > URL in Gnome Terminal, it tries to launch Firefox. Is that something
> > we advertise to Gnome or something that Gnome just knows and needs to
> > be patched to stop knowing?
>
> I /think/ this comes from the .desktop file, which in most cases, comes
> from the distro.
>

We have this bug on file:
https://bugzilla.mozilla.org/show_bug.cgi?id=1667468
We should definitely stop registering Firefox as an ftp handler.

Mike Hommey

unread,
Feb 10, 2021, 3:24:28 PMFeb 10
to Valentin Gosu, dev-platform, Henri Sivonen
Oh right, the external protocol service also registers.

Mike
Reply all
Reply to author
Forward
0 new messages