Bug 1574475 Comment 8 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

(In reply to Mark Straver from comment #6)
> Has anything substantial changed since https://bugzilla.mozilla.org/show_bug.cgi?id=1174462#c25 ?

Most high-risk downloads are done via https today. (Thanks for redirecting at least [some](https://forum.palemoon.org/viewtopic.php?f=24&t=22698#p172399) downloads to https last week. bug 1554930 comment 16)

> If this is purely about encryption, then there **has** been the much longer standing request to add FTPS support. Most FTP servers also offer FTPS (either implicitly or explicitly) so the logical thing would be to add and prefer FTPS.

FTPS and HTTPS are often not offered for the same reason. If server operators finally set up Let's Encrypt, they could offer both, if they want.
https://nginx.org/en/docs/http/ngx_http_autoindex_module.html is similar to what web browsers offered in the past.

> Also: redirecting a standard FTP request to "whatever the system file manager is" is likely providing _less_ security than even leaving it as-is.

They should add a strong warning and consider disabling insecure connections to public IP addresses by default.

(In reply to Mark Straver from comment #6)
> Has anything substantial changed since https://bugzilla.mozilla.org/show_bug.cgi?id=1174462#c25 ?

Most high-risk downloads are done via https today.

> If this is purely about encryption, then there **has** been the much longer standing request to add FTPS support. Most FTP servers also offer FTPS (either implicitly or explicitly) so the logical thing would be to add and prefer FTPS.

FTPS and HTTPS are often not offered for the same reason. If server operators finally set up Let's Encrypt, they could offer both, if they want.
https://nginx.org/en/docs/http/ngx_http_autoindex_module.html is similar to what web browsers offered in the past.

> Also: redirecting a standard FTP request to "whatever the system file manager is" is likely providing _less_ security than even leaving it as-is.

They should add a strong warning and consider disabling insecure connections to public IP addresses by default.
