1568640 - Disable FTP on Android

Status: RESOLVED DUPLICATE of bug 1622409

(Core Graveyard :: Networking: FTP, task)

Description

[Darkspirit]

https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/eopgOoY1QLs/discussion

FTP is a non-securable, legacy protocol. We've WONTFIXed FTP support on iOS, but its usage in Blink-based Chrome is high-enough that it seems difficult to remove all at once. This seems like a reasonable way of reducing its viability as an attack surface as a stepping stone to more complete removal.

Usage information from UseCounter
Looking at Navigation.MainFrameSchemeDifferentPage for the past 7 days, I see 0.06% of stable users navigating to an ftp: page (0.003% of total navigations). Looking at Download.TargetConnectionSecurity for the same time period, I see 0.04% of users downloading a resource from ftp: (0.03% of downloads). If I limit the platform to Android, I see less usage: Navigation.MainFrameSchemeDifferentPage is 0.01% of users and 0.0003% of total navigations, Download.TargetConnectionSecurity is 0.01% of users and 0.003% of total downloads.

Support for rendering FTP resources was removed by https://crbug.com/744499. It's planned in bug 1560699.

Issue 500548: Remove FTP for Android

FTP is hardly used on Chrome-for-Android. We should see how much binary size reduction we would get for removing it.

There's a more general bug to remove FTP support across platforms. However, there is significantly more usage on desktop than mobile so we'd want to have a better replacement story in place. On Android we won't have an app fallback, but it is also used less frequently.

Comment 1

[Darkspirit]

Attachment: Bug 1568640 - Disable FTP on Android.

Comment 2

[Nhi Nguyen (:nhi)]

Mike, what do you think about this proposed change?

Comment 3

[Darkspirit]

In comparison, bug 1227521 will inevitably cause some complains against all browser vendors next year, but this is a safe change as it's completely unusual to use ftp:// on Android. Incremental deprecation and removal of FTP is desired: bug 85464 comment 34 and other comments.
Sadly it's not even protected by HSTS and Android users are regularly using public WiFi networks, therefore far more often exposed to MitM attacks.
It would still be possible to manually re-enable it for some time.

Comment 4

[Mike Conca [:mconca]]

:dveditz, is this a security hole we are concerned with? I would love your opinion.

I'm concerned about breaking a user flow that we are unaware of, perhaps mobile users clicking on an FTP link embedded in a site that downloads a menu, PDF file, other doc. Let me see if I can't also get current usage stats for Firefox Android.

Comment 5

[Daniel Veditz [:dveditz]]

I don't have a strong opinion about FTP. it's an old crufty protocol and, like http:, not private or secure. Like http: we wish it would go away, but we're a User Agent and as long as users need to get to those resources we need to keep supporting those protocols. Do users still need it on android? I don't know -- that's a data science and Product decision.

Desktop will be rolling out new "insecure" icons for http: rather than the default nothing. Is Android doing the same? If so ftp: urls should get the same treatment if we don't remove FTP functionality entirely.

Is it a "security hole"?

• I'm not worried about the "attack surface" of our ftp implementation. Less is always better, but this is old, stable, fuzzed code.
• the privacy/tampering risks to users are the same as with http: links. If we remove FTP and there are equivalent HTTPS links then we've forced users into safer behavior. If there aren't then what do those frustrated users do? If they give up, yay for us? If they switch to a different browser to download it anyway then it's no win for them or Firefox.

But FTP support does need to go away at some point. If usage is small enough maybe that's now.

Comment 6

[Darkspirit]

70 will be released in 12 weeks. This patch should ride the trains and encourage user feedback, so we could notify admins and let rare problems be fixed, to drive the ecosystem forward in the users' interest. Otherwise this pref change could still be restricted Nightly and Beta until the end of Beta 70. In the meantime, Chromium could turn FTP on Android off as well. Nerds and enterprise users are aware of about:config anyways.

Comment 7

[Darkspirit]

I missed that Fennec Nightly and Stable have both been migrated to 68esr. So this change should only affect GeckoView & Fenix for now.

Comment 8

[Mike Conca [:mconca]]

Data science does not currently have usage numbers for FTP. I don't see a reason to rush this change and have asked DS to gather additional data to help support this decision (bug 1570155).