Open Bug 1574475 Opened 3 months ago Updated 18 days ago

Remove FTP support

Categories

(Core :: Networking: FTP, enhancement, P2)

enhancement


People

(Reporter: ehsan, Unassigned)

References

(Depends on 1 open bug, Blocks 1 open bug)

Details

(Keywords: parity-chrome, sec-want, site-compat, Whiteboard: [necko-triaged])

FTP is an insecure protocol which Blink is considering removing. It seems like we're considering removing support for it on Android but perhaps we should go a step further and remove it completely?

URL: 1438713
See Also: → 1496725
Keywords: site-compat
Flags: needinfo?(honzab.moz)
OS: Unspecified → All
Hardware: Unspecified → All
See Also: → 1438713
Duplicate of this bug: 1174462

FTP is still popular in some corners of the web. For example, a majority of the sites hosting the GCC source code use FTP.

It’s little known but all major desktop platforms support FTP with the built-in file manager (Windows: File Explorer, macOS: Finder, Ubuntu Linux: Files) so can we just open the external app?

(In reply to Kohei Yoshino [:kohei] (Bugzilla UX) (FxSiteCompat) from comment #3)

It’s little known but all major desktop platforms support FTP with the built-in file manager (Windows: File Explorer, macOS: Finder, Ubuntu Linux: Files) so can we just open the external app?

Yes, that would be the plan.

(In reply to Botond Ballo [:botond] from comment #2)

FTP is still popular in some corners of the web. For example, a majority of the sites hosting the GCC source code use FTP.

Downloading software source code over an insecure protocol is an extremely dangerous practice, FWIW.

Has anything substantial changed since https://bugzilla.mozilla.org/show_bug.cgi?id=1174462#c25 ?

If this is purely about encryption, then there has been the much longer standing request to add FTPS support. Most FTP servers also offer FTPS (either implicitly or explicitly) so the logical thing would be to add and prefer FTPS.
Also: redirecting a standard FTP request to "whatever the system file manager is" is likely providing less security than even leaving it as-is. There's usually a very good reason that people use a browser or a dedicated FTP client instead of their default file manager for FTP requests.

(In reply to Mark Straver from comment #6)

Has anything substantial changed since https://bugzilla.mozilla.org/show_bug.cgi?id=1174462#c25 ?

This is a hard question to answer since the content of your discussion with Doug wasn't documented on the bug. At this point all of the information available can be found at what's been linked to above so far. I'd expect all of the old objections will be taken into account by the module owners when we get to the point of making a decision here (not sure when that will be).

(In reply to Mark Straver from comment #6)

Has anything substantial changed since https://bugzilla.mozilla.org/show_bug.cgi?id=1174462#c25 ?

Most high-risk downloads are done via https today.

If this is purely about encryption, then there has been the much longer standing request to add FTPS support. Most FTP servers also offer FTPS (either implicitly or explicitly) so the logical thing would be to add and prefer FTPS.

FTPS and HTTPS are often not offered for the same reason. If server operators finally set up Let's Encrypt, they could offer both, if they want.
https://nginx.org/en/docs/http/ngx_http_autoindex_module.html is similar to what web browsers offered in the past.

Also: redirecting a standard FTP request to "whatever the system file manager is" is likely providing less security than even leaving it as-is.

They should add a strong warning and consider disabling insecure connections to public IP addresses by default.

I strongly support removing FTP support completely for security reasons.
FTP is an insecure protocol that we should strongly discourage people from using for anything.

The code is an attack vector and has a long track record of bugs and security issues.
It's very old and mostly written in low-level C code and we support truly archaic systems
by default - FTP servers running on 16-bit Windows etc:
https://searchfox.org/mozilla-central/source/netwerk/streamconv/converters/ParseFTPList.h#61
https://searchfox.org/mozilla-central/source/netwerk/streamconv/converters/ParseFTPList.cpp#1114

From a security standpoint, I agree with Mats. FTP code is very old, we have found bugs in it before and I don't think it is safe.

However, as long as people are using it, I don't think we should just remove it without having some kind of alternative. Another approach that was discussed before in Necko is to only partially remove support: as Mats pointed out, our FTP implementation supports a broad variety of servers, most of which are likely no longer seen in the wild. We could simplify our FTP implementation to only support what is actually currently used and remove a lot of old, archaic code.

This would require a Telemetry probe that is more precise than just protocol usage and ties into the ParseFTPList code.
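To make concrete what "a broad variety of servers" in ParseFTPList means, and what a cut-down implementation would look like, here is an added example that is not Firefox code and not part of this bug: a small LIST-response parser that positively recognises only two common directory-listing formats (Unix "ls -l" and MS-DOS/IIS style, both assumed from typical server output) and rejects everything else instead of guessing. The sample listing is constructed for the example; it mixes the two accepted styles with a VMS-style line and two hostile names to show the reject path.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Entry:
    name: str
    kind: str            # "file", "dir" or "symlink"
    size: Optional[int]  # None when the listing gives no size (DOS-style <DIR>)


# Unix "ls -l" style LIST line (assumed format), e.g.
#   -rw-r--r--   1 ftp  ftp  70607648 Aug 12 10:05 gcc-9.2.0.tar.gz
UNIX_RE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})\s+\d+\s+\S+\s+\S+\s+"
    r"(?P<size>\d+)\s+[A-Z][a-z]{2}\s+\d{1,2}\s+(?:\d{1,2}:\d{2}|\d{4})\s+"
    r"(?P<name>.+)$"
)

# MS-DOS/IIS style LIST line (assumed format), e.g.
#   08-16-19  10:05AM       <DIR>          releases
DOS_RE = re.compile(
    r"^\d{2}-\d{2}-\d{2,4}\s+\d{2}:\d{2}[AP]M\s+(?P<size><DIR>|\d+)\s+(?P<name>.+)$"
)

MAX_LINE_LEN = 1024      # anything longer is not a listing line, drop it unparsed
MAX_SIZE = 2 ** 63 - 1   # keep sizes within what downstream code can hold


def safe_name(name: str) -> bool:
    """Accept only names usable as a single, displayable path component."""
    if name in ("", ".", ".."):
        return False
    if "/" in name or "\\" in name:
        return False
    # C0 control characters (including ESC) and DEL can corrupt UI rendering.
    return all(0x20 <= ord(c) and ord(c) != 0x7F for c in name)


def parse_list_line(line: str) -> Optional[Entry]:
    """Parse one LIST line; return None for anything not positively recognised."""
    if len(line) > MAX_LINE_LEN:
        return None
    m = UNIX_RE.match(line)
    if m:
        kind = {"-": "file", "d": "dir", "l": "symlink"}[m.group("mode")[0]]
        name = m.group("name")
        if kind == "symlink":
            # "name -> target": keep the link name only, never act on the target.
            name, arrow, _target = name.partition(" -> ")
            if not arrow:
                return None
        size = int(m.group("size"))
        if size > MAX_SIZE or not safe_name(name):
            return None
        return Entry(name, kind, size)
    m = DOS_RE.match(line)
    if m:
        name = m.group("name")
        if not safe_name(name):
            return None
        if m.group("size") == "<DIR>":
            return Entry(name, "dir", None)
        size = int(m.group("size"))
        if size > MAX_SIZE:
            return None
        return Entry(name, "file", size)
    # No heuristic fallback: an unknown server format is rejected, not guessed.
    return None


def parse_listing(text: str) -> Tuple[List[Entry], List[str]]:
    """Split a LIST response into accepted entries and rejected raw lines."""
    entries: List[Entry] = []
    rejected: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_list_line(line)
        if entry is None:
            rejected.append(line)
        else:
            entries.append(entry)
    return entries, rejected


# Constructed sample LIST response: two accepted styles plus lines that must be dropped.
SAMPLE_LISTING = "\r\n".join([
    "drwxr-xr-x   2 ftp      ftp          4096 Aug 16  2019 gcc-9.2.0",
    "-rw-r--r--   1 ftp      ftp      70607648 Aug 12 10:05 gcc-9.2.0.tar.gz",
    "lrwxrwxrwx   1 ftp      ftp            12 Aug 12 10:05 latest -> gcc-9.2.0",
    "08-16-19  10:05AM       <DIR>          releases",
    "08-12-19  10:05AM             70607648 gcc-9.2.0.tar.gz.sig",
    "GCC.DIR;1              1/3   16-AUG-2019 10:05:00  [FTP,FTP]  (RWE,RWE,RE,RE)",  # VMS style: unsupported
    "-rw-r--r--   1 ftp      ftp             0 Aug 12 10:05 ..",                   # traversal name
    "-rw-r--r--   1 ftp      ftp             0 Aug 12 10:05 \x1b[31mREADME\x1b[0m",  # terminal escape in name
])

if __name__ == "__main__":
    accepted, dropped = parse_listing(SAMPLE_LISTING)
    for e in accepted:
        print(f"{e.kind:8s} {str(e.size):>10s} {e.name}")
    print(f"rejected {len(dropped)} line(s)")
```

The point of the shape is the reject path: each line has to match one of a small number of explicit grammars, names are validated before they reach any UI or path code, and there is no "try to make sense of it anyway" branch, which is where a parser that tries to cope with every server family ever shipped accumulates its bugs.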

Isn't there a possibility to write some JavaScript code to wrap the FTP connection into an HTTP(S) download? We would then use a better-maintained code path?

Handing the problem off to GNOME or some other environments doesn't seem to increase security. Those are rather smaller projects with little manpower. Firefox would be the one open source place with the knowledge and the manpower.

Flags: needinfo?(honzab.moz)
Priority: -- → P2
Whiteboard: [necko-triaged]
Depends on: 1579507

Hi. Just a Firefox user. I know this isn't the place for advocacy, but I'm kind of curious about how this bug is going. Google is apparently moving forward with FTP removal according to this Computerworld article [1] and will deprecate FTP with Chrome 80, and according to this gHacks article [2] will remove FTP in Chrome 82. After seeing this news, I checked to see Mozilla's stance on FTP and all I could really find focusing on FTP removal was this bug. I still use FTP from time to time, but if the FTP protocol died off due to security/maintenance concerns, I'm sure I would survive. My point in filing this comment is to ask if Mozilla is going to come up with a unified response on "what" and "how" FTP will be handled going forward. When Google does things with Chrome it moves the tech news cycle, and it would be a nice thing if those boilerplate news stories could have a blurb at the bottom about Mozilla's plans alongside anything from Apple and Microsoft (while it's still on a separate code base from Chrome).

[1] https://www.computerworld.com/article/3378017/fast-forward-whats-coming-in-future-versions-of-chrome.html
[2] https://www.ghacks.net/2019/08/16/google-chrome-82-wont-support-ftp-anymore/
