Firefox can't be everything. It should focus on being a great browser and not a great browser and also great FTP client, or a great browser and also a great feed reader, or a great browser and also a great mail client. People using FTP can use a dedicated client, of which there are plenty on every platform, and people who don't use FTP (i.e. the vast, vast majority of web browser users) won't even notice.
A modern web browser is probably some of the most complex software humanity has invented yet, besides a full-scale OS. Taking a maintenance burden that's unrelated to the core browser product of a struggling NFP should be welcomed with a sigh of relief.
There are a few people commenting with nonsense like this:
> You can configure Firefox to open "ftp://" links with the client of your choice. This is a non-issue.
That's absolutely useless if the client of your choice can't render HTML and the ftp:// link is to an HTML file.
The fundamental idea of the WWW project was that it provided a universal, uniform interface to all the information on the internet, regardless of protocol. This move amounts to Firefox abandoning that vision. Abandoning Gopher was maybe reasonable—there just aren't that many Gopher servers out there—but FTP is still a widely used protocol.
More broadly, this is a tradeoff between the traditional vision of the WWW as a vast library, in which human knowledge accumulates over time and becomes accessible to all, and the strip-mall vision of the WWW as a means to sell people things they don't need. This move amounts to burning down a wing of the library (or, at least, its card catalog) because it wasn't profitable enough. Or because people keep getting mugged there, I guess.
This kind of intentional functionality regression is precisely the kind of thing I use free software to avoid.
I also find the incredibly vague and nonspecific "but security!" scaremongering language to be quite hyperbolic, a repeat of the borderline lies mozilla peddled when they decided to dump xul for webextensions.
It seems to me that the removal of features like this amounts to "I don't use/understand it, therefore I'm going to assume it's not useful to anybody".
Of course, Mozilla being out of touch with its user base is hardly news, so this comes as no surprise at all to me.
(While I'm talking about browsers and particularly mozilla, I'd just like to take a moment to congratulate them on finally getting their market share down below that of edge. They've been working hard at driving firefox into the ground for a long time now, and I'm sure they must be feeling very proud to have finally achieved this important milestone in their seemingly unending quest to achieve that holy grail of 0 users. So I'd just like to say: Nice work, Mozilla!)
I cannot for the life of me remember the last time I landed on a page with FTP or had to use FTP in any way. Even lists of file downloads are http pages where I just click on the file.
> More broadly, this is a tradeoff between the traditional vision of the WWW as a vast library, in which human knowledge accumulates over time and becomes accessible to all, and the strip-mall vision of the WWW as a means to sell people things they don't need.
I don't get this at all.
* Are you saying FTP is a fundamentally better protocol to download files than HTTP?
* Are you saying that it would be easier to run a FTP server than a HTTP server?
* Do you think that FTP-only-sites generally depend on HTML-over-FTP for browsing? Because that's something I've never seen AFAIK, either they use HTTP-only or HTML-over-HTTP for browsing and FTP for download.
I get the "strip-mall vision of the WWW as a means to sell people things they don't need" complaint, but that does not seem related to the protocol discussion of HTTP and FTP at all.
Browsers removing support are breaking part of the web that was working fine.
Your web browser doesn't need to support FTP. It just needs to support the web. Everything else is a bonus, unless it's a security liability. Then it has no business being in there.
It's an edge case these days though as more are moving to https:// links so I can understand the browser vendors wanting to make the code base smaller. They have enough to do. Especially for Mozilla given what they charge for us to use their product.
> Now they're [...] removing [...], and people are still complaining?
It's different people.
It is a shorthand but it always seems like it's designed as a "gotcha". I haven't thought enough about it to figure out what fallacy it entails, just enough to ignore it anytime I see an argument that uses it.
Even Apache 1 can expose dirs over http instead of ftp, there is literally no reason for FTP unless you want uploads. In which case: no you don't, you want sftp at the very least, because you care about the fact that you want data that gets uploaded to be your data, not the data that a MITM trivially changed it to. Which FTP fully allows.
FTP is used often in my field. The removal of FTP from both Chrome and FireFox has been very inconvenient. I tried a few free FTP clients with GUI. They are huge and clumsy in comparison to browsers. For example, cyberduck zip is as large as firefox and I couldn't copy-paste a ftp:// URL in FileZilla. I wonder why these FTP clients don't adopt a browser-like interface. It would be more friendly. Now I mostly use command-line lftp, which is better than the GUI clients I have tried but still not as convenient as browsers.
You should be able to paste a full ftp://server.tld/path into the host field and upon connection it'll drop you right into that folder.
As for why the GUIs aren't that great I think it's precisely because FTP was made with CLI in mind and by the time good GUIs came around there were better protocols to plug into them.
There are times when HN seems to become very negative to a particular topic. In the past I’ve seen it with Kubernetes, systemd or GCP/AWS. I feel it’s that way with Mozilla/Firefox. More often than not, comments on Mozilla/Firefox are very negative then create a feedback loop of negativity. Obviously subjective, but just what I see
When Google or MS does something shitty with their browsers I pretty much expect it from them and I'm partially insulated from their bad behaviors since I avoid using those browsers. When Mozilla acts badly though I'm often personally impacted.
I'm actually okay with them getting rid of FTP support (although I think leaving it there, but disabled by default was a better way to go - FTP links are pretty common out there) but I'm not at all surprised by the backlash.
Please elaborate. In excruciating detail.
> A modern web browser is probably some of the most complex software humanity has invented yet, besides a full-scale OS.
And whose fault is that, if not WHATWG?
Embrance. Extend. Extinguish.
--------------------- ^ [The web is here]
People bitched when Firefox added a stupid non-standard thing, yes. Now, the few who still use Firefox, will bitch because they have arbitrarily removed a standard thing.
That said some functionality has been included in bookmarks such as clicking favorite button saves directly in unsorted, clicking twice opens a menu where tags can be added, and can see all bookmarks through menu. A secondary bookmarks tree can be added with extra features being read status, and simple status change and deletion from menu without requiring right click. Kinda like Chrome did it.
Browsers never had decent ftp support, true. They just allow you to list directories and download stuff. But on the other hand, the FTP support doesn't cost anything. Don't know much about Pocket to be honest, but this form of integration is much worse than to support a protocol.
Aside from that, maybe using http for downloads is the better alternative today.
The epitome of corporate speak: "we're taking away a feature of this software. You're welcome."
I expect that kind of talk from Google; hearing it from Mozilla makes me a little sad.
I remember back when the Spread Firefox campaign was still around - at the time, Firefox and Mozilla in general felt grassroots, fun, and human. Like a club anyone could join and that anyone would want their friends, family, coworkers, and even strangers or people they didn't like to get in on: an all-in-this-together effort for a better internet.
Anymore, Mozilla feels more and more corporate, more like a company - even as Google Chrome (and the many browsers built from Chromium) eats away more and of their market share and they move toward being "the little guy" again - and less and less like a group of people.
I think what I really miss is having a browser that made me care about it beyond just wanting alternatives.
That was long long time ago. I think something like early 00s when Firefox was just launched. Things changed. Mozilla is no longer the same.
But, hey, if you are not yet a FF user, here's where you can download it, in case you're looking for a browser that... lacks FTP support. Something many users are likely to be seeking out.
However, there is no need to characterizes FTP being dangerous by jumping from FTP is old and is in plaintext, to FTP servers are being exploited and used to distribute malware, to FUD-type statement implying that there are [unspecified] exploits now available to attack Firefox if FTP was enabled.
This is just plain disgusting and it leaves a bad taste in my mouth.
maintaining features is cost
I'm not saying there weren't good reasons to get rid of ftp support, but that doesn't seem like one.
What would happen if they rip it out?
What should be done is push for things like ftps or add big warnings around it.
That wasn't the decision. Maintaining this was.
Show me an example of actual FTP MITM hack in the wild.
Sure loading FTP resources from HTTP(S) context is not a good idea (as would be downloading executables over FTP), but did they actually make any effort to inform the public and owners of FTP servers? I do not think so, I haven't seen it.
Mozilla these days has very weird priorities. Their decisions should not feel so unilateral or "because Chrome does it". There should be more emphasis on widely understood infrastructure even at the cost of "soft" projects/campaigns [1] - these could be served by the EFF after all. I can't understand why shedding MDN was a good idea in their heads.
[1] Like this one: https://foundation.mozilla.org/pl/blog/mozilla-investigation...
I agree. The attempts to be more and more like Chrome are especially confusing to me. Maybe they just want to copy what's popular but the thing they seem to miss is that if people wanted a browser that was just like chrome they'd probably just use chrome. The removal of choice, customization, and control over Firefox is what's going to drive people away. Those are the features that attracted most of us to Firefox in the first place.
Then they can use an FTP client which will perform better anyways. This is Mozilla removing it from their web browser, not L3 black holing port 21 traffic.
Why do you need to use a web browser?
Just yesterday I found a link to FTP while researching something. Was pretty annoying to go get another FTP client up and running to get it.
Anyway, the movement away from unencrypted protocols to TLS-only is moving us closer to a fully censored internet. Sure, an unencrypted internet did not have any integrity guarantees, and thus was easy to censor (and worse) by totalitarian nation states.
However, a TLS-only internet is very easily censorable by our new global central planners (FAANG). This way, they'll have much more control than was available to the common MITMing nation state.
Malware vector, really? When was the last time FTP was a major malware distribution channel as opposed to, you know, plain http? And I don't buy the "save programming resources" argument either. FTP is an old, simple and stable protocol, it's not like there's much need to touch that code.
We would have encrypted communication with privileged government access. I think it is actually competition that keeps TLS trustworthy.
FTP is a horrible kludge that needs to be depreciated. SFTP is better. The number of ports needed, holes punched in firewalls, everything sent in plain-text, inability to traverse NAT without more kludge and hacky work-arounds. We only tolerate it because it was the only thing that worked.
There are better/newer methods that should be embraced.
We don't bemoan the death of Gopher, or Finger do we? Hell no. FTP does have it's uses, but I'd dare wager that every-single-instance could be upgraded to SFTP and the world would move on.
Legacy, ancient apps that haven't been touched in 40 years; will break. Let them.
It's sad, but not surprising.
That barrier seems pretty porous these days. Being that you can access serial ports via JS, for example :)
Yes.. well, they can do the same by compromising servers that offer the payload via HTTP(S). At least when the payload is ftp, it stands out and you can catch it in your gateway/firewall devices.
With https you now need https inspection at the border in order to be able to do that. These MITM devices do tend to cause a lot of trouble.
explorer: right click "my computer" -> map network drive. (or just ctrl+L and type an FTP url.)
finder: go -> connect to server
nautilus/dolphin: network -> connect to server (or just ctrl+L and type an FTP url.)
One can argue that servers should upgrade, and that’s valid. But they don’t and they likely won’t do this just harms Firefox’s user base and is one more reason I no longer recommend Firefox. They just don’t seem user friendly as they once were.
I would expect Mozilla to advocate for more FTP as a cheap way of distributing files.
Define "lots". Chrome dropped FTP support in late 2020 and basically nobody noticed. The vast majority of the remaining public FTP servers are also accessible over HTTP.
> I would expect Mozilla to advocate for more FTP as a cheap way of distributing files.
In what sense is FTP "cheap"? What makes it any different from HTTP in that regard?
Maybe people outside of the tech world failed to notice, but it was discussed here at the time:
a ton of government and scientific datasets are provided over FTP
It's one thing to have your password stolen, but another thing entirely to have your download and its shasum/md5sum/whatever sidecar file replaced in-flight
Sure, there might be a user that doesn't know how to get a good FTP tool. But how many FTP servers are they accessing? Probably not enough of those to justify the maintenance effort.
Now they have to be handled by an external protocol handler, and I'd bet most of us don't have one set up, so things will be a little bumpy for a bit
It removes a malware vector going through Firefox.
But seriously, who's serving FTP but doesn't serve HTTPS?
I've used FTP, fairly heavily back at an old job that required it, but I have an FTP client. They are a dime a dozen for every platform. But I haven't used FTP at all in at least a decade.
Mozilla should focus their efforts in their web browser on web browsing. If you need to FTP, Gopher, or torrent over the internet, you can grab a client that does those things.
Why are people still using ftp rather than http?
"But why wouldn't you use some other method to manage your files? Why combine the two?" I dunno, but WordPress is basically that (managing your blog's/site's appearance, content, and server-side plugins, over the same interface/protocol that serves the blog/site) but for blogs & websites, and it's damn near the most successful Web project ever, so there must be something to it unless that's not a big reason for its success (and I'm pretty sure it is).
I can certainly see the appeal if your main focus is serving files, or providing file-serving hosting to others (say, other departments, or to paying clients, or whatever). One daemon to configure for the whole task.
I do use FTP every now and then, but I do so from the command line or file manager like mc (or far manager when I am on Windows). Even there, it has been declining steadily, though, because ssh/sftp works pretty well as a drop-in replacement, unless one of the endpoints is so low-end the encryption becomes a throughput bottleneck. But it's been many years since I've had that problem.
It also doesn't really do a good job of transferring files - the protocol is slow and is incompatible with lots of firewall setups.
This is why we can't have nice things and why the internet is going to become Chrome-first.
[0] Principle 6: The effectiveness of the internet as a public resource depends upon interoperability (protocols, data formats, content), innovation and decentralized participation worldwide. https://www.mozilla.org/en-US/about/manifesto/
Browser support is important here because those files are often not explored from command line etc, but rather the FTP links are placed on individual pages as a quick download. At least for me, it's much more convinient to click and wget, than reading a page then switch window to query from API/client...
And you aren't using Firefox anyway, it has never supported FTP uploads.
https doesn't let you also manage your files with the same protocol/daemon without other stuff on top of, or alongside, it.
For software project with size and age of Firefox, deleting obsolete or redundant code is universally good. It is hard but necessary task. I am okay with completely stop using FTP for that cause. Or eventually fire up Chrome FWIW.
Mozilla's explanation/justification here for removing ftp is quite flimsy. It presumes there could never, ever be any possible situation in which a user wants to use a browser for ftp. Whether now or in the future. It just does not add up. There are no specific references to ftp-based exploits, or other examples of how ftp is harmful. Who uses ftp for transfers of unencrypted files containing sensitive data over the open internet. ftp can be useful for stuff that is not sensitive and for transfers over the local network between devices (no internet connection required).
It makes sense to remove ftp if the web is just for advertising and sales. Why would any "consumer" need ftp.
Fortunately the text-only browser I use is probably not going to remove ftp. But any decline in ftp use that results from the decisions of these advertising-dependent organisations is concerning.
You can see here where the GUI didn't support FTP over SSL, and then eventually got marked WONTFIX because they decided to deprecate FTP entirely instead: https://bugzilla.mozilla.org/show_bug.cgi?id=85464
That's just how you do big changes these days. Especially if you're Mozilla.
Here's a step-by-step guide to how it works:
1. Decide that you want to drop something because it's not shiny anymore.
2. Scream "OMG WE NEED TO DO THIS FOR SECURITY!!!"
3. Watch while people commend you for taking such a brave stance for "teh security"
See also: webextensions.
This decision seems like a no-brainer, but I’ve found I’m always surprised how much use legacy features like this can have.
Luckily I could convince him to use ProFTPD with sftp http://proftpd.org/docs/contrib/mod_sftp.html . This is very neat as the service runs on their own ssh-alike port.
the sheer lack of awareness here sometimes, I swear.
