Firefox can't be everything. It should focus on being a great browser and not a great browser and also great FTP client, or a great browser and also a great feed reader, or a great browser and also a great mail client. People using FTP can use a dedicated client, of which there are plenty on every platform, and people who don't use FTP (i.e. the vast, vast majority of web browser users) won't even notice.
A modern web browser is probably some of the most complex software humanity has invented yet, besides a full-scale OS. Taking a maintenance burden that's unrelated to the core browser product of a struggling NFP should be welcomed with a sigh of relief.
There are a few people commenting with nonsense like this:
> You can configure Firefox to open "ftp://" links with the client of your choice. This is a non-issue.
That's absolutely useless if the client of your choice can't render HTML and the ftp:// link is to an HTML file.
The fundamental idea of the WWW project was that it provided a universal, uniform interface to all the information on the internet, regardless of protocol. This move amounts to Firefox abandoning that vision. Abandoning Gopher was maybe reasonable—there just aren't that many Gopher servers out there—but FTP is still a widely used protocol.
More broadly, this is a tradeoff between the traditional vision of the WWW as a vast library, in which human knowledge accumulates over time and becomes accessible to all, and the strip-mall vision of the WWW as a means to sell people things they don't need. This move amounts to burning down a wing of the library (or, at least, its card catalog) because it wasn't profitable enough. Or because people keep getting mugged there, I guess.
This kind of intentional functionality regression is precisely the kind of thing I use free software to avoid.
I also find the incredibly vague and nonspecific "but security!" scaremongering language to be quite hyperbolic, a repeat of the borderline lies mozilla peddled when they decided to dump xul for webextensions.
It seems to me that the removal of features like this amounts to "I don't use/understand it, therefore I'm going to assume it's not useful to anybody".
Of course, Mozilla being out of touch with its user base is hardly news, so this comes as no surprise at all to me.
(While I'm talking about browsers and particularly mozilla, I'd just like to take a moment to congratulate them on finally getting their market share down below that of edge. They've been working hard at driving firefox into the ground for a long time now, and I'm sure they must be feeling very proud to have finally achieved this important milestone in their seemingly unending quest to achieve that holy grail of 0 users. So I'd just like to say: Nice work, Mozilla!)
Parts of it are, sure, but parts of it are an absolutely horror show (The client opens a port, and then the server connects back to it!?), text conversion and binary modes that's based on ASCII, different list formats, etc. It's not great. Worse, it doesn't support the good stuff like implicit TLS extensions
> Supporting FTP isn't some big technical challenge. The code has been there in the firefox codebase for nearly 20 years now, running just fine. All you need to do to continue to support ftp is nothing at all.
Not at all. Continuing to support FTP means continuing to defend attack surface that's implemented as 20 year-old code, to deliver a feature that in 2021 the majority of people do not use.
It's a cost-benefit analysis. I want Mozilla to do more. If they believe removing FTP support enables them to do more, I'll all for it.
Well said. And the more they fail, the more they double down.
But their decisions go beyond incompetence. They might as well be controlled opposition, actively undermining open web technologies.
They deprecated RSS support with very flimsy justifications, but they make supporting the latest DRM standards a top priority, because they are terrified of losing the blessing of Netflix.
Well, there is nothing vague here: FTP is a cleartext protocol, and we're migrating towards protocols that provide integrity and encryption.
Sometimes I think it's a generational thing. I find it hard to accept this, growing up with testing all protocols with Telnet and so on. But unfortunately the Internet has changed a lot, and especially bad and unscrupulous people learned how to find all possible and sometimes very creative ways to abuse whatever had been created in the past. So I understand that cleartext POP3, IMAP, SMTP and FTP authentication should go away.
Anonymous FTP is a slightly different beast though. Security-wise, it has the same weaknesses as regular HTTP. But nobody is removing HTTP support from web browsers (yet). So I'm a bit sorry to see it removed from FireFox. There are many better things to copy from Chrome.
I cannot for the life of me remember the last time I landed on a page with FTP or had to use FTP in any way. Even lists of file downloads are http pages where I just click on the file.
* ftp://ftp.isc.org/isc/ – also available as http://ftp.isc.org/isc/
* ftp://ftp.oreilly.com/pub/ – only available as FTP
For the O’Reilly URI, it’s convenient to be able to click on directory links in the browser and then open HTML and PDF files without requiring another program.
So, it’s nice to have native FTP handling in Firefox for the odd time I’d use it but I can understand why Mozilla decided to remove it.
Seems legit.
I had to use it this past weekend to get some firmware from the vendor for a network switch. ¯\_(ツ)_/¯
That's not two important services you've named, but only one, and at some point it will be destroyed; it's only temporary. Hopefully it will last a few decades.
Brewster Kahle, the founder of archive.org, has a saying:
Governments burn libraries.
> More broadly, this is a tradeoff between the traditional vision of the WWW as a vast library, in which human knowledge accumulates over time and becomes accessible to all, and the strip-mall vision of the WWW as a means to sell people things they don't need.
I don't get this at all.
* Are you saying FTP is a fundamentally better protocol to download files than HTTP?
* Are you saying that it would be easier to run a FTP server than a HTTP server?
* Do you think that FTP-only-sites generally depend on HTML-over-FTP for browsing? Because that's something I've never seen AFAIK, either they use HTTP-only or HTML-over-HTTP for browsing and FTP for download.
I get the "strip-mall vision of the WWW as a means to sell people things they don't need" complaint, but that does not seem related to the protocol discussion of HTTP and FTP at all.
Web pages that are profit-making ventures, with employees dedicated to working around the latest browser featurectomies, will have no trouble with this sort of constant change. Web pages that are just HTML files that someone uploaded to a server in 02003 will disappear into the memory hole. They're already hard to find, but now they'll be totally inaccessible.
FTP is a bad protocol. HTTP servers are generally easier to run than FTP servers, and especially to run in a secure fashion. None of that is relevant to whether we should break functionality that has been core to the WWW project for 31 years.
Of course they do, it's quite normal. Here's Netscape Navigator:
Firefox supported this completely until Fx61, when it disabled FTP subresources on HTTPS. Even then, you could still view HTML pages served over FTP until Fx70.
Browsers removing support are breaking part of the web that was working fine.
Your web browser doesn't need to support FTP. It just needs to support the web. Everything else is a bonus, unless it's a security liability. Then it has no business being in there.
Your browser doesn't NEED to natively support .pdf but it does and you've probably used that feature. I mean you could have it launch an external .pdf viewer, which is a FAR more complex piece of software than the little FTP protocol code they're disabling here.
Your browser doesn't NEED to support TABs. Your OS is already equipped with the ability to run multiple instances.
Your browser doesn't NEED to sandbox anything, you could just run each instance in it's own VM.
Your browser doesn't NEED to play video, it could launch an external viewer.
[1] Because the default handler for ftp:// was originally Chrome on my system, which is pretty common. Chrome dropping it didn't change that mapping.
OMG! Look, everyone: a telepath! ESP IS REAL!
I tried chrome on an ftp:// uri, and it just does nothing. I suspect because it was the Windows default app for ftp uri's, then they dropped support, but that didn't change the mapping in Windows.
It's an edge case these days though as more are moving to https:// links so I can understand the browser vendors wanting to make the code base smaller. They have enough to do. Especially for Mozilla given what they charge for us to use their product.
Wouldn't help for internal network ftp servers, but would ease the publicly accessible part.
(Note that the dreamhost site has a little link icon in the lower left that will generate a link/landing page with all the important bits filled out.)
That's an excellent point...
...So they'll be removing their builtin pdf viewer first then, right? That's a much much bigger chunk of code than an ftp client. Or are they both scheduled to be removed at the same time? I suppose that would be reasonable.
My choice has always been Firefox.
> Now they're [...] removing [...], and people are still complaining?
It's different people.
It is a shorthand but it always seems like it's designed as a "gotcha". I haven't thought enough about it to figure out what fallacy it entails, just enough to ignore it anytime I see an argument that uses it.
Except then you have to find, install, and configure that program, which not everybody may be able or willing to do. We have trust browsers, for better or worse, and many people may not be comfortable identifying another trustworthy program to handle FTP downloads (due to malware/adware concerns), especially when they're trying to do something else. Having something in the browser saves users a trust decision.
Also, this feature has been so established that lots of stuff was designed expecting it to work that will now be broken. I also wouldn't be surprised if some FTP sites (say with old drivers) just get taken offline without being migrated, due to this.
A lot of sites, especially old ones, are build with the assumption that every browser can access FTP links as you would with HTTP. And so for example a download section is a link to a FTP server.
To me removing it is stupid. Is it a security concern? Not really. Also not having it in the browser will not make security better, a person that needs it will use it with another client. Will make the browser faster or smaller? Not really, a FTP client is something really simpler, and browser have them since ever.
Even Apache 1 can expose dirs over http instead of ftp, there is literally no reason for FTP unless you want uploads. In which case: no you don't, you want sftp at the very least, because you care about the fact that you want data that gets uploaded to be your data, not the data that a MITM trivially changed it to. Which FTP fully allows.
How many of them know what TLS is? Yet they've probably used it. With computers, you don't need to know what something is to have used it.
FTP is used often in my field. The removal of FTP from both Chrome and FireFox has been very inconvenient. I tried a few free FTP clients with GUI. They are huge and clumsy in comparison to browsers. For example, cyberduck zip is as large as firefox and I couldn't copy-paste a ftp:// URL in FileZilla. I wonder why these FTP clients don't adopt a browser-like interface. It would be more friendly. Now I mostly use command-line lftp, which is better than the GUI clients I have tried but still not as convenient as browsers.
You should be able to paste a full ftp://server.tld/path into the host field and upon connection it'll drop you right into that folder.
As for why the GUIs aren't that great I think it's precisely because FTP was made with CLI in mind and by the time good GUIs came around there were better protocols to plug into them.
There are times when HN seems to become very negative to a particular topic. In the past I’ve seen it with Kubernetes, systemd or GCP/AWS. I feel it’s that way with Mozilla/Firefox. More often than not, comments on Mozilla/Firefox are very negative then create a feedback loop of negativity. Obviously subjective, but just what I see
When Google or MS does something shitty with their browsers I pretty much expect it from them and I'm partially insulated from their bad behaviors since I avoid using those browsers. When Mozilla acts badly though I'm often personally impacted.
I'm actually okay with them getting rid of FTP support (although I think leaving it there, but disabled by default was a better way to go - FTP links are pretty common out there) but I'm not at all surprised by the backlash.
Please elaborate. In excruciating detail.
> A modern web browser is probably some of the most complex software humanity has invented yet, besides a full-scale OS.
And whose fault is that, if not WHATWG?
Embrance. Extend. Extinguish.
--------------------- ^ [The web is here]
People bitched when Firefox added a stupid non-standard thing, yes. Now, the few who still use Firefox, will bitch because they have arbitrarily removed a standard thing.
That said some functionality has been included in bookmarks such as clicking favorite button saves directly in unsorted, clicking twice opens a menu where tags can be added, and can see all bookmarks through menu. A secondary bookmarks tree can be added with extra features being read status, and simple status change and deletion from menu without requiring right click. Kinda like Chrome did it.
Transferring files.
There's a hint right there in the protocol name.
Browsers never had decent ftp support, true. They just allow you to list directories and download stuff. But on the other hand, the FTP support doesn't cost anything. Don't know much about Pocket to be honest, but this form of integration is much worse than to support a protocol.
Aside from that, maybe using http for downloads is the better alternative today.
The epitome of corporate speak: "we're taking away a feature of this software. You're welcome."
I expect that kind of talk from Google; hearing it from Mozilla makes me a little sad.
I remember back when the Spread Firefox campaign was still around - at the time, Firefox and Mozilla in general felt grassroots, fun, and human. Like a club anyone could join and that anyone would want their friends, family, coworkers, and even strangers or people they didn't like to get in on: an all-in-this-together effort for a better internet.
Anymore, Mozilla feels more and more corporate, more like a company - even as Google Chrome (and the many browsers built from Chromium) eats away more and of their market share and they move toward being "the little guy" again - and less and less like a group of people.
I think what I really miss is having a browser that made me care about it beyond just wanting alternatives.
That was long long time ago. I think something like early 00s when Firefox was just launched. Things changed. Mozilla is no longer the same.
But, hey, if you are not yet a FF user, here's where you can download it, in case you're looking for a browser that... lacks FTP support. Something many users are likely to be seeking out.
I do not see the benefit of removing FTP. For security concerns, a big warning as with expired TLS certificates would be an acceptable compromise, IMHO.
But as someone who knows what FTP is and still uses it on occasion, I don't think FF dropping FTP support is going to impact me very much.
However, there is no need to characterizes FTP being dangerous by jumping from FTP is old and is in plaintext, to FTP servers are being exploited and used to distribute malware, to FUD-type statement implying that there are [unspecified] exploits now available to attack Firefox if FTP was enabled.
This is just plain disgusting and it leaves a bad taste in my mouth.
maintaining features is cost
Maintenance-free code is a chimera.
I'm not saying there weren't good reasons to get rid of ftp support, but that doesn't seem like one.
What would happen if they rip it out?
What should be done is push for things like ftps or add big warnings around it.
That wasn't the decision. Maintaining this was.
Edit: not sure why this is being downvoted... if you read the actual link, it says they intend to deprecate HTTP.
Show me an example of actual FTP MITM hack in the wild.
Sure loading FTP resources from HTTP(S) context is not a good idea (as would be downloading executables over FTP), but did they actually make any effort to inform the public and owners of FTP servers? I do not think so, I haven't seen it.
Mozilla these days has very weird priorities. Their decisions should not feel so unilateral or "because Chrome does it". There should be more emphasis on widely understood infrastructure even at the cost of "soft" projects/campaigns [1] - these could be served by the EFF after all. I can't understand why shedding MDN was a good idea in their heads.
[1] Like this one: https://foundation.mozilla.org/pl/blog/mozilla-investigation...
I agree. The attempts to be more and more like Chrome are especially confusing to me. Maybe they just want to copy what's popular but the thing they seem to miss is that if people wanted a browser that was just like chrome they'd probably just use chrome. The removal of choice, customization, and control over Firefox is what's going to drive people away. Those are the features that attracted most of us to Firefox in the first place.
Then they can use an FTP client which will perform better anyways. This is Mozilla removing it from their web browser, not L3 black holing port 21 traffic.
Why do you need to use a web browser?
Just yesterday I found a link to FTP while researching something. Was pretty annoying to go get another FTP client up and running to get it.
Anyway, the movement away from unencrypted protocols to TLS-only is moving us closer to a fully censored internet. Sure, an unencrypted internet did not have any integrity guarantees, and thus was easy to censor (and worse) by totalitarian nation states.
However, a TLS-only internet is very easily censorable by our new global central planners (FAANG). This way, they'll have much more control than was available to the common MITMing nation state.
Malware vector, really? When was the last time FTP was a major malware distribution channel as opposed to, you know, plain http? And I don't buy the "save programming resources" argument either. FTP is an old, simple and stable protocol, it's not like there's much need to touch that code.
We would have encrypted communication with privileged government access. I think it is actually competition that keeps TLS trustworthy.
FTP is a horrible kludge that needs to be depreciated. SFTP is better. The number of ports needed, holes punched in firewalls, everything sent in plain-text, inability to traverse NAT without more kludge and hacky work-arounds. We only tolerate it because it was the only thing that worked.
There are better/newer methods that should be embraced.
We don't bemoan the death of Gopher, or Finger do we? Hell no. FTP does have it's uses, but I'd dare wager that every-single-instance could be upgraded to SFTP and the world would move on.
Legacy, ancient apps that haven't been touched in 40 years; will break. Let them.
It's sad, but not surprising.
That barrier seems pretty porous these days. Being that you can access serial ports via JS, for example :)
Yes.. well, they can do the same by compromising servers that offer the payload via HTTP(S). At least when the payload is ftp, it stands out and you can catch it in your gateway/firewall devices.
With https you now need https inspection at the border in order to be able to do that. These MITM devices do tend to cause a lot of trouble.
explorer: right click "my computer" -> map network drive. (or just ctrl+L and type an FTP url.)
finder: go -> connect to server
nautilus/dolphin: network -> connect to server (or just ctrl+L and type an FTP url.)
One can argue that servers should upgrade, and that’s valid. But they don’t and they likely won’t do this just harms Firefox’s user base and is one more reason I no longer recommend Firefox. They just don’t seem user friendly as they once were.
I would expect Mozilla to advocate for more FTP as a cheap way of distributing files.
Define "lots". Chrome dropped FTP support in late 2020 and basically nobody noticed. The vast majority of the remaining public FTP servers are also accessible over HTTP.
> I would expect Mozilla to advocate for more FTP as a cheap way of distributing files.
In what sense is FTP "cheap"? What makes it any different from HTTP in that regard?
Maybe people outside of the tech world failed to notice, but it was discussed here at the time:
a ton of government and scientific datasets are provided over FTP
It saves a lot of confused users at other government / scientific institutions, where the firewall blocks FTP.
It's one thing to have your password stolen, but another thing entirely to have your download and its shasum/md5sum/whatever sidecar file replaced in-flight
Sure, there might be a user that doesn't know how to get a good FTP tool. But how many FTP servers are they accessing? Probably not enough of those to justify the maintenance effort.
Now they have to be handled by an external protocol handler, and I'd bet most of us don't have one set up, so things will be a little bumpy for a bit
It removes a malware vector going through Firefox.
But seriously, who's serving FTP but doesn't serve HTTPS?
It's commercial infrastructure, not a fetish.
You saw the same arguments when the Python Cryptography library started adopting Rust to replace memory-unsafe C code in their C library. People running, like, DEC Alphas in their basements for sport were furious. It was on the front page of HN for several days. It blew over, because nobody really cares about those people in a durable, meaningful way.
Same situation with FTP. It's dead. Stick a fork in it.
I've used FTP, fairly heavily back at an old job that required it, but I have an FTP client. They are a dime a dozen for every platform. But I haven't used FTP at all in at least a decade.
Mozilla should focus their efforts in their web browser on web browsing. If you need to FTP, Gopher, or torrent over the internet, you can grab a client that does those things.
Why are people still using ftp rather than http?
"But why wouldn't you use some other method to manage your files? Why combine the two?" I dunno, but WordPress is basically that (managing your blog's/site's appearance, content, and server-side plugins, over the same interface/protocol that serves the blog/site) but for blogs & websites, and it's damn near the most successful Web project ever, so there must be something to it unless that's not a big reason for its success (and I'm pretty sure it is).
I can certainly see the appeal if your main focus is serving files, or providing file-serving hosting to others (say, other departments, or to paying clients, or whatever). One daemon to configure for the whole task.
I do use FTP every now and then, but I do so from the command line or file manager like mc (or far manager when I am on Windows). Even there, it has been declining steadily, though, because ssh/sftp works pretty well as a drop-in replacement, unless one of the endpoints is so low-end the encryption becomes a throughput bottleneck. But it's been many years since I've had that problem.
It also doesn't really do a good job of transferring files - the protocol is slow and is incompatible with lots of firewall setups.
This is why we can't have nice things and why the internet is going to become Chrome-first.
[0] Principle 6: The effectiveness of the internet as a public resource depends upon interoperability (protocols, data formats, content), innovation and decentralized participation worldwide. https://www.mozilla.org/en-US/about/manifesto/
This whole ordeal kind of reminds me of IE8. Whether good or bad, companies stuck to what they knew and what tools they used to carry out their day-to-day. I can easily see updates being avoided to keep FTP functionality at the expense of newer security issues being patched.
Browser support is important here because those files are often not explored from command line etc, but rather the FTP links are placed on individual pages as a quick download. At least for me, it's much more convinient to click and wget, than reading a page then switch window to query from API/client...
And you aren't using Firefox anyway, it has never supported FTP uploads.
To address your concerns though: meter data is not ingested via FTP. That's done using other protocols. It's transferred b2b via FTP over private tunnels. And you're correct Firefox is not used for uploading data. If it were possible it wouldn't even be a good choice given the volume of data we deal with. It is, however, used heavily for accessing the uploaded data by Operations and other teams.
https doesn't let you also manage your files with the same protocol/daemon without other stuff on top of, or alongside, it.
WebDAV lets you manage files over the same protocol (but.. why?)
For software project with size and age of Firefox, deleting obsolete or redundant code is universally good. It is hard but necessary task. I am okay with completely stop using FTP for that cause. Or eventually fire up Chrome FWIW.
Mozilla's explanation/justification here for removing ftp is quite flimsy. It presumes there could never, ever be any possible situation in which a user wants to use a browser for ftp. Whether now or in the future. It just does not add up. There are no specific references to ftp-based exploits, or other examples of how ftp is harmful. Who uses ftp for transfers of unencrypted files containing sensitive data over the open internet. ftp can be useful for stuff that is not sensitive and for transfers over the local network between devices (no internet connection required).
It makes sense to remove ftp if the web is just for advertising and sales. Why would any "consumer" need ftp.
Fortunately the text-only browser I use is probably not going to remove ftp. But any decline in ftp use that results from the decisions of these advertising-dependent organisations is concerning.
You can see here where the GUI didn't support FTP over SSL, and then eventually got marked WONTFIX because they decided to deprecate FTP entirely instead: https://bugzilla.mozilla.org/show_bug.cgi?id=85464
That's just how you do big changes these days. Especially if you're Mozilla.
Here's a step-by-step guide to how it works:
1. Decide that you want to drop something because it's not shiny anymore.
2. Scream "OMG WE NEED TO DO THIS FOR SECURITY!!!"
3. Watch while people commend you for taking such a brave stance for "teh security"
See also: webextensions.
This decision seems like a no-brainer, but I’ve found I’m always surprised how much use legacy features like this can have.
Luckily I could convince him to use ProFTPD with sftp http://proftpd.org/docs/contrib/mod_sftp.html . This is very neat as the service runs on their own ssh-alike port.
the sheer lack of awareness here sometimes, I swear.
