Firefox has decided it’s time to burn the browser’s FTP connections.
In a March 19 post on the mozilla.dev.platform list, developer Michal Novotny announced “We plan to remove FTP protocol implementation from our code.”
But the change will be slow. The unencrypted protocol will remain in place but be turned off by default for Firefox 77, due in May 2020. But it will remain on by default in Firefox’s extended support release version 78. Version 99 is due in early 2021!
Novotny’s explanation for FTP’s removal is that “FTP is an insecure protocol and there are no reasons to prefer it over HTTPS for downloading resources.
“Also, a part of the FTP code is very old, unsafe and hard to maintain and we found a lot of security bugs in it in the past.”
FTP becoming Forgotten Transfer Protocol as Debian turns it offREAD MORE
Firefox developers have known this for almost two years: The Register reported in April 2018 that the team decided to block FTP requests from inside web pages way back in version 61. And if they didn’t remember that, there’s also the example of Chrome binning FTP in February 2020.
Your humble vulture occasionally hears of ancient mainframe apps using FTP within the walls of some organisations. In those environments the buggy FTP codebase and its use of plaintext data transmission might be acceptable risks. But out here on the Internet? Get the FTP outta here! ®