Firefox maker Mozilla has dropped support for the File Transfer Protocol (FTP) in version 90 of the browser.
FTP has long been used to exchange files between computers on a network, but it’s burdened by enough security issues that browser makers are dropping support for the protocol because the exchange happens without encrypting data in transit between two points.
“The biggest security risk is that FTP transfers data in cleartext, allowing attackers to steal, spoof and even modify the data transmitted,” Mozilla’s security team note.
“To date, many malware distribution campaigns launch their attacks by compromising FTP servers and downloading malware on an end user’s device using the FTP protocol.”
Google dropped support for FTP in Chrome 88, which it released in December. Google had the same rationale for cutting FTP out of Chrome.
It noted that FTP in Chrome had no support for encrypted connections (FTPS), nor proxies. Google has been advocating for HTTPS everywhere and FTP undermined this effort.
Google also found that FTP usage in the browser was “sufficiently low that it is no longer viable to invest in improving the existing FTP client” and suggested people can use more capable FTP clients on various operating systems.
“Aligning with our intent to deprecate non-secure HTTP and increase the percentage of secure connections, we, as well as other major web browsers, decided to discontinue support of the FTP protocol,” Mozilla notes.
The move to kill FTP in Firefox is also an evolution of Mozilla’s effort to completely remove FTP support. It already disabled FTP by default in Firefox 88 in April.
“As soon as your Firefox auto-updates to version 90, any attempt to launch an attack relying on the insecure FTP protocol will be rendered useless because Firefox does not support FTP anymore,” Mozilla notes.