Firefox to remove support for the FTP protocol

Mozilla: "We're doing this for security reasons. FTP is an insecure protocol."

firefox-ftp.png

Viewing the content of a FTP server inside Firefox

Image: ZDNet

Mozilla has announced plans today to remove support for the FTP protocol from Firefox. Going forward, users won't be able to download files via the FTP protocol and view the content of FTP links/folders inside the Firefox browser.

"We're doing this for security reasons," said Michal Novotny, a software engineer at the Mozilla Corporation, the company behind the Firefox browser.

"FTP is an insecure protocol and there are no reasons to prefer it over HTTPS for downloading resources," he said.

"Also, a part of the FTP code is very old, unsafe and hard to maintain
and we found a lot of security bugs in it in the past."

Novotny says Mozilla plans to disable support for the FTP protocol with the release of Firefox 77, scheduled for release in June this year.

Users will still be able to view and download files via FTP, but they'll have to re-enable FTP support via a preference inside the about:config page.

However, Novotny says that Mozilla will eventually remove the entire code that supports the FTP protocol inside Firefox, in the end. This is scheduled for the start of 2021, Novotny said, when there will be no workaround for re-enabling FTP support, and Firefox will stop handling FTP content altogether.

Similar plans for Chrome

Mozilla's move comes after Google took a similar decision in regards to the FTP protocol in Chrome last year.

In August 2019, Google announced plans to remove the ability to access and view FTP links from Chrome.

FTP support will be disabled by default in Chrome v81 -- currently delayed due to the coronavirus outbreak -- and all traces of the FTP protocol will be removed from the Chrome codebase in Chrome 82, scheduled for release in late spring, early summer this year.

When it announced it was removing FTP support from Chrome, Google said that only a small percentage of its userbase was accessing/using FTP links, a major factor in its decision.