Slashdot Mirror


Firefox Follows Chrome and Blocks the Loading of Most FTP Resources (bleepingcomputer.com)

Mozilla says it will follow in the steps of Google Chrome and start blocking the loading of FTP subresources inside HTTP and HTTPS pages. From a report: By FTP subresources, we refer to files loaded via the FTP protocol inside img, script, or iframe tags that carry a src="ftp://" attribute. FTP links placed inside normal hyperlinks (an a tag with href="ftp://") or typed directly in the browser's address bar will continue to work. The reasoning is that FTP is an insecure protocol that doesn't support modern encryption techniques and will inherently break many other built-in browser security and privacy features, such as HSTS, CSP, XSA, or others. Furthermore, many malware distribution campaigns rely on compromising FTP servers and redirecting or downloading malware onto users' computers via FTP subresources. Mozilla engineers say FTP subresource blocking will ship with Firefox 61, currently scheduled for release on June 26.
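
The summary above draws a line between a subresource fetch (img, script, iframe) and a navigation (a link or the address bar). The following is an added example in JavaScript, not code from Mozilla or Chrome, that models that rule and, going a step beyond the summary, the older http-inside-https mixed-content rule that a comment further down compares it with. The tag sets, the verdict strings, the crude tag extractor and the sample page are assumptions made for illustration.

```javascript
// Added example, not Mozilla's or Chrome's code: a model of the FTP
// subresource rule described in the summary plus the http-in-https
// mixed-content rule. Tag lists, verdict names and the sample page are
// assumptions for illustration only.

// Elements whose URL attribute is fetched automatically while the page renders.
// Active content can run code or change the DOM; passive content cannot.
const ACTIVE = new Set(["script", "iframe", "object", "embed", "link"]);
const PASSIVE = new Set(["img", "audio", "video", "source"]);

// Elements whose URL is only followed when the user acts on it (a click).
const NAVIGATION = new Set(["a", "area", "form"]);

// Decide what happens to one URL referenced from a page.
// Returns one of: "allowed", "blocked-ftp-subresource",
// "blocked-mixed-active", "mixed-passive-warning", "ignored".
function classify(pageUrl, tag, rawUrl) {
  const page = new URL(pageUrl);
  let target;
  try {
    target = new URL(rawUrl, pageUrl); // resolves relative URLs against the page
  } catch {
    return "ignored"; // unparsable URL, nothing would be fetched
  }
  const isWebPage = page.protocol === "http:" || page.protocol === "https:";

  // Plain links keep working: the browser navigates instead of embedding.
  if (NAVIGATION.has(tag)) return "allowed";
  if (!ACTIVE.has(tag) && !PASSIVE.has(tag)) return "ignored";

  // The Firefox 61 / Chrome rule: an ftp:// subresource inside an http(s) page.
  if (isWebPage && target.protocol === "ftp:") return "blocked-ftp-subresource";

  // The older mixed-content rule: http:// inside an https:// page.
  // Browsers of this era blocked active mixed content and only warned on passive.
  if (page.protocol === "https:" && target.protocol === "http:") {
    return ACTIVE.has(tag) ? "blocked-mixed-active" : "mixed-passive-warning";
  }
  return "allowed";
}

// Crude extractor for the constructed sample below: finds <tag ... src|href="...">.
// Real pages need a real HTML parser; this is only enough for the demo.
function extractReferences(html) {
  const re = /<([a-z]+)\b[^>]*?\b(?:src|href)\s*=\s*"([^"]*)"/gi;
  const refs = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    refs.push({ tag: m[1].toLowerCase(), url: m[2] });
  }
  return refs;
}

// Audit every reference on a page and attach its verdict.
function auditPage(pageUrl, html) {
  return extractReferences(html).map(({ tag, url }) => ({
    tag,
    url,
    verdict: classify(pageUrl, tag, url),
  }));
}

// Constructed sample page (not a real site, not from the article).
const SAMPLE_PAGE_URL = "https://example.test/downloads.html";
const SAMPLE_HTML = [
  '<a href="ftp://files.example.test/pub/readme.txt">README (link)</a>',
  '<img src="ftp://files.example.test/pub/logo.png">',
  '<script src="ftp://files.example.test/pub/app.js"></script>',
  '<iframe src="ftp://files.example.test/pub/index.html"></iframe>',
  '<script src="http://cdn.example.test/lib.js"></script>',
  '<img src="http://cdn.example.test/banner.png">',
  '<img src="/static/ok.png">',
].join("\n");

for (const r of auditPage(SAMPLE_PAGE_URL, SAMPLE_HTML)) {
  console.log(`${r.tag.padEnd(7)} ${r.verdict.padEnd(24)} ${r.url}`);
}
```

Running it shows the distinction the summary makes: the a href to ftp:// is allowed, the img, script and iframe pointing at ftp:// are blocked, and the http:// script on an https page is caught by the mixed-content rule that predates this change.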

14 of 89 comments

  1. TIL by bobstreo · · Score: 2

    There are still ftp servers. /s

    Seriously, why not move to block HTTP traffic? It's not secure, it can serve malicious pages, and spoof real sites...

  2. Making money, tracking cookies. by OrangeTide · · Score: 5, Interesting

    Google, Facebook, Amazon, Apple, Microsoft, and many others wish to end the hobbyist Internet.

    FTP lacks cookies to track views. And FTP is hard for search engines to index with useful metadata for advertisers.

    --
    “Common sense is not so common.” — Voltaire
    1. Re:Making money, tracking cookies. by xxxJonBoyxxx · · Score: 3, Insightful

      >> FTP is hard for search engines to index

      (Remembers Gopher. Feels old.)

    2. Re:Making money, tracking cookies. by thegarbz · · Score: 2

      Horseshit. More importantly, there was no reason at all to serve live content in a HTTP page via FTP in the first place. All you effectively do is break the efforts to optimise HTTP by introducing a random and woefully slow and inefficient protocol into part of the page rendering.

      Really this should have been blocked from the onset.

    3. Re:Making money, tracking cookies. by OrangeTide · · Score: 2

      There are reasons, even if none of them apply to your own situations.

      --
      “Common sense is not so common.” — Voltaire
  3. Re:Not that big a fan of ftp in html, but... by whoever57 · · Score: 2

    >> I'm not sure I grasp the logic of treating ftp as distinct from http (no s) from a security perspective?

    I don't think they are. This is just the same as blocking http: resources that are loaded from an https: page (mixed content blocking).

    --
    The real "Libtards" are the Libertarians!
  4. Re:Why FTP? Why not an HTTPS CMS site? by CreamyG31337 · · Score: 4, Interesting

    It doesn't need to be easier or better -- it's just another attack surface that CAN be compromised, meaning that there are plenty of FTP servers out there which are misconfigured and can be used to serve malware. Due to the latency of logging in and requesting a file via FTP, no webmaster should purposely configure a site to pull a page's resources from an FTP server, so it makes sense to cut it off.
    As for why it's easier or better, a badly configured FTP server is probably more likely to stay that way because the hackers hide the files and are only using disk space and bandwidth. Something like a CMS will tell you "please update me" every time you log in as admin to patch holes. Your FTP isn't going to tell you that you're a shitty admin.

  5. Re:How do you turn it off? by thegreatbob · · Score: 3, Informative

    Doesn't appear to be blocking <a href= tags, but rather things such as iframes that automatically load content.

    --
    There is no XUL, only WebExtensions...
  6. Good. Kids should stay in their cribs. by Seven+Spirals · · Score: 2

    The Chinese, Russians, and Indians are constantly beating on my FTP server. Well, they would be if I hadn't GeoIP blocked them (proftpd module feature). Hopefully, not being able to use FTP sites as a pivot, their interest will wane (but I'm not counting on it). I dislike FTP's multi-port design, but it's got far more full-featured servers versus something like a web server will give you (compare ProFTPd with Apache - no contest for file service, not even at all close). I hope the newschool Internet folks will just stay on their smart phones and fuck off and forget FTP exists. The problem is that when masses of idiots decide something is "the new way" they will try crap on "the old way" despite it still being useful or even required. So, I expect ISPs will think they need to block it or whatever. If it won't load up with lynx/elinks then I'm not interested anyway, HTML stopped serving normal people and started serving corporations and graphic designers after HTML 1.1.

    1. Re:Good. Kids should stay in their cribs. by rahvin112 · · Score: 3, Informative

      Every time you log in to your FTP server remotely you pass your login credentials in the clear. FTP is ancient and insecure and should be abandoned.

  7. Only FTP? by eneville · · Score: 3, Insightful

    This makes no sense to me whatsoever. I fear there is a greater quantity of exploited HTTP(S) servers out there than FTP. Is this not akin to removing telnet from Windows? The loss of functionality does not match the gain in security (is there any?). Surely the first step should be to prevent malicious content, not prevent a protocol.

    Are Mozilla thinking to block FTPS too? What about sftp (if it were ever to be introduced), would that count too?

    If the argument is that the protocol is plaintext, then HTTP should be dropped.
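
Two points raised above lend themselves to a concrete check: rahvin112's observation that an FTP login crosses the wire in the clear, and eneville's question about whether FTPS changes the picture. The following is an added example in JavaScript, not something posted in the thread or taken from any FTP implementation: a small detector run over a constructed control-channel capture. The "C:"/"S:" transcript format, the host name and the credentials are made up for the demo.

```javascript
// Added example, not from the thread or from any FTP client or server:
// a detector for cleartext FTP logins run over constructed control-channel
// captures. The transcript format ("C: " / "S: " prefixes), host names and
// credentials are assumptions made up for this demo.

// One parsed control-channel line, or null for anything that is not C:/S:.
function parseLine(line) {
  const m = /^(C|S): (.*)$/.exec(line);
  if (!m) return null;
  return { dir: m[1], text: m[2] };
}

// Walk a transcript and report credentials that were readable on the wire.
// After a successful AUTH TLS (reply 234) the control channel is encrypted,
// so a capture no longer contains readable commands; anything after that
// point is treated as unobservable rather than parsed.
function analyzeSession(transcript) {
  const credentials = [];
  let encrypted = false;
  let pendingAuth = false;
  let user = null;

  transcript.split("\n").forEach((raw, i) => {
    const line = parseLine(raw.trim());
    if (!line || encrypted) return;
    const lineNo = i + 1;

    if (line.dir === "C") {
      const [verb, ...rest] = line.text.split(" ");
      const arg = rest.join(" ");
      switch (verb.toUpperCase()) {
        case "AUTH": // client asks to upgrade to TLS; wait for the server's reply
          pendingAuth = /^(TLS|SSL)$/i.test(arg);
          break;
        case "USER":
          user = { name: arg, lineNo };
          break;
        case "PASS": // the password itself, in the clear on a plain session
          credentials.push({
            user: user ? user.name : null,
            userLine: user ? user.lineNo : null,
            password: arg,
            passLine: lineNo,
          });
          user = null;
          break;
        default:
          break;
      }
    } else if (pendingAuth) {
      // 234 means the server accepted AUTH TLS; from here on it is ciphertext.
      if (line.text.slice(0, 3) === "234") encrypted = true;
      pendingAuth = false;
    }
  });

  return { tls: encrypted, credentials };
}

// Constructed plain-FTP session: the password is visible to anyone on the path.
const PLAIN_SESSION = [
  "S: 220 ftp.example.test FTP server ready",
  "C: USER alice",
  "S: 331 Password required for alice",
  "C: PASS hunter2",
  "S: 230 User alice logged in",
  "C: PASV",
  "S: 227 Entering Passive Mode (192,0,2,10,195,80)",
  "C: RETR report.pdf",
].join("\n");

// Constructed explicit-FTPS session: after 234 only TLS records are captured.
const FTPS_SESSION = [
  "S: 220 ftp.example.test FTP server ready",
  "C: AUTH TLS",
  "S: 234 AUTH TLS successful",
  "C: <TLS record, 517 bytes>",
  "S: <TLS record, 1342 bytes>",
].join("\n");

// Print findings with the password masked; a real detector would alert, not log it.
for (const [name, capture] of [["plain", PLAIN_SESSION], ["ftps", FTPS_SESSION]]) {
  const result = analyzeSession(capture);
  console.log(`${name}: tls=${result.tls}, cleartext logins=${result.credentials.length}`);
  for (const c of result.credentials) {
    console.log(`  user ${c.user} (line ${c.userLine}) password ${"*".repeat(c.password.length)} (line ${c.passLine})`);
  }
}
```

The plain session yields one readable USER/PASS pair; the FTPS session yields none, because everything after the 234 reply is ciphertext. The caveat for eneville's question is that this only holds for explicit FTPS where the client sends AUTH TLS before USER; a server that accepts USER and PASS before the upgrade exposes them just like plain FTP.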

  8. Re:Not that big a fan of ftp in html, but... by thegarbz · · Score: 2

    >> HSTS means nothing to http (no s)

    HSTS means everything *specifically* to HTTP when there's no S. That's the fundamental point of HSTS to prevent protocol downgrade away from secure, and something that by nature does not work with FTP because there's no equivalent.

    And before you dismiss this just remember that half of the attacks on encrypted connections via the internet in the past several years have been due to downgrade attacks, and every single protocol change and advancement has specifically attempted to mitigate this.

    FTP wasn't mitigated.

    FTP in this scenario also serves zero purpose what so ever.

    No one is sad about this change. Your FTP server will continue to work just fine when you're using FTP, something that fundamentally should never serve content within a HTTP page anyway.

  9. Re:Oy by RightwingNutjob · · Score: 2

    The browser's job is to display a page as written in conformance with standards. If the standards allow protocols besides http or https for fetching resources, then too fucking bad if the protocols are not to your liking, it's still valid.

  10. Re:Oy by thegarbz · · Score: 2

    And that is precisely the point. The HTTP standard says nothing about using FTP to fetch content mid page. That entire functionality is the curious quirk that started with a browser becoming an FTP client so that it could download files that were presented as links rather than having to open a separate app. It is not, and was never meant to be, in any way, shape or form a way of delivering content within a page.

    The standards don't allow for it.
    The standards don't forbid it.
    That doesn't mean we should just blindly do it because it makes no fucking sense, breaks attempts at preventing cross-site scripting, data injection and protocol downgrades, and above all it's the most laggy and inefficient way to fetch and display content. It doesn't break a standard, but it prevents standards from being implemented properly.