Slashdot Mirror


Firefox Follows Chrome and Blocks the Loading of Most FTP Resources (bleepingcomputer.com)

Mozilla says it will follow in the steps of Google Chrome and start blocking the loading of FTP subresources inside HTTP and HTTPS pages. From a report: By FTP subresources, we refer to files loaded via the FTP protocol inside img, script, or iframe tags that have a src="ftp://". FTP links placed inside normal angle bracket links or typed directly in the browser's address bar will continue to work. The reasoning is that FTP is an insecure protocol that doesn't support modern encryption techniques and will inherently break many other built-in browser security and privacy features, such as HSTS, CSP, XSA, or others. Furthermore, many malware distribution campaigns often rely on compromising FTP servers and redirecting or downloading malware on users' computers via FTP subresources. Mozilla engineers say FTP subresource blocking will ship with Firefox 61, currently scheduled for release on June 26.
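The distinction the report draws, between `src="ftp://"` on img, script and iframe elements (blocked) and `ftp://` inside an ordinary anchor link (still works), is the one a site owner needs to audit for before the change ships. The following is an added example, not code from the article, from Mozilla or from Google: a small pre-flight scanner that walks an HTML string and sorts its FTP references into the two groups. It is regex-based so it runs in Node without a DOM, and the sample page it scans is constructed for the example (the host name is a placeholder).

```javascript
// Added example: audit an HTML document for ftp:// references that a
// subresource-blocking browser will refuse to load (img/script/iframe src)
// versus plain <a href="ftp://..."> links, which the report says keep working.

const SUBRESOURCE_TAGS = new Set(['img', 'script', 'iframe']);

// Opening tag: captures the tag name and its raw attribute text.
const TAG_RE = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;
// src= or href= with a double-quoted, single-quoted or unquoted value.
const ATTR_RE = /\b(src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

function isFtpUrl(value) {
  // Browsers compare the scheme case-insensitively and strip leading
  // whitespace, so "  FTP://host/x" must still count as an FTP URL.
  return /^\s*ftp:/i.test(value);
}

function auditFtpReferences(html) {
  const blocked = [];   // subresources the browser will not load
  const allowed = [];   // navigational links that remain clickable
  TAG_RE.lastIndex = 0; // global regexes keep state between calls
  let tagMatch;
  while ((tagMatch = TAG_RE.exec(html)) !== null) {
    const tag = tagMatch[1].toLowerCase();
    const attrs = tagMatch[2];
    ATTR_RE.lastIndex = 0;
    let attrMatch;
    while ((attrMatch = ATTR_RE.exec(attrs)) !== null) {
      const name = attrMatch[1].toLowerCase();
      const value = attrMatch[2] || attrMatch[3] || attrMatch[4] || '';
      if (!isFtpUrl(value)) continue;
      if (SUBRESOURCE_TAGS.has(tag) && name === 'src') {
        blocked.push({ tag, url: value.trim() });
      } else if (tag === 'a' && name === 'href') {
        allowed.push({ tag, url: value.trim() });
      }
    }
  }
  return { blocked, allowed };
}

// Constructed sample page (placeholder host, not a real site) covering
// each quoting style and both the blocked and the allowed case.
const SAMPLE_HTML = `
<html><body>
  <img src="ftp://files.example/logo.png">
  <script src='FTP://files.example/app.js'></script>
  <iframe src=ftp://files.example/frame.html></iframe>
  <img src="https://files.example/ok.png">
  <a href="ftp://files.example/pub/">browse the archive</a>
</body></html>`;

console.log(JSON.stringify(auditFtpReferences(SAMPLE_HTML), null, 2));
```

Run against a saved copy of a page, the `blocked` list is the set of references to move to HTTPS (or to drop) before the browser change lands; the `allowed` list needs no action. The scanner deliberately ignores `link`, `object` and `embed` elements because the report names only img, script and iframe; extend `SUBRESOURCE_TAGS` if a browser's actual policy turns out to be broader.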

6 of 89 comments

  1. Making money, tracking cookies. by OrangeTide · · Score: 5, Interesting

    Google, Facebook, Amazon, Apple, Microsoft, and many others wish to end the hobbyist Internet.

    FTP lacks cookies to track views. And FTP is hard for search engines to index with useful metadata for advertisers.

    --
    “Common sense is not so common.” — Voltaire

    1. Re:Making money, tracking cookies. by xxxJonBoyxxx · · Score: 3, Insightful

      >> FTP is hard for search engines to index

      (Remembers Gopher. Feels old.)

  2. Re:Why FTP? Why not an HTTPS CMS site? by CreamyG31337 · · Score: 4, Interesting

    It doesn't need to be easier or better -- it's just another attack surface that CAN be compromised, meaning that there are plenty of FTP servers out there which are misconfigured and can be used to serve malware. Due to the latency of logging in and requesting a file via FTP, no webmaster should purposely configure a site to pull a page's resources from an FTP, so it makes sense to cut it off.
    As for why it's easier or better, a badly configured FTP server is probably more likely to stay that way because the hackers hide the files and are only using disk space and bandwidth. Something like a CMS will tell you "please update me" every time you log in as admin to patch holes. Your FTP isn't going to tell you that you're a shitty admin.

  3. Re:How do you turn it off? by thegreatbob · · Score: 3, Informative

    Doesn't appear to be blocking <a href= tags, but rather things such as iframes that automatically load content.

    --
    There is no XUL, only WebExtensions...

  4. Re:Good. Kids should stay in their cribs. by rahvin112 · · Score: 3, Informative

    Every time you log in to your FTP server remotely you pass your login credentials in the clear. FTP is ancient and insecure and should be abandoned.

  5. Only FTP? by eneville · · Score: 3, Insightful

    This makes no sense to me whatsoever. I fear there is a greater quantity of exploited HTTP(S) servers out there than FTP. Is this not akin to removing telnet from Windows? The loss of functionality does not match the gain in security (is there any?). Surely the first step should be to prevent malicious content, not prevent a protocol.

    Are Mozilla thinking to block FTPS too? What about sftp (if it were ever to be introduced), would that count too?

    If the argument is that the protocol is plaintext, then HTTP should be dropped.