Root Causes 97: Firefox to Deprecate Support for FTP
Mozilla has announced its intention to remove support for FTP from the Firefox browser, citing concerns about security and the degree of effort required to keep this functionality current. Join our hosts as they discuss this announcement and its potential effects as well as the considerations that go into choosing when to drop support for outdated, unpopular, or sub-optimal capabilities in technology products.
- Original Broadcast Date: June 4, 2020
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
So, today, we want to talk about a recent announcement from Mozilla, that Firefox, that in the Firefox browser, they are going to deprecate support for FTP. So, remember FTP?
-
Jason Soroko
You know, it's, one of those things, it's one of those, it's one of those file transfer protocols, FTP that, of course, was used for an awfully long time and, in fact, it was a great, great tool back in the earlier days of the internet, and right up until today.
-
Tim Callan
Absolutely. Like even before you had reliable use of web pages, you could be using FTP and in the early days, certainly the early days of the world-wide web, you would get lots of FTP addresses. Instead of saying http://, it would be FTP://. And it's kind of fallen out of favor. It's gone away. And so, the reasons that Mozilla is stating their intent to deprecate it is they say that it is an old and fundamentally insecure protocol, that to bring it up to contemporary security standards would be pointless considering that you can accomplish all the same things other ways and those other ways are almost all of how it's done and I think what they're doing now is they're trying to signal well in advance that this is going to go away to get people who are still dependent on FTP to move to those other methods so that when they turn it off, they're not going to break any more people than they have to.
-
Jason Soroko
Yeah. That's right, Tim. So, there's just there are just so many newer, better ways of doing it, not the least of which is SFTP, or SSHFTP, FTP/TLS. You know, frankly, Tim, whenever I'm having to move a file from a Linux server to, you know, somewhere local, probably the go-to for me is to just set up an SSH session, which I might already be in and then use SCP, which is the secure file copy. Right? So, the ways to transfer files now for a technical person are just so much better than traditional FTP, which really did not have that level of security.
-
Tim Callan
Yeah.
-
Jason Soroko
And additionally, if you're really non-technical, you're not having to, you're not dealing with a Linux to local, you know, file copy situation, there's just so many services like Dropbox, Box, Google Drive. You know, so in the traditional browser environment, which is what you'd be doing with Firefox, the number of online cloud services available to you to transfer files is definitely there and they're generally more secure.
-
Tim Callan
Yeah. And so, the concerns that people have been raising on Bugzilla, and the like, are mostly about systems that have been built, software that depends on FTP, things along those lines, right? There is a certain software application that is used by a very specific industry niche and people have this and they’re installed in lots of places, it's been around a long time, and there's nothing wrong with it, and it uses FTP, and all the sudden that's going to stop working, right, and that sort of thing. And so, part of what, because you're right, for the average person, we just use a file sharing service. We just use Box or Dropbox or something and it works just fine and that's what people do, but you maybe can't do that for these hard-coded legacy systems that are out there that have been in use for the last 15 years, you know.
-
Jason Soroko
Yeah. And for those guys, you know, if you do have a legacy system that you don't have a choice, you have to FTP to it, just don't use Firefox as your client. I mean, there's tons and tons of really, really good FTP clients out there and nobody is stopping that.
-
Tim Callan
Yeah. I would say so there's a couple nuances to put on that. One is, so this is, this change is coming as of the next release of Firefox. Version 77, which is a June release, but you will be able to go into your individual Firefox browser and configure it to accept FTP. So, what they're doing is they're doing kind of a soft deprecation. So, they're going to turn it off as the default - We've seen them do this with other things. They're going to turn it off with the default and then they've already projected, they've already announced that sometime in the future, that option is going to go away, but there's no announced timeframe for that option. So, what they're what they're going to do is they're going to try to phase it down as much as they can, but they want to give you an emergency out in case you really need this or you're just plain sunk and at the same time, they're trying to strongly message, look, this is not secure, and we need to, you know, we need to use methods that are secure and this is just not one of them.
-
Jason Soroko
That's right, Tim. It's about time. I would say that this is - - it's funny how sometimes when the big browsers talk about deprecating things, people kind of get up in arms. I'm not sure too many people are up in arms about this. It's really great that the browsers supported FTP for this long, but something that was created back - and I look just looked it up - back in 1971.
-
Tim Callan
Nice!
-
Jason Soroko
Yeah.
-
Tim Callan
Wow!
-
Jason Soroko
Yeah. It's amazing.
-
Tim Callan
Older than I thought.
-
Jason Soroko
So, you know, something that was built out long ago, really just, it’s just - -
-
Tim Callan
Yeah.
-
Jason Soroko
It was never built for security mechanisms that we have today.
-
Tim Callan
Yeah. They couldn't even fathom the challenges that we have today when people were originally creating FTP. So, you know, and, yeah, you're right, and this is where it's always tough, right? Because on the one hand, there are valid, worthwhile, productive, honorable uses of these old technologies, right? And forcing people to take their attention away from the important work they're doing, in order to change the way one of their backend IT systems works is detrimental to the fundamental mission of an organization, which is surely something other than that and it's maybe even worse for institutions and organizations that aren't necessarily super technical to begin with. So, you know, for us in the IT world, we have teams that do this kind of thing all day, every day. But imagine you're not for profit or an educational or something. That may not be the case, right? So that is where it's tough, but on the other hand, things that are outdated are outdated, right? And we just saw this play out, by the way, really, interestingly, with the TLS story, right?
So, we talked about this just a few episodes ago, but just as a reminder to everybody, Mozilla had already deprecated support for TLS 1.0 and 1.1 in Firefox, and other browsers had announced plans to follow, including Google and Microsoft, and then the COVID-19 pandemic hit and it turned out that lots and lots and lots and lots of government sites that were important for disseminating essential information about the pandemic, were still sitting on these old versions of TLS and the other browsers suspended their plans to deprecate these old versions of TLS and Mozilla actually put it back into Firefox. So, that's kind of the extreme case of what can happen when you do deprecate off this old legacy stuff that's just been built in and people have depended on for so long. But on the other hand, you got to do it, because somewhere along the line, that stuff just doesn't work anymore.
-
Jason Soroko
Yeah. You have to call a point. I think that the what you mentioned about the TLS protocol versions, that's important. I think after this pandemic gets to the point where we're more stable and people can be more assured that they have time and resources to get their patching done, I think that we're all going to move forward to the more recent versions of TLS in our browsers, and they'll all be supported. In other words, the deprecation of the older ones will occur.
-
Tim Callan
Right.
-
Jason Soroko
But what we're talking about today with FTP, I really, you know, I'd love to know if there's anybody who is seriously having to use their browser and I'm trying to think even when you brought first brought this up, Tim, the deprecation of FTP, I'm thinking back to the old, old days, when you might have been handed a file that you would get you were going to browse, you know, it's normal worldwide web browsing and then there was a reference to an FTP that you would click on and then you would immediately go to the FTP directory.
-
Tim Callan
Right.
-
Jason Soroko
And all of that rendering would happen within the browser. I remember back in those days, but I cannot remember the last time I had to do that or even wanted to do that.
-
Tim Callan
Yeah. I can't - - I honestly can't remember the last time I FTP’d anything. I think it was probably the 90s and so, yeah, there certainly are other ways to do it and that's part of the point also, um, but, you know, they have a - - they have a very, very, very large set of people who depend on them - these major browsers and especially, you know, Mozilla takes this very seriously and even ruining things for a few of them is considered to be a very bad outcome. So, you know, it's tough. It's a tough balancing act, and I understand that, but, yeah, I do agree with you these sorts of changes need to happen. The TLS one is a great example. All the browsers who have suspended their effort to deprecate these old versions of TLS have made it clear that this is temporary. It's only because of the pandemic and when we've moved beyond that they're going to do it. So, you know, there's no question. And part of that also is I know major browsers feel like to some degree, the only way they can completely force a switch over to a newer paradigm, or a newer principle or a newer algorithm, or whatever it is, is by just plain shutting off the old one. Like you can talk about it forever and you can talk about it for years, and you can socialize it, and some of it just isn't going to move and somewhere along the line, you just have to force it and they've decided that this is the time to do that for FTP and they had decided that that was the time to do that for TLS 1.0. I think they're going to continue to act that way. I don't see anything here that suggests that that will not continue to be how the major browsers make these kind of decisions.
-
Jason Soroko
Yeah. That's right, Tim. It's the right thing and with my ear to the wall, I really can't hear any complaints about this so far. So, it's a good move.
-
Tim Callan
Yeah. All right. Good move. So that's it. Nice, quick episode. As always, good to talk to you, Jay.
-
Jason Soroko
Thank you, Tim.
-
Tim Callan
And thank you, Listeners. This has been Root Causes.