30 Jul 2021
Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Maintained by Hanno Böck.
With the recent release of Mozilla Firefox version 90, all support for the FTP protocol was removed from the browser. Mozilla followed the lead of Chrome, which also removed all FTP support.
The removal of FTP goes along with the increasing efforts of browsers to default to encrypted connections with HTTPS. In theory, TLS support for FTP is possible, but browsers never supported that. Thus browser downloads via the FTP protocol were never protected against manipulation and eavesdropping.
Some may ask why browsers didn’t instead decide to support FTP with TLS. It turns out that this is quite problematic and prone to security bugs. This stems from the fact that FTP uses a control channel and a separate channel for file transfers, and their interaction is quite fragile.
In 2015, the cross-protocol attacks discovered by Jann Horn demonstrated those weaknesses. Chris Evans, who maintained vsftpd, noted this at the time when he wrote about the “horrors of FTP over SSL.” The recently published ALPACA attack, which we covered last month, shows some variations of these vulnerabilities.
Given these weaknesses, and the fact that there are not many advantages to using FTP these days, it’s understandable that browsers decided to completely remove FTP support.
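The split between the control channel and the data channel can be made concrete with a small audit of a client/server command log. The following is an added example, not code from the newsletter: it assumes the RFC 4217 commands (AUTH TLS, PBSZ, PROT, CCC) and a constructed "C:"/"S:" transcript format, and flags transfers whose data channel stays cleartext even though the control channel was upgraded.

```python
# Added example: audits a log-style FTP control-channel transcript (RFC 4217 commands).
TRANSFER_CMDS = {"RETR", "STOR", "STOU", "APPE", "LIST", "NLST", "MLSD"}

def audit_control_transcript(lines):
    """Return (line_no, verb, reason) for each step that is not TLS-protected.

    Lines use a constructed format: "C: <command>" and "S: <reply>".
    """
    tls_on = False   # control channel protected (AUTH TLS accepted with 234)
    prot = "C"       # data channel level; stays C (Clear) until PROT P is accepted
    pending = None   # last client command still waiting for its reply
    findings = []
    for no, line in enumerate(lines, 1):
        side, _, text = line.partition(": ")
        parts = text.split()
        if side == "C" and parts:
            verb = parts[0].upper()
            pending = (verb, parts[1].upper() if len(parts) > 1 else "")
            if verb in ("USER", "PASS") and not tls_on:
                findings.append((no, verb, "credentials on cleartext control channel"))
            elif verb in TRANSFER_CMDS and not tls_on:
                findings.append((no, verb, "control and data channels both cleartext"))
            elif verb in TRANSFER_CMDS and prot != "P":
                findings.append((no, verb, "control channel is TLS, data channel is cleartext"))
        elif side == "S" and pending and text[:3].isdigit() and text[3:4] != "-":
            (verb, arg), code, pending = pending, text[:3], None
            if verb == "AUTH" and arg == "TLS" and code == "234":
                tls_on, prot = True, "C"   # a fresh TLS session starts at PROT C
            elif verb == "PROT" and code == "200":
                prot = arg                 # only an accepted PROT changes the level
            elif verb == "CCC" and code == "200":
                tls_on = False             # control channel reverts to cleartext
    return findings

# Constructed sample session: the first RETR runs before PROT P was negotiated.
SAMPLE = [
    "S: 220 FTP ready", "C: AUTH TLS", "S: 234 Proceed with negotiation",
    "C: USER alice", "S: 331 Password required",
    "C: PASS <redacted>", "S: 230 Logged in",
    "C: PASV", "S: 227 Entering Passive Mode (192,0,2,10,195,80)",
    "C: RETR report.pdf", "S: 150 Opening data connection", "S: 226 Transfer complete",
    "C: PBSZ 0", "S: 200 PBSZ=0", "C: PROT P", "S: 200 Protection level set to Private",
    "C: RETR report.pdf", "S: 150 Opening data connection", "S: 226 Transfer complete",
]

if __name__ == "__main__":
    for finding in audit_control_transcript(SAMPLE):
        print(finding)
```

Only the first RETR in the sample is reported: the login and the second download happen after the relevant channel was protected.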