2020-09-02
In March of this year, Mozilla followed in the footsteps of Google and announced the upcoming end of support for the ftp protocol in its browser. That is a very good thing!
The ftp URI is the mechanism for browsers to use FTP (the File Transfer Protocol) to send and receive data from servers supporting that protocol. FTP first appeared in TCP/IP environments in 1980, but was developed in 1971 and used NCP, the TCP/IP predecessor. The protocol is not considered secure in any way, sending data, usernames, and passwords in the clear.
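What "in the clear" means in practice, as an added example that is not part of the original post: a small Python audit of a constructed FTP control-channel transcript, reporting which login details anyone on the network path could read, next to a second constructed transcript in which the client upgrades to TLS with `AUTH TLS` first. The transcripts, the host name, and the function name `audit_control_channel` are assumptions made for illustration.

```python
import re

# Constructed sample: the control channel (TCP port 21) of one plain-FTP login,
# as readable on the network path. "C:" = client, "S:" = server.
SAMPLE_PLAIN = """\
S: 220 files.example.test FTP server ready
C: USER alice
S: 331 Password required for alice
C: PASS correct-horse-battery
S: 230 User alice logged in
C: RETR payroll.csv
S: 150 Opening data connection
"""

# Constructed sample: after the 234 reply the channel is TLS, so USER/PASS are unreadable.
SAMPLE_FTPS = """\
S: 220 files.example.test FTP server ready
C: AUTH TLS
S: 234 Proceed with negotiation
"""

LINE = re.compile(r"^(?P<side>[CS]): (?P<verb>\S+)(?: (?P<arg>.*))?$")

def audit_control_channel(transcript):
    """Report what a readable FTP control channel exposes (hypothetical helper)."""
    finding = {"user": None, "password_exposed": False,
               "login_ok": False, "tls_upgraded": False, "files": []}
    pending_auth = pending_pass = False
    for raw in transcript.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        side, verb, arg = m["side"], m["verb"].upper(), m["arg"] or ""
        if side == "C":
            pending_auth = verb == "AUTH" and arg.upper() in ("TLS", "SSL")
            pending_pass = verb == "PASS"
            if verb == "USER":
                finding["user"] = arg
            elif verb == "PASS":
                finding["password_exposed"] = True  # record the fact, never the value
            elif verb in ("RETR", "STOR"):
                finding["files"].append((verb, arg))
        else:
            if verb == "234" and pending_auth:      # server accepted the TLS upgrade
                finding["tls_upgraded"] = True
            elif verb == "230" and pending_pass:    # server accepted the password
                finding["login_ok"] = True
            pending_auth = pending_pass = False
    return finding
```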
To understand why the Internet had insecure protocols such as FTP in its early days, we need to look a bit at history. In the early 1980s - and more so in the 1970s - computers and networks were very slow compared to those of today. Other than on large computers and military hardware, encrypting most data was fundamentally impractical. In addition, what we now know as the Internet was still controlled by the US Department of Defence. In those early days, encrypting data transfers was impractical, and sending data unencrypted was not a huge risk. Today encrypting data (e.g. with TLS using https) is the standard.
Mitigation
There are five common, more secure methods of uploading and downloading files over the internet or another TCP/IP network.
- Web pages can allow uploading and downloading of files. A page can request the upload or download. Mozilla has a JavaScript example one could include in a web page.
- FTPS. This is the FTP protocol over TLS, as HTTPS is HTTP over TLS. That means it is encrypted the same way web page access is encrypted. It is sadly not an approved protocol for a URI (i.e. to use in the browser), and requires a separate tool to use.
- SFTP. This is the Secure File Transfer Protocol. It is part of the SSH (Secure Shell) suite. Implementations of SSH generally include an SFTP installation. It is described in an Internet-Draft, not an RFC.
- Secure copy. Usually referred to as "scp", this is a simpler protocol than SFTP and only supports file transfer, not the other features provided by FTP. SFTP and scp are generally available on Linux and other UNIX-like systems. Windows users will find them in WinSCP (free) and other tools, potentially not for free. The WinSCP interface is intuitive for most Windows users.
- By using file-sharing tools. Google, Dropbox, Box, Amazon S3, and others allow users to share files or folders. Some can share with specific users and some allow information to be shared with anyone. The latter can be formatted (e.g. as a web page) or raw data.
I use scp when I manage web sites. Sometimes I store data on Amazon S3. I use other sites to share data depending on with whom I share them. I sometimes use those services to share files with myself, allowing access to the data from different devices.
In Learning Tree's Cyber Security introduction, Course 468, participants use hands-on activities to experience the issues with FTP and see how other tools are more secure.