date 2018-04-10
Firefox Follows Chrome and Blocks the Loading of Most FTP Resources (bleepingcomputer.com)
Mozilla says it will follow in the steps of Google Chrome and start blocking the loading of FTP subresources inside HTTP and HTTPS pages. From a report: By FTP subresources, we refer to files loaded via the FTP protocol inside img, script, or iframe tags that have a src="ftp://". FTP links placed inside normal angle bracket links or typed directly in the browser's address bar will continue to work. The reasoning is that FTP is an insecure protocol that doesn't support modern encryption techniques and will inherently break many other built-in browser security and privacy features, such as HSTS, CSP, XSA, or others. Furthermore, many malware distribution campaigns often rely on compromising FTP servers and redirecting or downloading malware on users' computers via FTP subresources. Mozilla engineers say FTP subresource blocking will ship with Firefox 61, currently scheduled for release on June 26.
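An audit a site owner could run ahead of the change, added here as an example and not taken from the report, Mozilla or Google: it parses a page and separates ftp:// references in img, script and iframe src attributes (the subresources the summary describes as blocked) from ftp:// links in ordinary anchors, which keep working. The class and function names and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags the summary names as affected when their src points at ftp://
SUBRESOURCE_TAGS = {"img", "script", "iframe"}

# Constructed sample page (not from any real site)
SAMPLE_PAGE = """<html><body>
<img src="ftp://files.example.org/logo.png">
<script src="https://cdn.example.org/app.js"></script>
<iframe src="FTP://files.example.org/frame.html"></iframe>
<a href="ftp://files.example.org/pub/">Download area</a>
</body></html>"""


def is_ftp(url):
    """True when the URL's scheme is ftp (schemes are case-insensitive)."""
    return bool(url) and urlsplit(url.strip()).scheme.lower() == "ftp"


class FtpSubresourceAuditor(HTMLParser):
    """Collect ftp:// references as (line, tag, url) tuples."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.blocked = []  # subresources that would no longer load
        self.links = []    # plain <a href> navigation, unaffected

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        line = self.getpos()[0]  # line where the tag starts
        if tag in SUBRESOURCE_TAGS and is_ftp(attrs.get("src")):
            self.blocked.append((line, tag, attrs["src"].strip()))
        elif tag == "a" and is_ftp(attrs.get("href")):
            self.links.append((line, tag, attrs["href"].strip()))


def audit(html):
    """Return (blocked_subresources, unaffected_links) for one HTML document."""
    parser = FtpSubresourceAuditor()
    parser.feed(html)
    parser.close()
    return parser.blocked, parser.links


if __name__ == "__main__":
    blocked, links = audit(SAMPLE_PAGE)
    for line, tag, url in blocked:
        print(f"line {line}: <{tag}> src={url} would be blocked; move it to HTTPS")
    for line, tag, url in links:
        print(f"line {line}: <{tag}> href={url} still works as a link")
```

Only static markup is inspected; resources injected by script at runtime would need a check in the browser itself.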
Why FTP? Why not an HTTPS CMS site? (Score:2)
Making money, tracking cookies. (Score:4, Interesting)
Google, Facebook, Amazon, Apple, Microsoft, and many others wish to end the hobbyist Internet.
FTP lacks cookies to track views. And FTP is hard for search engines to index with useful metadata for advertisers.
(Remembers Gopher. Feels old.)
It doesn't need to be easier or better -- it's just another attack surface that CAN be compromised, meaning that there are plenty of FTP servers out there which are misconfigured and can be used to serve malware. Due to the latency logging in and requesting a file via FTP, no webmaster should purposely configure a site to pull a page's resources from an FTP, so it makes sense to cut it off.
As for why it's easier or better, a badly configured FTP server is probably more likely to stay that way because the
There are still ftp servers.
Seriously, why not move to block HTTP traffic? It's not secure, it can serve malicious pages, and spoof real sites...
Not that big a fan of ftp in html, but... (Score:2)
I'm not sure I grasp the logic of treating ftp distinct from http (no s) from a security perspective?
I don't think they are. This is just the same as blocking http: resources that are loaded from an https: page (mixed content blocking).
That's the only information I need. I'll decide whether I want to visit an FTP link or not, thanks.
