Google Removes Support for FTP and Old-gen U2F Security Keys in Chrome 95 (therecord.media) 62

Google today released Chrome v95, the latest version of its popular web browser and a version that contains several changes that will likely cause problems for a considerable part of its users. The problematic changes include:

  • removing support for File Transfer Protocol (FTP) URLs -- ftp://
  • removing support for the Universal 2nd Factor (U2F) standard, used in old-generation security keys (Chrome will only support FIDO2/WebAuthn security keys going forward)
  • adding file size limits for browser cookies
  • removing support for URLs with non-IPv4 hostnames ending in numbers, such as http://example.0.1

In addition to breaking changes, Chrome 95 also comes with a new UI component called the "Side Panel," which can be used to view the Chrome browser's Reading List and Bookmarks.

  • No more Yubikeys? (Score:2, Interesting)

    by Anonymous Coward

    Hopefully this doesn't lock out everything but Titan keys, as those are completely sold out.

    • by Average ( 648 )

      Hardware won't be an issue. Websites may be. U2F refers to both a USB (or BLE, NFC, etc) web format AND a web API you can call from JS. It's the latter that's going away. WebAuthN works with newer and older security keys. So a 2013 original U2F key will continue to work just fine with WebAuthN sites, but there are a number of sites that at some point did implement U2F (the old way) and haven't upgraded to WebAuthN.

  • Chrome can gargle my balls.

    What was half a browser is now about a quarter of one now.

  • Own a pair of Yubico 4 keys from 2018 so this means I am OOL. Nothing against the relentless forward progress, but suspect little if any better security will be obtained from this.

  • by Kremmy ( 793693 ) on Wednesday October 20, 2021 @04:05PM (#61911339)
    This trend of removing support for basic internet protocols from mainline browsers is incredibly chilling.
    • I don't understand the hate for FTP support in browsers. It's extremely handy. Looks like I need to dust off WS_FTP.
      • Admittedly it is an unusual protocol, needing a separate command and data connection. Hell I remember old clients that didn't support the Passive FTP option which required a connection from the server back to the client. In the days of NAT that's practically impossible without some unusual tricks.

        • by Megane ( 129182 )
          In addition to the goofy data channels that are a pain in the ass for firewalls when passive mode is not available, it also sends passwords completely in the clear.
      • we still have support for certificate authorities (CA's) so basically they are restricting the intercept ability to states
        a plain-text protocol is useful and desirable in many instances

      • I don't even remember the last time I enabled an FTP daemon on a server. Unless you're running it over an encrypted tunnel like SSH, it's an insanely insecure protocol from a gentler time. On the server side, it's pretty trivial to set up a web server like Apache as a file browser if you so desire.

        • I just don't see any real place for FTP. If I need to offer files to download, HTTP is quite good. If I need authorized people to transfer data, that is what SSH sftp is for.

          The only real use case I can think of for anonymous FTP is uploading something to a server, say for support bundles or test cases, but even that can be done via HTTP or SSH sftp.

          FTPS (FTP with TLS) is at best a stopgap. The entire FTP protocol has been pretty much obsoleted by SSH and its transfer protocols.

    • by mysidia ( 191772 )

      What's very bothersome is the sudden and whimsical breaking of functionality.

      So what if FIDO keys are not in the majority? It's a rather problematic thing to go to your computer one day and find that it's not possible to log in to your critical accounts anymore, because your browser had a security update happen in the background that you didn't even get a warning about.

      • Anyone that uses Thunderbird and movemail for email will be in for a nasty surprise with the last update if your distribution is set for automatic updates. Developers simply don't care about users anymore.

        -Yep we broke it and it is now gone, it is your problem now.
      • FIDO/U2F keys are still supported via the WebAuthn API, which is what the vast majority of websites supporting hardware security keys use. The only thing being removed is the U2F protocol, which is obsolete and not really relevant anymore except maybe in some rarely updated internal corporate portals (the kind of things that were using ActiveX into the 2010s).
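
The migration path that the comments by Average and the reply above describe, as an added example (not code from the page, from Chrome or from any commenter): a site that enrolled keys through the old U2F JS API can keep accepting them through WebAuthn by passing the `appid` extension. The stored-record shape (`keyHandle`, `appId`), the function names and all sample values are assumptions.

```javascript
// Added example: build WebAuthn request options for keys that were enrolled
// via the legacy U2F JS API. Record shape { keyHandle, appId } is hypothetical.

// U2F key handles are websafe-base64: URL-safe alphabet, no padding.
function websafeB64ToBytes(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/')
    .padEnd(Math.ceil(s.length / 4) * 4, '=');
  const bin = typeof atob === 'function'
    ? atob(b64)
    : Buffer.from(b64, 'base64').toString('binary');
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

// Options for navigator.credentials.get({ publicKey: ... }).
function buildRequestOptions(challenge, rpId, legacyKeys) {
  const appIds = new Set(legacyKeys.map((k) => k.appId));
  if (appIds.size > 1) {
    throw new Error('the appid extension carries a single AppID per request');
  }
  const options = {
    challenge,
    rpId,
    // U2F-only keys cannot perform user verification, so do not require it.
    userVerification: 'discouraged',
    allowCredentials: legacyKeys.map((k) => ({
      type: 'public-key',
      id: websafeB64ToBytes(k.keyHandle),
    })),
  };
  if (appIds.size === 1) {
    // Lets the browser try the old U2F AppID when the RP ID finds no match.
    options.extensions = { appid: [...appIds][0] };
  }
  return options;
}

// Server side: when getClientExtensionResults().appid is true, the
// authenticator hashed the AppID, so rpIdHash must be checked against
// SHA-256(appId) instead of SHA-256(rpId).
function expectedRpIdSource(clientExtensionResults, rpId, appId) {
  const usedAppId = Boolean(clientExtensionResults)
    && clientExtensionResults.appid === true;
  return usedAppId ? appId : rpId;
}
```

New enrollments made through WebAuthn are bound to the RP ID and need no extension; `appid` only covers credentials that were created under the old API.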

    • FTP clashes with the realities of the modern internet, e.g. NAT and firewalls, and it doesn't encrypt or authenticate transfers or the control messages, at least not in the browser implementations. You might think you don't need that anyway, because you have nothing to hide and all your transfers are openly available from public file archives anyway, but generally you want to be sure that nobody tampers with your transfers, and FTP doesn't offer that assurance. FTP's future is serving as an example of bad p
      • by Anonymous Coward

        NAT is the hack that IPv6 was supposed to eliminate. Firewalls can be built to work properly with FTP. If you need to verify your files against MiM attacks, that's what hashes are for. People put hashes on the web site, even when you're downloading via https, and you should still check that hash on your machine (but I have to admit I usually don't).

      • I don't know about bad. FTP was first developed in 1985, back when the Internet/Arpanet was a lot smaller and security of traffic was a lot less of a concern. There's precious little we can do with SMTP because it's ubiquitous and any significant new mail transport protocol would require updating millions, if not billions of devices, and it's pretty difficult to see how you could a better MTP that functioned like SMTP. So in that case, we just keep throwing bubble gum in the cracks. But FTP has largely fade

        • by sconeu ( 64226 )

          Uh, FTP actually dates back to 1971, RFC 114.

          • My mistake. I was looking at the 1985 RFC.

            But heck, I remember my first introduction to the Internet being a mail and Usenet feed delivered via UUCP. The first email I ever sent out was via my OS/2 workstation running a DOS version of UUCP in a VDM around 1991. I got my first shell account through some dial-in service out of Seattle, and discovered the glories of FTP, Gopher and Links-based browsing. I remember sending an email to someone in New Zealand and being totally floored that I got a reply back in a

      • FTP clashes with the realities of the modern internet, e.g. NAT and firewalls

        I haven't had a firewall problem with FTP for years and years, and I am double-firewalled and double-natted. That's a lame excuse.

    • by AmiMoJo ( 196126 )

      What is the benefit of FTP over HTTPS?

      • Well if you're given the choice between the two, you get to feel a lot more l33t if you use the FTP link.

      • by Anonymous Coward

        You can get a (machine readable) directory listing with FTP. You can't with plain HTTP. WebDAV can do it in theory with the PROPFIND command, but I have never seen that used in the wild for plain file hosting.

      • FTP is going to be faster for files that are compressed already
        it does not have the overhead of encryption
        potentially your network optimises for the transfer because it understands the protocol (witness 5G optimisations)

        so basically yes it has speed going for it and reliability since most servers and clients have worked out the kinks

      • by Gavino ( 560149 )
        FTP is better than HTTPS because with FTP, your passwords travel in the clear. Everything you download also travels in the clear. This gives hackers lots and lots of targets. And targets create vulnerabilities. And vulnerabilities lead to hacks. And hacks lead to issues for businesses. And businesses having issues leads to jobs for IT security staff. So what, you want to suddenly just put loads and loads of people out of a job?! How dare you! (said Greta-style)

        DEY TUK UR JERRRB!! DURRA DURR!!
        • by Calydor ( 739835 )

          If it is, for example, a repository of old driver versions you don't need passwords. It's open to the public to peruse and download whichever file they want with minimal upkeep from whoever's hosting it.

          On HTTPS you need to update the index page every single time there's a new driver.

          • On HTTPS you need to update the index page every single time there's a new driver.

            Last I checked, HTTPS servers came with a configuration means to automatically generate an index page in specified directories. Under Apache, for example, use Options +Indexes

    • by vadim_t ( 324782 )

      No it isn't. FTP is an awful protocol.

      It was made for humans and not for machines, so there's about a dozen possible formats for the directory listing, including "ls" and "dir" (as in what Windows produces). Anonymous access is a hack grafted on top.

      It opens a new connection per transfer which is actually inefficient in this day and age, because it takes time for TCP to ramp up, so transferring many small files is slow. There's the issues with NAT. There's the standard lack of SSL. There's that you don't kn

  • by Gabest ( 852807 ) on Wednesday October 20, 2021 @11:58PM (#61912547)

    It was okay several years ago, but they added so many useless things no one asked for... shortened URLs (which complete and shift under the cursor when you want to select a word), annoying tab tooltips, icons-only links on the newtab, hard-to-click very slim scrollbars, alien UI elements overriding the OS design, the backspace, and those things they shoved down my throat hoping that I would forget, and I did.
