Google Removes Support for FTP and Old-gen U2F Security Keys in Chrome 95 (therecord.media) 62
Google today released Chrome v95, the latest version of its popular web browser and a version that contains several changes that will likely cause problems for a considerable part of its users. The problematic changes include:
removing support for File Transfer Protocol (FTP) URLs -- ftp://
removing support for the Universal 2nd Factor (U2F) standard, used in old-generation security keys (Chrome will only support FIDO2/WebAuth security keys going forward)
adding file size limits for browser cookies
removing support for URLs with non-IPv4 hostnames ending in numbers, such as http://example.0.1
In addition to breaking changes, Chrome 95 also comes with a new UI component called the "Side Panel," which can be used to view the Chrome browser's Reading List and Bookmarks.
Re:"Removing support" (Score:5, Informative)
It just worked.
Re: (Score:2)
Re: (Score:2)
I still don't see your point.
Re: (Score:2)
You missed my point, or I didn't make it very well, I'm from the pre-browser generation & use ftp from the cli.
You should check out this new tool called Mosaic. It's a great way to browse the RFCs in FTP archives, as well as Usenet and Gopherspace.
Re: (Score:2)
FTP (Score:3)
Because some sites still have links to FTP servers to download files, and it's convenient to not launch another app to handle the URL.
Re: (Score:2)
If all you're doing is going to a site to get a file, a browser is perfectly fine. Uploading isn't all that difficult either with a browser.
Re: (Score:2, Informative)
Because at one point in time, the only FTP client the OS had was "ftp.exe"
Until Filezilla came along, most ftp clients were unusable.
Re: (Score:1)
"Until Filezilla came along, most ftp clients were unusable."
Utter rubbish. ftp is used from the command line.
ftp was/is eminently useable.
Re: (Score:2)
I have some questions about the practicality of command-line programs for the specific purpose of handling navigation in a web browser to a URL using the ftp: scheme.
1. Under Windows, to what extent can a command-line program act as a URL handler?
2. Under macOS, to what extent can a command-line program act as a URL handler?
macOS GUI is not exactly standard (Score:2)
macOS contains an OpenStep-derived GUI environment running on top of a certified UNIX operating system. In particular, this GUI is emphatically not the standardized CDE on Motif on X Window System. To what extent can a command-line program act as a URL handler for a GUI web browser running in this environment?
Re: "Removing support" (Score:2)
/bin/ftp ftw.
Re: (Score:2)
Until Filezilla came along, most ftp clients were unusable.
[citation needed]
I don't recall having any problems using ftp before 2001. I'll definitely grant that Filezilla brought some great features to the table with transparent resumes and being able to do multiple streams, but there was nothing wrong with the standard Berkeley ftp client.
Re: (Score:2)
Why would you ftp using a browser?
It's like trying to ride a bicycle using a Mack Truck's steering & control system.
Why would you run apps through a browser? That should have been the question
Re: (Score:2)
You run apps through a browser because the ability to use an app is superior to a page displaying "Sorry! This application is not yet available for your device."
A developer can reach more users by making a web application than by making a native application for one operating system. For example, it's easier for a user of Windows or desktop Linux to run a web app in a web browser than to run a macOS app at all, even if compiled from source code, because GNUstep is so incomplete at replicating Cocoa.
Re: (Score:2)
Re: (Score:2)
Or if they were using Firefox, they already couldn't use FTP links.
Download-only FTP is completely stupid. The protocol sucks balls, and offers no advantage in a browser over HTTP downloads. The only advantage is that in a real FTP client you can use mget. (Yes, I actually had a need to wholesale download an old FTP site recently, and I also noticed that Apple had removed the client from OS X 10.13. Fortunately I had a server I could SSH into and run the FTP client from there.)
Re: (Score:2)
It's easy to put back.
https://brew.sh/ [brew.sh]
Re: (Score:2)
What makes HTTP "lighter less chatty"? For one thing, it requires two connections, one of them fairly stateful. For comparison, HTTP GET is a couple lines of ASCII text for the request, several lines of ASCII text for the response, the response body, and (optionally since HTTP 1.1) a closed connection.
In the latter situation, the host running the download server could handle URLs of the form "http://ftp.example.com". Many did, and for the reasons described in the essay "Cool URIs don't change" [w3.org], they didn't
No more Yubikeys? (Score:2, Interesting)
Hopefully this doesn't lock out everything but Titan keys, as those are completely sold out.
Re: (Score:3)
Hardware won't be an issue. Websites may be. U2F refers to both a USB (or BLE, NFC, etc) web format AND a web API you can call from JS. It's the latter that's going away. WebAuthN works with newer and older security keys. So a 2013 original U2F key will continue to work just fine with WebAuthN sites, but there are a number of sites that at some point did implement U2F (the old way) and haven't upgraded to WebAuthN.
Feh (Score:2)
Chrome can gargle my balls.
What was half a browser is now about a quarter of one now.
Re: (Score:2)
Chrome can gargle my balls.
You'll need the beta release for that.
Yubico & others keys from 2018 are then out. (Score:2, Insightful)
Own a pair of Yubico 4 key from 2018 so this means I am OOL. Nothing against the relentless forward progress, but suspect little if any better security will be obtained from this.
Re:Yubico & others keys from 2018 are then out (Score:5, Interesting)
I think it's not an issue.
"Somewhat confusingly, U2F is the name for both the web-facing API and a USB security key wire protocol. The WebAuthn API supports security keys speaking either the U2F (CTAP1) or FIDO2 (CTAP2) wire protocol. The proposal here is only to remove the U2F API. Users can continue to use their U2F security keys via the WebAuthn API"
https://groups.google.com/a/ch... [google.com]
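The migration path quoted above, as an added example that is not part of the original comment or of Chromium's code: a site that called the U2F JavaScript API can keep its users' existing keys by rebuilding the request for WebAuthn with the FIDO AppID extension. The function names, the 30-second default timeout, the conservative AppID check and the sample values are assumptions of this example.

```javascript
// Added example. U2F-side field names (appId, challenge, registeredKeys,
// keyHandle, version) follow the legacy FIDO U2F JavaScript API; function
// names and defaults here are hypothetical.

// U2F used unpadded websafe base64 strings; WebAuthn wants raw bytes.
function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64.padEnd(Math.ceil(b64.length / 4) * 4, "=");
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

// Build the publicKey options for navigator.credentials.get() from the
// arguments a site used to pass to u2f.sign().
function u2fSignToWebAuthnOptions(u2fReq, rpId) {
  const appId = new URL(u2fReq.appId);
  const host = appId.hostname;
  // Conservative local check (an assumption of this example): the AppID is
  // HTTPS and its host is the RP ID or a subdomain of it. The browser still
  // applies the actual FIDO facet rules to the calling origin.
  if (appId.protocol !== "https:" || !(host === rpId || host.endsWith("." + rpId))) {
    throw new Error("AppID does not belong to RP ID " + rpId);
  }
  return {
    challenge: b64urlToBytes(u2fReq.challenge),
    rpId,
    timeout: (u2fReq.timeoutSeconds || 30) * 1000, // U2F: seconds, WebAuthn: ms
    userVerification: "discouraged", // CTAP1 (U2F) keys cannot verify the user
    allowCredentials: u2fReq.registeredKeys
      .filter((k) => k.version === "U2F_V2")
      .map((k) => ({ type: "public-key", id: b64urlToBytes(k.keyHandle) })),
    // FIDO AppID extension: lets credentials that were registered through the
    // U2F API be asserted through WebAuthn.
    extensions: { appid: u2fReq.appId },
  };
}

// Server side: pick the identifier whose SHA-256 must equal rpIdHash in the
// authenticator data, given credential.getClientExtensionResults().
function rpIdHashInput(extensionResults, rpId, appId) {
  return extensionResults && extensionResults.appid === true ? appId : rpId;
}
```

On the server, the signed client data also changes shape under WebAuthn, so assertion verification has to be updated along with the front end, not just the JavaScript call.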
FTP is a better protocol for raw file archives (Score:5, Insightful)
Re: (Score:2)
Re: (Score:3)
Admittedly it is an unusual protocol, needing a separate command and data connection. Hell I remember old clients that didn't support the Passive FTP option which required a connection from the server back to the client. In the days of NAT that's practically impossible without some unusual tricks.
Re: (Score:2)
the argument against FTP is bogus (Score:2)
we still have support for certificate authorities (CA's) so basically they are restricting the intercept ability to states
a plain-text protocol is useful and desirable in many instances
Re: (Score:3)
I don't even remember the last time I enabled an FTP daemon on a server. Unless you're running it over an encrypted tunnel like SSH, it's an insanely insecure protocol from a gentler time. On the server side, it's pretty trivial to set up a web server like Apache as a file browser if you so desire.
Re: (Score:2)
I just don't see any real place for FTP. If I need to offer files to download, HTTP is quite good. If I need authorized people to transfer data, that is what SSH sftp is for.
The only real use case I can think of for anonymous FTP is uploading something to a server, say for support bundles or test cases, but even that can be done via HTTP or SSH sftp.
FTPS (FTP with TLS) is at best a stopgap. The entire FTP protocol has been pretty much obsoleted by SSH and its transfer protocols.
Re: (Score:2)
What's very bothersome is the sudden and whimsical breaking of functionality.
So what if FIDO keys are not in the majority? It's a rather problematic thing to go to your computer one day and find that it's not possible to login to your critical accounts anymore because your browser had a security update happen in the background that you didn't even get a warning about.
Re: (Score:2)
-Yep we broke it and it is now gone, it is your problem now.
Re: (Score:1)
FIDO/U2F keys are still supported via the WebAuthn api which is what the vast majority of websites supporting hardware security keys use. The only thing being removed is the U2F protocol which is obsolete and not really relevant anymore except maybe in some rarely updated internal corporate portals (the kind of things that were using ActiveX into the 2010s).
Re: (Score:3)
Re: (Score:1)
NAT is the hack that IPv6 was supposed to eliminate. Firewalls can be built to work properly with FTP. If you need to verify your files against MiM attacks, that's what hashes are for. People put hashes on the web site, even when you're downloading via https, and you should still check that hash on your machine (but I have to admit I usually don't).
Re:FTP is a better protocol for raw file archives (Score:5, Insightful)
Worse than that, there's no way to advertise over it, and it doesn't have tracking support. This violates Google's deeply held beliefs.
Re: (Score:2)
Um, yes there is?
FTP can be easily monitored server-side just like HTTP is, and FTP was a command-line oriented system that often spat a banner at you at login time -- where you could easily put some ads.
Now of course a web browser is going to skip the banner, but it can also skip the ads.
Re: FTP is a better protocol for raw file archives (Score:1)
Re: (Score:2)
I don't know about bad. FTP was first developed in 1985, back when the Internet/Arpanet was a lot smaller and security of traffic was a lot less of a concern. There's precious little we can do with SMTP because it's ubiquitous and any significant new mail transport protocol would require updating millions, if not billions of devices, and it's pretty difficult to see how you could a better MTP that functioned like SMTP. So in that case, we just keep throwing bubble gum in the cracks. But FTP has largely fade
Re: (Score:2)
Uh, FTP actually dates back to 1971, RFC 114.
Re: (Score:2)
My mistake. I was looking at the 1985 RFC.
But heck, I remember my first introduction to the Internet being a mail and Usenet feed delivered via UUCP. The first email I ever sent out was via my OS/2 workstation running a DOS version of UUCP in a VDM around 1991. I got my first shell account through some dial-in service out of Seattle, and discovered the glories of FTP, Gopher and Links-based browsing. I remember sending an email to someone in New Zealand and being totally floored that I got a reply back in a
Re: (Score:2)
FTP clashes with the realities of the modern internet, e.g. NAT and firewalls
I haven't had a firewall problem with FTP for years and years, and I am double-firewalled and double-natted. That's a lame excuse.
Re: (Score:2)
What is the benefit of FTP over HTTPS?
Re: (Score:2)
Well if you're given the choice between the two, you get to feel a lot more l33t if you use the FTP link.
Re: (Score:1)
You can get a (machine readable) directory listing with FTP. You can't with plain HTTP. WebDAV can do it in theory with the PROPFIND command, but I have never seen that used in the wild for plain file hosting.
Speed - FTP is faster (Score:2)
FTP is going to be faster for files that are compressed already
it does not have the overhead of encryption
potentially your network optimises for the transfer because it understands the protocol (witness 5G optimisations)
so basically yes it has speed going for it and reliability since most servers and clients have worked out the kinks
Re: (Score:1)
DEY TUK UR JERRRB!! DURRA DURR!!
Re: (Score:2)
If it is, for example, a repository of old driver versions you don't need passwords. It's open to the public to peruse and download whichever file they want with minimal upkeep from whoever's hosting it.
On HTTPS you need to update the index page every single time there's a new driver.
Options +Indexes (Score:2)
On HTTPS you need to update the index page every single time there's a new driver.
Last I checked, HTTPS servers came with a configuration means to automatically generate an index page in specified directories. Under Apache, for example, use Options +Indexes
Re: (Score:2)
No it isn't. FTP is an awful protocol.
It was made for humans and not for machines, so there's about a dozen possible formats for the directory listing, including "ls" and "dir" (as in what Windows produces). Anonymous access is a hack grafted on top.
It opens a new connection per transfer which is actually inefficient in this day and age, because it takes time for TCP to ramp up, so transferring many small files is slow. There's the issues with NAT. There's the standard lack of SSL. There's that you don't kn
Every version is worse (Score:4, Insightful)
It was okay several years ago, but they added so many useless things no one asked for... shortened URLs (which complete and shift under the cursor when you want to select a word), annoying tab tooltips, icons-only links on the newtab, hard-to-click very slim scrollbars, alien UI elements overriding the OS design, the backspace, and those things they shoved down my throat hoping that I would forget, and I did.