Chrome Security

Google developers have wanted to remove FTP support from Chrome for years and an upcoming change in how files stored on FTP servers are rendered in the browser may be the first step in its ultimate removal. 

Currently, when a user opens a file on an FTP server using Chrome, it will try to render that file in the browser. For example, if you go to the URL ftp://ftp.hp.com/pub/extaccel/landing.jpg, it will render the image directly in the browser as shown below.

Rendering an image via an FTP url

In a recent conversation, Chrome developers stated their intent to change Chrome so that it no longer renders images or other file types located on an ftp:// URL directly in the browser. Instead, if you open an ftp:// URL, Chrome will download the file rather than opening it in the browser. For FTP directory indexes, though, Chrome will continue to display them.

"Rather than rendering resources requested via FTP, we should download them," stated the conversation. "We should continue to render directory listings, but we will not render anything else. That is, ftp://ftp.hp.com/ will render the same, exciting directory listing you see today; while ftp://ftp.hp.com/pub/test2/test2 will result in a `test2` file being downloaded.

FTP is a non-securable, legacy protocol. We've WONTFIXed FTP support on iOS, but its usage in Blink-based Chrome is high-enough that it seems difficult to remove all at once. This seems like a reasonable way of reducing its viability as an attack surface as a stepping stone to more complete removal."

Based on bug tickets and discussions read by BleepingComputer, Google developers have advocated for the removal of FTP support in Chrome for over 4 years because it is little used and adds an attack surface that Chrome cannot properly secure, compared to offering the same files over an HTTPS connection.

It started in January 2014, when a former Chrome developer created a Chrome bug report to discuss the removal of FTP support in the browser.

"We should consider removing built-in support for FTP from Chrome and move it out to an app.

Over a 7-day period, only .1-.2% of users end up navigating to any FTP URL (with slightly higher numbers amongst Linux desktop users). This has been fairly stable over the last year, so it doesn't look like there are trends for FTP to disappear altogether.

With the combination of the sockets API and the downloads API it may be possible to construct a Chrome App which handles this well. Also would need a way to be able to register an app/extension to handle a particular URL scheme so that navigations would be seamless for users of FTP apps.

This isn't urgent priority, but might be a nice code cleanup for a little-used feature."

While this bug report never went anywhere, over the years further bug reports were opened to block ftp:// requests on https pages, force PDF files to download from FTP, disable JS on FTP sites, disable rendering of FTP resources in the browser, and finally to not support FTP in iOS at all.

Deciding not to support FTP in Chrome for iOS

With its support slowly being chipped away, the decision to no longer support FTP in iOS, Kernel.org disabling FTP services, the privacy and security risks associated with FTP, and its lack of usage, we should expect to see it eventually removed altogether.

Firefox wants to remove FTP support as well

The Chrome developers are not alone in their desire to remove FTP support from browsers. In a Bugzilla issue opened over 18 years ago about adding support for FTP over SSL, recent comments posted 5 months ago explain that the ultimate goal is to remove FTP support from Firefox as well.

Due to this, the developers closed the issue, stating "Since we (sooner or later) would like to deprecate FTP completely, we should not add more code in that area to our codebase."

Firefox to deprecate FTP support as well

If both Chrome and Firefox decide to eliminate FTP from their browsers, we will most likely see other browsers follow suit in order to reduce the complexity of their codebase and to remove rarely used features.
