Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

If firefox really cared about its users maybe it should stop force-feeding "value-adds" like Hello and Pocket down everyone's throat by default.


If Firefox really cared about its users maybe it shouldn't have broken the security of Firefox Accounts and Sync. It used to be secure; it no longer is.


Source?


See my comment at https://news.ycombinator.com/item?id=11684378.

The short version is that Mozilla now uses one's Firefox account password to secure one's synced data — but there are places one enters one's Firefox account password which load JavaScript from Mozilla servers, which means that Mozilla, an employee or a government (or anyone else who can act as mozilla.com …) can serve malicious JavaScript and steal one's Firefox password and all synced data, including browsing history and passwords.

This is flat-out unacceptable.


[I edited my answer, because now I read that new system is claimed to be end-to-end secure as well]

https://support.mozilla.org/en-US/kb/sync-your-firefox-bookm...

In the old system your data was encrypted with a key that was only stored on your devices. Adding a new device meant that you had to do a kind of key exchange process (which was perceived as complicated[1]).

When Mozilla introduced the new system there was very little information on how the data was encrypted. I think the documentation only said that they used TLS (or something like that). But when reading their current documentation I see that it's not the case; they are apparently encrypting your data with a key derived from your password. So if you use a (cryptographically) strong password it should be secure[2]. Assuming that it works as documented of course.

[1] http://www.cnet.com/news/mozilla-adopts-plain-vanilla-passwo...

[2] https://support.mozilla.org/en-US/kb/firefox-sync-upgrade-fr...


The new system encrypts one's secrets with a function of one's Firefox account password and stores it on Mozilla's servers. That has two effects: one, an insecure Firefox account password (i.e., a password it is possible to remember) can compromise one's entire synced data; two, anywhere one enters one's Firefox account password is a potential danger.

As it turns out, Mozilla serves JavaScript files which are used to handle Firefox account passwords. Any government Mozilla is beholden to could compel them to serve malicious versions of those files and steal one's Firefox account password (and then decrypt all of one's synced data, including passwords). Likewise, a malicious Mozilla employee could do the same.

As a result Mozilla Sync may no longer be used by anyone who cares about the privacy of his browsing history and/or passwords.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: