New Sync should have an option to encrypt data with a secret that's not used for anything else and never entered into a Web page
Categories
(Firefox :: Sync, enhancement, P3)
Tracking
()
People
(Reporter: hsivonen, Unassigned)
References
Details
(Keywords: sec-want)
Comment 1•10 years ago
|
||
Reporter | ||
Comment 2•10 years ago
|
||
Comment 3•10 years ago
|
||
Comment 4•10 years ago
|
||
Comment 5•10 years ago
|
||
Reporter | ||
Comment 6•10 years ago
|
||
Comment 7•10 years ago
|
||
Comment 8•10 years ago
|
||
Updated•9 years ago
|
Updated•9 years ago
|
Updated•9 years ago
|
Updated•8 years ago
|
Comment 11•8 years ago
|
||
Comment 12•7 years ago
|
||
Comment 13•7 years ago
|
||
Comment 15•6 years ago
|
||
Comment 16•6 years ago
|
||
Comment 17•6 years ago
|
||
Comment 18•6 years ago
|
||
Comment 19•6 years ago
|
||
Updated•6 years ago
|
Comment 20•5 years ago
|
||
How do you protect against a court order compelling Mozilla to serve malicious JS to a user in order to phish the password ?
Comment 21•5 years ago
|
||
How do you protect against a court order compelling Mozilla to serve malicious JS to a user in order to phish the password ?
It's unclear to me if it's any different from getting a court order to land malicious client-side code to extract keys directly from the browser or to phish an encryption passphrase.
I think that in either case, it will be a legal question more than a technical one.
Here is a great example on how it's less of a technical problem and more of a legal one:
https://en.wikipedia.org/wiki/FBI%E2%80%93Apple_encryption_dispute
Reporter | ||
Comment 22•4 years ago
|
||
The "obvious" approach of adding a second passphrase just for Firefox Sync remains off the table; as discussed a bit
in [1] it's a bad user experience, and it's contagiously bad - it forces you to enter two passphrases on every device where
you want to access your sync data.
As a user, I'd like to be able to make the decision whether the UX badness is unacceptably bad for me. For example, I was very happy with the PAKE pairing of the original Sync, but others deemed it a UX problem, so now it's been six years without it. :-(
(As a developer, I totally recognize that this is the usual "why don't you just add another pref?" argument.)
Although a pairing-based approach may be awkward between desktop computers in different locations, the computer+phone use case would work rather well with Firefox on the computer exposing the requisite data as a QR code and Firefox on the phone scanning the QR code. You could also hold a phone that shows a QR code in such a way that a laptop's camera sees the QR code.
In the years since Old Sync's removal, the UX pattern of scanning a QR code to establish a TOTP key in Google Authenticator has become common enough, that I believe there'd be an addressable audience of security-minded users who would be able to perform pairing by QR code.
Comment 23•4 years ago
|
||
For example, I was very happy with the PAKE pairing of the original Sync, but others deemed it a UX problem, so now it's been six years without it. :-(
And in fact we do now point people to set up sync on their android device using a QR code, but it's not used to share the kind of separate secret you and I want it to.
Comment 24•4 years ago
|
||
(In reply to Alex Davis [:adavis] from comment #21)
How do you protect against a court order compelling Mozilla to serve malicious JS to a user in order to phish the password ?
It's unclear to me if it's any different from getting a court order to land malicious client-side code to extract keys directly from the browser or to phish an encryption passphrase.
I think that in either case, it will be a legal question more than a technical one.
This isn't true, you can turn it into a technical problem. If the only code that handles my password is in a browser which is compiled from source then a government forcing Mozilla to add code is a hugely different question than asking Mozilla to serve different code in a webpage (possibly only to particular IP addresses).
The former has many people looking over the tarballs, confirming that they came from Mozilla's source repos and the commits that add these changes. The second can be done with little to no public visibility. Furthermore there are literally hundreds of CAs that can be compromised to issue certs for accounts.mozilla.org such that Mozilla doesn't even need to be involved. (I acknowledge that the web PKI system is getting more secure but it is still far behind the security of distributing Firefox)
Comment 26•3 years ago
|
||
(In reply to Alex Davis from comment #21)
How do you protect against a court order compelling Mozilla to serve malicious JS to a user in order to phish the password ?
It's unclear to me if it's any different from getting a court order to land malicious client-side code to extract keys directly from the browser or to phish an encryption passphrase.
I think that in either case, it will be a legal question more than a technical one.
Here is a great example on how it's less of a technical problem and more of a legal one:
https://en.wikipedia.org/wiki/FBI%E2%80%93Apple_encryption_dispute
The technical different are:
1- Check-sum of a hard coded sign-in form (Firefox installation file) can be compared to other sources/websites
2- In cases like if China government make a deal with Mozilla for Chinese citizens (or my government, Iran). A signed copy of installation file (which include sign-in form) would give user assurance that he/she would have an evidence in hand if Mozilla did an illegal action
Please post you reply below (@rfkelly incorrectly considered these two requests duplicate) :
https://bugzilla.mozilla.org/show_bug.cgi?id=1700275
Updated•3 years ago
|
Updated•2 years ago
|
Description
•