by samuellb
3695 days ago
[I edited my answer, because now I read that the new system is claimed to be end-to-end secure as well]
https://support.mozilla.org/en-US/kb/sync-your-firefox-bookm...
In the old system your data was encrypted with a key that was only stored on your devices. Adding a new device meant that you had to do a kind of key exchange process (which was perceived as complicated[1]).
When Mozilla introduced the new system there was very little information on how the data was encrypted. I think the documentation only said that they used TLS (or something like that). But when reading their current documentation I see that it's not the case; they are apparently encrypting your data with a key derived from your password. So if you use a (cryptographically) strong password it should be secure[2]. Assuming that it works as documented, of course.
[1] http://www.cnet.com/news/mozilla-adopts-plain-vanilla-passwo...
[2] https://support.mozilla.org/en-US/kb/firefox-sync-upgrade-fr...
As it turns out, Mozilla serves JavaScript files which are used to handle Firefox account passwords. Any government Mozilla is beholden to could compel them to serve malicious versions of those files and steal one's Firefox account password (and then decrypt all of one's synced data, including passwords). Likewise, a malicious Mozilla employee could do the same.
As a result Mozilla Sync may no longer be used by anyone who cares about the privacy of his browsing history and/or passwords.