by pmontra 3427 days ago
At least Sync can be self-hosted (https://github.com/mozilla-services/syncserver), and is there any open standard for that kind of syncing?

I'm about to self-host Sync myself, so I'm interested in your claim about it being insecure. I won't sync passwords or form fields, because I don't store them in the browser. Only browsing history and maybe tabs, but for sure I don't want to send all my desktop tabs to my phone. Most of them won't make any sense there.

1 comment

In short, the crypto itself looks okay (I'm not a cryptographer!), but the auth form you see is served over the network. It doesn't send the password back - it just passes it to the browser runtime so it can run KDFs on it - but you won't know what you'll get served next time.

As for the protocol - there is WebDAV. Seriously. It's functionally equivalent to what their blob storage does, except simpler, vendor independent, and it doesn't mandate any particular auth scheme. Oh, and their auth protocols are a total mess (BrowserID, HAWK _and_ OAuth - three different protocols are necessary just to talk to the damn system!). I get it, three teams were working on different pieces (accounts, tokenserver and the actual sync blob storage), but they could've at least tried not to invent that and used something standard instead. Or, at the very least, settled on a single protocol.

I'm saying this as someone who has spent some time reading docs and reverse engineering the rest, and has implemented an almost-working (sans some undocumented oddities and a few lazy omissions leading to glitches, but it mostly works-for-me) standalone sync1.5 server - the same functionality could've been done in a much saner and simpler way.