[josteink]

I see this as a reaction to the competition they're facing with Google Chrome.

With Google Chrome you log into your Google account. email + password and all is good. It's simple, but fundamentally insecure. Google, NSA and whoever else they partner with can poke at all your data without restriction because it is based on a centralized authentication model.

Firefox always based its sync on a secure model where no data was stored unencrypted at Mozilla's sync-servers. There was no traditional "account" which Mozilla had to validate. You could also chose to use your own sync server. Either way, they can not peek at your data.

You gave Firefox your email and a "password" and from that it generated some private keys used to encrypt the data sent to Mozilla. Private keys which you then had to distribute to other Firefox'es one way or another.

They attempted to ease the pain by having some "pair this device" wizards with 3 simple values you could copy from device A to device B, but in the end it still meant that the superior security came at a cost.

No non-technical people I know use Firefox's sync, but everyone I know who use Chrome also use its sync feature.

When comparing browser, some people literally list out "sync" as thing Chrome does and Firefox doesn't. That tells you a lot about how a simple and in your face implementation can drive adaptation. (I think Chrome's approach is too in-your-face, but that's another discussion.)

I honestly believe Firefox's original model is superior once you get past the initial warts, but I can see why they are making the changes they do.

[dochtman]

This isn't really accurate.

The problem with Firefox's current/old sync model is recovery. I.e., users think they're getting their stuff (history, passwords, etc) backed up, but when they lose their device, their data is gone forever, because almost none of them will have bothered to write down the long random string that functioned as their sync key. Also, the pairing was relatively hard to use for "normal" users.

In the newer Firefox Accounts model, yes, Mozilla will use a username/password model for users. However, the password is never sent to Mozilla in the clear, and data is still encrypted with a password-derived key before being sent to Mozilla. However, users can still recover their data because they know (something that can be used to generate) the key used to encrypt their data.

See here for more details: https://github.com/mozilla/fxa-auth-server/wiki/onepw-protoc...

I do think Mozilla would have promoted Sync more if it didn't have the recovery/UX issues I mentioned, so in that sense it might be a response to Google's model, but Mozilla's model still has a very well thought-out privacy strategy.

For those who actually liked the previous random key model + pairing, I think they might reinstate that as an option within the newer protocol/implementation at some point.

[haakon]

I really hate that this new model requires trust, whereas the old one did not. Even if I trust Mozilla not to peek, I have to accept that all my data, including all my passwords, now become subpoenable.

I get that the old model is too complicated for most people, but I really like it and am able to handle it just fine. I don't want to trust the NSA, damnit.

[ordinary]

This is incorrect. Both in the new scheme and the old, sensitive data is encrypted. In the old scheme, this key was randomly generated, while in the new, it is derived from a password. Either way, you do not need to trust Mozilla.

The main security concern (as far as I can tell, and I'm far from an expert) seems to be that the KDF used in the new protocol is not as strong as the one used in the current Sync protocol.

You should read the link posted in the post you replied to, especially the security analysis. It is quite readable and might allay some of your fears.

[pgeorgi]

Can you still host your own easily under the new model? That aspect of Firefox Sync was already deemphasized before, and that this is lost is what I fear the most with such changes.

My data silo is a box 80cm to my right. No need to start a new one at Mozilla Inc/Org.

[dochtman]

All the software for running a server is open source, I think, so in that sense it should be possible. Whether there will still be enough prefs such that you can get Firefox to sync against a different host, I'm not sure, but it seems likely that that will be possible.

[GrinningFool]

> ut when they lose their device, their data is gone forever, because almost none of them will have bothered to write down the long random string that functioned as their sync key. Al

This hasn't been true in my experience. I can initiate a sync from any previously synced device, so as long as I have one sync'd device available I can still get my data back.

[sp332]

Lucky you, having lots of devices.

[blueskin_]

Agreed. I don't use either sync, but I know Firefox's is secure (at least, the old private key one - not sure if that's about to be removed) and would consider it if I had a use case of many browsers, while Google's probably just dumps all my bookmarks etc (even saved passwords, if I saved them in the browser...) onto a google/NSA server.