[wtbob]

> If they're not, it falls back to storing passwords itself with obfuscation, which is the best it can do.

No, the best it could do is to have a master password, provided at launch.

I'm really concerned about the extent to which neither Google nor Mozilla actually cares about user security. No plaintext password should ever live somewhere outside of the user's head; no password encrypted with a user-memorable password should live outside of a computer under the user's physical control. Thus, passwords (and other private data) on remote systems should always be encrypted with secure keys, themselves generated on the user's device and encrypted on his device with his memorable password.

The facts that by default Google will store your website and WiFi passwords (along with your emails and pictures) in plaintext on their servers, and that Mozilla utterly destroyed the security of their sync system, are utterly sickening.

[carussell]

> Google will store your website and WiFi passwords (along with your emails and pictures) in plaintext on their servers

You're going to need to qualify that statement.

> Mozilla utterly destroyed the security of their sync system

You're going to need to qualify that statement.

[wtbob]

> > Google will store your website and WiFi passwords (along with your emails and pictures) in plaintext on their servers

> You're going to need to qualify that statement.

They store that information such that they can read it. Yes, it may actually be encrypted with a key they have access to, but it's effectively plaintext because they can read it.

> > Mozilla utterly destroyed the security of their sync system

> You're going to need to qualify that statement.

https://blog.mozilla.org/services/2014/04/30/firefox-syncs-n...

Your master key is stored on their servers, encrypted with a key derived from your password. That's pretty bad already, since user-memorable passwords are highly susceptible to guessing. It gets worse though, since they use Mozilla-served JavaScript to log you into your Firefox account—which means Mozilla could choose to serve someone different JavaScript and steal his password.

All it would take is a court order, and they could be forced to do it.

[kuschku]

About the first thing: he means that Google stores them in a way so that they can access the data – instead of doing end to end crypto with a password derived key.

[asuffield]

It's only true because he's stuck the words "by default" in there. The button to set a password-based key is in the menu and then it does end-to-end crypto.

If you don't give it a key, it does the best it can with an impossible problem.

[kuschku]

Technically, due to having a Google Account, there would be a way for that.

And if you set a master password for Chrome mobile, you can still access everything without this password on desktop chrome, and in reverse.

As you are logged into your Google account anyway, though, they should just use your account identifier as seed for the key if no other option is available.

[newuser88273]

Expecting privacy (or privacy-preserving security) from Google products has always been folly.

Mozilla used to be different. However, when Brendan was purged, first doubts may have arisen. Now that we also see cyber-bully Klabnik on their payroll, the probability has risen sharply that Mozilla has been successfully subverted into a political pressure group.

Since Mozilla now is enrolled in support of the dominant ideology, it has no incentive for supporting privacy anymore, either: The dominant ideology wants minority opinion holders to be outed and ostracised.

[lolpep8]

How could I not think of that! Hiring a kind of SJW-ey guy to write Rust docs is just a small step in the direction of clear-text passwords and the removal of HTTPS from Firefox. Better switch to Gnome Web, then.

[newuser88273]

If Mozilla was a-political, Klabnik couldn't work there if Brendan couldn't. He can, and Mozilla isn't.

Actually, the politicalization of Mozilla means that everything technical will lose priority over time.

[icebraining]

There's no such thing as an apolitical organization; their very structure is based on underlying political beliefs.

[rmrfrmrf]

Mmk.