by carussell 4025 days ago
> Google will store your website and WiFi passwords (along with your emails and pictures) in plaintext on their servers

You're going to need to qualify that statement.

> Mozilla utterly destroyed the security of their sync system

You're going to need to qualify that statement.

2 comments

> > Google will store your website and WiFi passwords (along with your emails and pictures) in plaintext on their servers

> You're going to need to qualify that statement.

They store that information such that they can read it. Yes, it may actually be encrypted with a key they have access to, but it's effectively plaintext because they can read it.

> > Mozilla utterly destroyed the security of their sync system

> You're going to need to qualify that statement.

https://blog.mozilla.org/services/2014/04/30/firefox-syncs-n...

Your master key is stored on their servers, encrypted with a key derived from your password. That's pretty bad already, since user-memorable passwords are highly susceptible to guessing. It gets worse though, since they use Mozilla-served JavaScript to log you into your Firefox account—which means Mozilla could choose to serve someone different JavaScript and steal his password.

All it would take is a court order, and they could be forced to do it.
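To make the design being argued about concrete, here is an added illustration (not Firefox Sync's or Chrome's actual protocol, and not code from anyone in this thread) of a client wrapping a random master key under a password-derived key, so that the sync server stores only the wrapped record. The iteration count, the salt and nonce sizes, and the HMAC-SHA256 keystream used in place of AES-GCM are all choices made for this example so it runs on the standard library alone.

```python
import hashlib
import hmac
import os

# Assumed parameters for this illustration; a real deployment would pick its
# own cost factor and would use an AEAD such as AES-GCM instead of the
# HMAC-based keystream below.
PBKDF2_ITERATIONS = 100_000
KEY_LEN = 32


def derive_wrapping_key(password: str, salt: bytes,
                        iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Client-side only: stretch the user's password into a wrapping key.
    The salt is stored with the record, so an attacker holding the record
    pays exactly one PBKDF2 run per password guess; the iteration count is
    the only thing slowing that down."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=KEY_LEN)


def _subkeys(wrapping_key: bytes):
    # Separate encryption and MAC keys derived from the wrapping key.
    enc = hmac.new(wrapping_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(wrapping_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream built from HMAC-SHA256 (stand-in for a real cipher).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_master_key(master_key: bytes, password: str, salt: bytes = None) -> dict:
    """Produce the record the server stores: salt, nonce, ciphertext, tag.
    The password and the plaintext master key never leave the client."""
    salt = salt if salt is not None else os.urandom(16)
    nonce = os.urandom(12)
    enc_key, mac_key = _subkeys(derive_wrapping_key(password, salt))
    stream = _keystream(enc_key, nonce, len(master_key))
    ct = bytes(a ^ b for a, b in zip(master_key, stream))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def unwrap_master_key(record: dict, password: str):
    """Client-side recovery. Returns None on a wrong password or a tampered
    record, because the tag check fails before anything is decrypted."""
    enc_key, mac_key = _subkeys(derive_wrapping_key(password, record["salt"]))
    expected = hmac.new(mac_key, record["salt"] + record["nonce"] + record["ct"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None
    stream = _keystream(enc_key, record["nonce"], len(record["ct"]))
    return bytes(a ^ b for a, b in zip(record["ct"], stream))


def record_reveals_master_key(record: dict, master_key: bytes) -> bool:
    """What the server can learn by inspecting what it stores: the master key
    should appear nowhere in the record as stored."""
    stored = b"".join(record[k] for k in ("salt", "nonce", "ct", "tag"))
    return master_key in stored


if __name__ == "__main__":
    # Constructed sample: a fresh master key and a user-chosen passphrase.
    mk = os.urandom(KEY_LEN)
    rec = wrap_master_key(mk, "correct horse battery staple")
    print("server can read master key:", record_reveals_master_key(rec, mk))
    print("unwrap with right password:", unwrap_master_key(rec, "correct horse battery staple") == mk)
    print("unwrap with wrong password:", unwrap_master_key(rec, "password1"))
```

The two points in the thread map onto this directly: with a password-derived wrapping key the server holds only the record and cannot decrypt it, but whoever obtains that record can run password guesses offline at one PBKDF2 call each, which is why a short, memorable password is the weak link even when the scheme itself is sound. If the login page's JavaScript is served by the same party that holds the record, the password is exposed at the point where this client-side derivation runs, regardless of how strong the wrapping is.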

About the first thing: he means that Google stores them in a way so that they can access the data – instead of doing end-to-end crypto with a password-derived key.

It's only true because he's stuck the words "by default" in there. The button to set a password-based key is in the menu and then it does end-to-end crypto.

If you don't give it a key, it does the best it can with an impossible problem.

Technically, due to having a Google Account, there would be a way for that.

And if you set a master password for Chrome mobile, you can still access everything without this password on desktop Chrome, and in reverse.

As you are logged into your Google account anyway, though, they should just use your account identifier as the seed for the key if no other option is available.