grounded

TNO - Trust No One.

Sun, 11 Sep 2011 19:14:23 GMT

First of all: This is not a security analysis, and no statement about the actual security of firefox sync. It's merely an analysis of the description given in the FAQ and my conclusion from that. And a brief one as well. I do not want to downplay the security of Firefox Sync. It's merely an example of how to read and judge claims of security features - documentation! I did not even look at the technical background of sync, I didn't try to use it - and I don't want to. Read on to know why.

[Update: From the comments below it seems that technically everything is well designed: Keys get generated on the client. Still, as this is about reading security information literally, the comment holds. I hope the FAQ will be updated to state this sooner or later]

Handling passwords

I know that I can save my passwords in firefox. In fact, I use this feature for certain sites. I implicitly trust the algorithm that's used for encrypting the password vault with the passphrase that I have to enter (the so called master password). Of course, this is the first thing I do after installing Firefox to a new machine. And I trust my passphrase to provide enough security for the purpose of the passwords that I save in there. And I trust that my passphrase never leaves my computer.

However, now, on a new system with the latest and greatest Firefox, Firefox not only offers to store my password, but also to sync it to Mozilla's servers. This is from a component called Sync, has been a plugin previously, but is now in the core. I guess many people might use it due to this fact.

Being the security conscious wisenheimer (why do I want my passwords to be stored on a third party computer?), I looked up "firefox sync", and got directed to Mozilla's FAQ. There it states, among other information

What is a Sync Key and why do I need one?

When you set up a Sync account we generate a long string of numbers and letters that we call a Sync Key. The Sync Key is used to encrypt your data before it's sent to the Mozilla servers. Think of it as a key that locks your information in a vault that only you can open. This means that neither Mozilla nor anyone else can read your information without having your Sync Key to unlock it.

Where's all my data?

It's encrypted with your Sync Key and safely stored on the Mozilla servers. Because Sync uses advanced security measures your information is never vulnerable to online bad guys or companies that will sell your information.

Sounds good? Well, very convenient at least. Let me emphasize the parts that caught my attention:

What is a Sync Key and why do I need one?

When you set up a Sync account we generate a long string of numbers and letters that we call a Sync Key. The Sync Key is used to encrypt your data before it's sent to the Mozilla servers. Think of it as a key that locks your information in a vault that only you can open. This means that neither Mozilla nor anyone else can read your information without having your Sync Key to unlock it.

Where's all my data?

It's encrypted with your Sync Key and safely stored on the Mozilla servers. Because Sync uses advanced security measures your information is never vulnerable to online bad guys or companies that will sell your information.

As I said, I never analyzed sync! I only read the linked FAQ article. And these two paragraphs make me want to uninstall it immediately. But I can't - it's in the core now. Well, at least I can "not use" it.

Just in case there is someone who didn't get my point from the emphasis above, here's some reasoning:

Mozilla generates a key, and nobody who does not have it can access my data. This should imply that nobody but me can access my data. But what keeps the party that generates such a key to keep a copy? I have been somewhat wary even before I started to listen to the Security Now netcast, but from Steve Gibson I learnt the term "Trust No One" (TNO), which give a name to my suspicions.

Well, and being never vulnerable is probably a bit too far fetched and would need a few disclaimers. But this is merely a small detail, not the core of my problem.

It's not that I don't trust Mozilla (I'm running their software loyally since the Netscape age, and you know that software running locally can do), but this description is hiding the underlying problems from the ingenuous reader. I know that the FAQ is a wiki - I could edit it or the discussion - but the underlying problem is not so much in this documentation, it's rather the principle that's broken (if the documentation is correct). Yes, it's a convenient solution, but no, there's no way I accept the described mode of operation as a security feature for knowingly storing data like my passwords on any third party server. I know that other's might accept this, but it really turns me down and away from this.

Even if the FAQ is incorrect ant the Sync Key is generated locally and never leaves my computer (unless I install it on another computer myself), this article shall still ask for reading such documentations accurately.

And, to finish this with another disclaimer: For the foreseeable future Firefox will stay to be my preferred browser. I'm a geek of habit, and it's easy to work around this issue by not using sync. After all, it takes some work to activate it. And I love Firefox (and the plugin zoo that I have assembled and that I'm trusting implicitly). Oh, and did I mention that I love Security Now?

Radio Liferay

Fri, 19 Aug 2011 18:46:00 GMT

I've started podcasting again. It's all on liferay.com and feedburner. The current working title is "Radio Liferay" and it covers all things noteworthy about Liferay.

It's been a while

Mon, 23 May 2011 04:25:00 GMT

It's been a while since I updated this blog. During this time James Roper has been busy with a few more pebble releases. At the time of this writing, we're at 2.6.2, see the change log on open.jira.com for a summary on what's new and noteworthy.

Also, James has taken over the lead developer role for pebble. It was obvious for a while - I didn't find enough time to quickly answer to issues that he typically jumped on immediately. A big thanks for this, now I'll just need to set aside the time to upgrade this installation here. Luckily all versions of pebble have shown to be quite more stable than some (php-based) blog engines, so there's no immediate need to upgrade - one of the reasons I chose pebble in the beginning.

Finding time is a nice reminder: Being on the road quite often now (for Liferay), I've started to do Liferay community meetings where I'm travelling to. They are announced on my Liferay Blog, feel free to subscribe there to get a chance to meet, typically somewhere in europe. Even if you're not (yet?) working with Liferay, feel free to show up.

Social Bookmarks :

Pebble 2.5 RC 1 released

Wed, 08 Sep 2010 18:42:00 GMT

A big Thank You goes to James Roper for continuing to bring pebble forward. Last week he released pebble 2.5 RC 1 - go ahead, download and test.

Major new features to test in this release include:

New plugin manager - the old entering class names and property names manually is gone, and is replaced by a new interface with inline documentation for each plugin. See http://open.jira.com/wiki/display/PEBBLE/Plugin+Development for more information.

XSRF protection - Pebble should now be safe from XSRF attacks. If while using Pebble normally, you reach an error page saying "No Security Token", then you have probably encountered a bug. Read http://open.jira.com/wiki/display/PEBBLE/XSRF+Prevention for more information.

Facebook OpenID comment authors. This plugin can be enabled in the plugin administration (make sure you read the docs carefully, you need to setup a Facebook application for your blog and enter the ID for it into Pebble for this to work).

Twitter integration

Read his original announcement on the pebble mailing list.

Verpackungsweisheiten

Sat, 14 Aug 2010 12:51:49 GMT

Verpackungen begeistern mich immer wieder. Diese präzise Sprache: "komplett mit feinem Buttergeschmack", "ohne künstliche Aromastoffe", "dermatologisch getestet", "kann Spuren von Nüssen enthalten".

In diesem Kartoffelpüree "komplett mit feinem Buttergeschmack" ist jedenfalls laut Zutatenliste kein bisschen Butter enthalten. Steht ja auch nicht drauf. Ausschnitt aus der Zutatenliste, die vielleicht mehr oder weniger zum "feinen Buttergeschmack" beitragen (in umgekehrter Reihenfolge): Aroma, Milcheiweiß, Milchzucker.

Ich liebe sowas ja. Oder es frustriert mich. Kann ich nicht so genau sagen. Gleich noch ein Beispiel, dieses Mal keine Lebensmittel:

"Dermatologisch bestätigt: ph-Wert 5.5". Nun ja - das hätte nicht unbedingt ein Dermatologe bestätigen müssen. Ein durchschnittlicher Chemielaborant, vielleicht auch ein Schüler mit Zugang zu den Chemieräumen seiner Schule hätte das wohl auch gekonnt. Hätte aber nicht so gut geklungen...

Oder kann mich jemand aufklären und da steckt tatsächlich was bemerkenswertes dahinter, das ich bisher übersehen habe? Ich will ja nicht sagen, dass es keine Hautverträglichkeitsprüfungen gegeben hat, aber die Verpackung sagt zumindest darüber nichts aus.

Was mich am meisten fasziniert: Viele Menschen scheinen aus solchen Etiketten nicht das gleiche zu lesen wie ich - sonst würde z.B. bei Lebensmitteln der unverhohlene Hinweis auf den Ersatz von hochpreisigen Inhaltsstoffen durch billige Aromastoffe ja nicht wirken. Oder ist die Grundeinstellung da draußen tatsächlich "Hauptsache es schmeckt - egal wodurch"? Dann wundern mich plötzlich auch die ganzen vergangenen Gammelfleischskandale nicht mehr. Apropos: War lange keiner mehr, oder?