TNO - Trust No One.

Sun, 11 Sep 2011 19:14:23 GMT

First of all: This is not a security analysis, and no statement about the actual security of firefox sync. It's merely an analysis of the description given in the FAQ and my conclusion from that. And a brief one as well. I do not want to downplay the security of Firefox Sync. It's merely an example of how to read and judge claims of security features - documentation! I did not even look at the technical background of sync, I didn't try to use it - and I don't want to. Read on to know why.

[Update: From the comments below it seems that technically everything is well designed: Keys get generated on the client. Still, as this is about reading security information literally, the comment holds. I hope the FAQ will be updated to state this sooner or later]

Handling passwords

I know that I can save my passwords in firefox. In fact, I use this feature for certain sites. I implicitly trust the algorithm that's used for encrypting the password vault with the passphrase that I have to enter (the so called master password). Of course, this is the first thing I do after installing Firefox to a new machine. And I trust my passphrase to provide enough security for the purpose of the passwords that I save in there. And I trust that my passphrase never leaves my computer.

However, now, on a new system with the latest and greatest Firefox, Firefox not only offers to store my password, but also to sync it to Mozilla's servers. This is from a component called Sync, has been a plugin previously, but is now in the core. I guess many people might use it due to this fact.

Being the security conscious wisenheimer (why do I want my passwords to be stored on a third party computer?), I looked up "firefox sync", and got directed to Mozilla's FAQ. There it states, among other information

What is a Sync Key and why do I need one?

When you set up a Sync account we generate a long string of numbers and letters that we call a Sync Key. The Sync Key is used to encrypt your data before it's sent to the Mozilla servers. Think of it as a key that locks your information in a vault that only you can open. This means that neither Mozilla nor anyone else can read your information without having your Sync Key to unlock it.

Where's all my data?

It's encrypted with your Sync Key and safely stored on the Mozilla servers. Because Sync uses advanced security measures your information is never vulnerable to online bad guys or companies that will sell your information.

Sounds good? Well, very convenient at least. Let me emphasize the parts that caught my attention:

What is a Sync Key and why do I need one?

When you set up a Sync account we generate a long string of numbers and letters that we call a Sync Key. The Sync Key is used to encrypt your data before it's sent to the Mozilla servers. Think of it as a key that locks your information in a vault that only you can open. This means that neither Mozilla nor anyone else can read your information without having your Sync Key to unlock it.

Where's all my data?

It's encrypted with your Sync Key and safely stored on the Mozilla servers. Because Sync uses advanced security measures your information is never vulnerable to online bad guys or companies that will sell your information.

As I said, I never analyzed sync! I only read the linked FAQ article. And these two paragraphs make me want to uninstall it immediately. But I can't - it's in the core now. Well, at least I can "not use" it.

Just in case there is someone who didn't get my point from the emphasis above, here's some reasoning:

Mozilla generates a key, and nobody who does not have it can access my data. This should imply that nobody but me can access my data. But what keeps the party that generates such a key to keep a copy? I have been somewhat wary even before I started to listen to the Security Now netcast, but from Steve Gibson I learnt the term "Trust No One" (TNO), which give a name to my suspicions.

Well, and being never vulnerable is probably a bit too far fetched and would need a few disclaimers. But this is merely a small detail, not the core of my problem.

It's not that I don't trust Mozilla (I'm running their software loyally since the Netscape age, and you know that software running locally can do), but this description is hiding the underlying problems from the ingenuous reader. I know that the FAQ is a wiki - I could edit it or the discussion - but the underlying problem is not so much in this documentation, it's rather the principle that's broken (if the documentation is correct). Yes, it's a convenient solution, but no, there's no way I accept the described mode of operation as a security feature for knowingly storing data like my passwords on any third party server. I know that other's might accept this, but it really turns me down and away from this.

Even if the FAQ is incorrect ant the Sync Key is generated locally and never leaves my computer (unless I install it on another computer myself), this article shall still ask for reading such documentations accurately.

And, to finish this with another disclaimer: For the foreseeable future Firefox will stay to be my preferred browser. I'm a geek of habit, and it's easy to work around this issue by not using sync. After all, it takes some work to activate it. And I love Firefox (and the plugin zoo that I have assembled and that I'm trusting implicitly). Oh, and did I mention that I love Security Now?

Pebble 2.5 RC 1 released

Wed, 08 Sep 2010 18:42:00 GMT

A big Thank You goes to James Roper for continuing to bring pebble forward. Last week he released pebble 2.5 RC 1 - go ahead, download and test.

Major new features to test in this release include:

New plugin manager - the old entering class names and property names manually is gone, and is replaced by a new interface with inline documentation for each plugin. See http://open.jira.com/wiki/display/PEBBLE/Plugin+Development for more information.

XSRF protection - Pebble should now be safe from XSRF attacks. If while using Pebble normally, you reach an error page saying "No Security Token", then you have probably encountered a bug. Read http://open.jira.com/wiki/display/PEBBLE/XSRF+Prevention for more information.

Facebook OpenID comment authors. This plugin can be enabled in the plugin administration (make sure you read the docs carefully, you need to setup a Facebook application for your blog and enter the ID for it into Pebble for this to work).

Twitter integration

Read his original announcement on the pebble mailing list.

Pebble 2.4 released

Sun, 13 Dec 2009 19:54:00 GMT

Finally: Pebble 2.4 is out. Are you looking for a lightweight, java based blogging engine that's extremely easy to install? Pebble most likely has what you need.

Pebble 2.4 rc2 released

Thu, 03 Dec 2009 21:50:00 GMT

I've just released pebble 2.4rc2. It's been a while since 2.4rc1 and some bugs have been fixed as well as a few small features included. This is the first release since we moved svn to open.jira.com and started to use Jira as a bugtracker.

I expect 2.4 to be identical unless there's something very unexpected showing up or somebody can reproduce PEBBLE-3. Thanks for all the contributions and your patience with this release. Expect the final version before Christmas. This year!

Note to self: Eclipse freezing during startup

Fri, 13 Nov 2009 09:48:00 GMT

Today my main workspace in Eclipse froze during startup. This is a note to my future self and to whomever finds it how I fixed the issue. Skip it, if you don't use eclipse. Otherwise read on...

Mehr...

grounded - software tag

TNO - Trust No One.

Handling passwords

What is a Sync Key and why do I need one?

Where's all my data?

What is a Sync Key and why do I need one?

Where's all my data?

Pebble 2.5 RC 1 released

Pebble 2.4 released

Pebble 2.4 rc2 released

Note to self: Eclipse freezing during startup