TNO - Trust No One.
Exploring firefox sync
First of all: This is not a security analysis, and no statement about the actual security of firefox sync. It's merely an analysis of the description given in the FAQ and my conclusion from that. And a brief one as well. I do not want to downplay the security of Firefox Sync. It's merely an example of how to read and judge claims of security features - documentation! I did not even look at the technical background of sync, I didn't try to use it - and I don't want to. Read on to know why.
[Update: From the comments below it seems that technically everything is well designed: Keys get generated on the client. Still, as this is about reading security information literally, the comment holds. I hope the FAQ will be updated to state this sooner or later]
Handling passwords
I know that I can save my passwords in firefox. In fact, I use this feature for certain sites. I implicitly trust the algorithm that's used for encrypting the password vault with the passphrase that I have to enter (the so called master password). Of course, this is the first thing I do after installing Firefox to a new machine. And I trust my passphrase to provide enough security for the purpose of the passwords that I save in there. And I trust that my passphrase never leaves my computer.
However, now, on a new system with the latest and greatest Firefox, Firefox not only offers to store my password, but also to sync it to Mozilla's servers. This is from a component called Sync, has been a plugin previously, but is now in the core. I guess many people might use it due to this fact.
Being the security conscious wisenheimer (why do I want my passwords to be stored on a third party computer?), I looked up "firefox sync", and got directed to Mozilla's FAQ. There it states, among other information
What is a Sync Key and why do I need one?
When you set up a Sync account we generate a long string of numbers and letters that we call a Sync Key. The Sync Key is used to encrypt your data before it's sent to the Mozilla servers. Think of it as a key that locks your information in a vault that only you can open. This means that neither Mozilla nor anyone else can read your information without having your Sync Key to unlock it.
Where's all my data?
It's encrypted with your Sync Key and safely stored on the Mozilla servers. Because Sync uses advanced security measures your information is never vulnerable to online bad guys or companies that will sell your information.
Sounds good? Well, very convenient at least. Let me emphasize the parts that caught my attention:
What is a Sync Key and why do I need one?
When you set up a Sync account we generate a long string of numbers and letters that we call a Sync Key. The Sync Key is used to encrypt your data before it's sent to the Mozilla servers. Think of it as a key that locks your information in a vault that only you can open. This means that neither Mozilla nor anyone else can read your information without having your Sync Key to unlock it.
Where's all my data?
It's encrypted with your Sync Key and safely stored on the Mozilla servers. Because Sync uses advanced security measures your information is never vulnerable to online bad guys or companies that will sell your information.
As I said, I never analyzed sync! I only read the linked FAQ article. And these two paragraphs make me want to uninstall it immediately. But I can't - it's in the core now. Well, at least I can "not use" it.
Just in case there is someone who didn't get my point from the emphasis above, here's some reasoning:
Mozilla generates a key, and nobody who does not have it can access my data. This should imply that nobody but me can access my data. But what keeps the party that generates such a key to keep a copy? I have been somewhat wary even before I started to listen to the Security Now netcast, but from Steve Gibson I learnt the term "Trust No One" (TNO), which give a name to my suspicions.
Well, and being never vulnerable is probably a bit too far fetched and would need a few disclaimers. But this is merely a small detail, not the core of my problem.
It's not that I don't trust Mozilla (I'm running their software loyally since the Netscape age, and you know that software running locally can do), but this description is hiding the underlying problems from the ingenuous reader. I know that the FAQ is a wiki - I could edit it or the discussion - but the underlying problem is not so much in this documentation, it's rather the principle that's broken (if the documentation is correct). Yes, it's a convenient solution, but no, there's no way I accept the described mode of operation as a security feature for knowingly storing data like my passwords on any third party server. I know that other's might accept this, but it really turns me down and away from this.
Even if the FAQ is incorrect ant the Sync Key is generated locally and never leaves my computer (unless I install it on another computer myself), this article shall still ask for reading such documentations accurately.
And, to finish this with another disclaimer: For the foreseeable future Firefox will stay to be my preferred browser. I'm a geek of habit, and it's easy to work around this issue by not using sync. After all, it takes some work to activate it. And I love Firefox (and the plugin zoo that I have assembled and that I'm trusting implicitly). Oh, and did I mention that I love Security Now?