Re: [tor-bugs] #16778 [Tor Browser]: "Set Up Sync..." still appears in TBB 5.0 Tools menu and Prefs
#16778: "Set Up Sync..." still appears in TBB 5.0 Tools menu and Prefs
-------------------------+-------------------------------------------------
Reporter: teor | Owner: mcs
Type: defect | Status: needs_information
Priority: normal | Milestone:
Component: Tor Browser | Version:
Resolution: | Keywords: TorBrowserTeam201508R, tbb-usability
Actual Points: | Parent ID:
Points: |
-------------------------+-------------------------------------------------
Changes (by mikeperry):
* status: needs_review => needs_information
Comment:
IMO, how much we hide Sync is fully dependent on the password recovery
flow. The original Sync used to be fully end-to-end encrypted, but Mozilla
had a lot of problems with people losing their passwords/device pairings.
The new Sync claims to "derive the key securely from the password", but
it's not clear what that means:
https://support.mozilla.org/en-US/kb/firefox-sync-upgrade-frequently-asked-questions#w_are-there-any-security-concerns-with-upgrading-to-the-new-system
If Mozilla's new key derivation scheme means that they can be compelled to
reset the password or otherwise recover the end-to-end key, then I think
we should hide this as much as possible. Until then I'm on the fence.
Based on this password reset FAQ entry, it does sound like they can't
recover your sync data in that case, which is a good sign:
https://support.mozilla.org/en-US/kb/ive-lost-my-firefox-sync-account-information
This appears to be the new spec:
https://wiki.mozilla.org/Services/Sync/KeyRetrieval.
After reading that, the final question in my mind is "How is the user's
password actually handled when authenticating to Firefox Accounts either
for Sync or for other stuff?"
If the user password is just posted to the Firefox account server over
HTTPS in some auth flow, I'm back to not feeling very comfortable about
this, because then Mozilla is regularly being given the info they need to
decrypt sync data upon every Firefox Accounts login. If, OTOH, Accounts
auth is being done over some JS-based or browser-builtin HMAC/challenge-
response protocol where the actual password is never actually sent to the
server for any type of login (or account creation), then it's probably OK.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16778#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
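
The property the comment above asks about, as an added example that is not part of the original message and is not the Firefox Accounts protocol: a login where the password is never sent, and the key that encrypts synced data is derived separately from the value the server holds. All names, labels and the work factor are hypothetical.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # constructed work factor for this sketch

def stretch(password: str, email: str) -> bytes:
    """Client-side stretch; the salt is public and per-account (assumed format)."""
    salt = b"example-stretch:" + email.encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def subkey(master: bytes, label: bytes) -> bytes:
    """Domain separation: distinct labels yield unrelated keys."""
    return hmac.new(master, label, hashlib.sha256).digest()

class Client:
    def __init__(self, email: str, password: str):
        master = stretch(password, email)
        self.auth_key = subkey(master, b"auth")       # given to the server at signup
        self.data_key = subkey(master, b"sync-data")  # never leaves the client

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self.auth_key, challenge, hashlib.sha256).digest()

class Server:
    """Holds auth_key only; it never receives the password or data_key."""
    def __init__(self):
        self.auth_keys, self.pending = {}, {}

    def register(self, email: str, auth_key: bytes) -> None:
        self.auth_keys[email] = auth_key

    def challenge(self, email: str) -> bytes:
        self.pending[email] = secrets.token_bytes(32)
        return self.pending[email]

    def verify(self, email: str, response: bytes) -> bool:
        nonce = self.pending.pop(email, None)  # single use, so a replay fails
        key = self.auth_keys.get(email)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)
```

The server can still test password guesses offline against the stored `auth_key`, so the protection of `data_key` rests on password strength and the stretching cost.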