
Yesterday's release of Firefox 29 features a brand new Firefox Sync experience that is much easier to use while maintaining the high standard of safety, security, and openness that you expect from Mozilla. How does the new Sync differ from the old? Read on!

Since its 2010 debut in Firefox 4, Firefox Sync had been powered by a distinctive encryption system which didn't use passwords: instead it created a unique secret key, which was used to encrypt and decrypt all your data. The only way to get at your data was to know this key. Even the Mozilla servers which held your data could not decrypt the contents.

You (almost) never saw this key, known as the "recovery key," because the normal way to set up a new device was with a technique called "pairing." When you set up a new device, you saw a single-use, 12-character "pairing code," which you could then type into the other device. Through some crypto magic, the recovery key and everything else necessary to set up Sync was safely copied to the new device, ensuring that both devices knew the secret key and could talk securely about your bookmarks and other data.

In the last four years, we've seen many problems with this scheme. The greatest is that it didn't do you much good if you only had one device: pairing is about pairs (or threes or fours). If you lost your only device, you probably also lost the only copy of your secret key, and without that key, there was no way to recover your Sync data. Pairing presented other usability issues as well: you had to be near two devices when setting it up, and many people mistook the pairing code for some sort of computer-generated password that they would need to remember.

This year, the Services group introduced Firefox Accounts, which are based on a traditional email address and a password, just like the hundreds of other account systems you're already familiar with. The new Firefox Sync is the first service to use Firefox Accounts.

The security goals remain the same: there is still a strong random secret key, and Mozilla's servers cannot decrypt your data. However, instead of using pairing, a "wrapped" version of your secret key, protected by your password, is stored alongside your Firefox Account. This means you can recover all your data, even if you lose all your devices at the same time. Setting up a new device only requires typing your Firefox Account email and password into it.

This is a significant change from the previous Firefox Sync. The security of your data now depends upon your password. If your password is guessable, somebody else could connect to your account and decrypt your data. Of course, the best passwords are randomly generated.

Given the importance of your password, we've designed Firefox Accounts such that Mozilla's services never see your password's clear text. Instead, Firefox first strengthens the password through client-side stretching with PBKDF2, and then derives several purpose-specific keys via HKDF. Neither your password nor the derived "unwrapping" key are ever transmitted to Mozilla. You can read more about the protocol in its technical description on GitHub.

We hope you'll agree that this is a step in the right direction for Sync. Try it out today and let us know about your experience in the comments!

Special thanks to Brian Warner for his contributions to this post.

Comments

I am a Sync user for a few months now and just upgraded to the new Sync. The ability to recover data when all the sync devices are lost is a very important feature. Also this sync is easy to set up and to pair devices. But, one thing I would like to have is the ability to sync my passwords with master password. Master password is an important and recommended security feature and I am not happy with this limitation in the Sync. I am not an expert in security/encryption but why can't the passwords (encrypted with master password) be synced so that on the new sync device the user can decrypt the passwords by providing the master password.

Thanks for the comment! Issues around Sync 1.5 + Master Passwords are currently being tracked in Bug 995268. There's more information on why this wasn't resolved for Firefox 29 in my comment below.

If I can reset my sync account password by just giving my email, then doesn't it mean anyone with access to my email password (including my mail provider, e.g. Gmail) can then access all my sync data (which contains every password I've ever used in my life)? So no matter how secure Firefox sync/encryption is, it doesn't matter: anyone with access to my email account, or who can hack it or guess my email password, can have access to my life. Are people aware of this? This is a major MAJOR flaw.

Thankfully, Sync 1.5 is designed with that concern in mind. You can only decrypt your Sync data if you know your Sync password, and not even Mozilla knows your Sync password.
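The following is an added worked model of the key handling the post describes (client-side PBKDF2 stretching, HKDF-derived purpose-specific keys, a password-wrapped random Sync key stored with the account). It is not Mozilla's code and not the published Firefox Accounts protocol: the salt and info labels, iteration counts, the XOR wrapping, the server-side verifier hashing, and the account name are illustrative assumptions. It also shows the two caveats raised in the post and the comments: a guessable password can be searched offline by whoever holds the server record, and an email-only password reset in this model yields a fresh key, so the old data cannot be unwrapped without the old password.

```python
"""Model of a password-wrapped Sync key (added example; not Mozilla's code).

Labels, iteration counts, XOR wrapping and verifier hashing are assumptions
made for illustration, not the real Firefox Accounts parameters.
"""
import hashlib
import hmac
import os


def hkdf_sha256(ikm, info, length, salt=b""):
    """RFC 5869 HKDF (extract + expand) with HMAC-SHA256."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def client_keys(email, password, iterations=1000):
    """All password processing happens on the client.

    auth_pw is the only value sent to the server; unwrap_key never leaves the
    device. Assumed salt layout: fixed label plus email, so two users with the
    same password get different stretched secrets.
    """
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    b"example/quickStretch:" + email.encode(),
                                    iterations, dklen=32)
    return {"auth_pw": hkdf_sha256(stretched, b"example/authPW", 32),
            "unwrap_key": hkdf_sha256(stretched, b"example/unwrapBkey", 32)}


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def verifier(auth_pw, salt):
    # Assumed: the server hashes auth_pw before storing it, so a database leak
    # does not directly hand out a working login credential.
    return hashlib.pbkdf2_hmac("sha256", auth_pw, salt, 1000)


class AccountServer:
    """Stores a verifier for auth_pw plus the wrapped key; never sees kB."""

    def __init__(self):
        self.records = {}

    def create_account(self, email, auth_pw, wrapped_kb):
        salt = os.urandom(16)
        self.records[email] = {"salt": salt, "verifier": verifier(auth_pw, salt),
                               "wrapped_kb": wrapped_kb}

    def login(self, email, auth_pw):
        """Hand the wrapped key only to a client that knows auth_pw."""
        rec = self.records[email]
        if not hmac.compare_digest(verifier(auth_pw, rec["salt"]), rec["verifier"]):
            raise PermissionError("bad password")
        return rec["wrapped_kb"]


def setup_first_device(server, email, password):
    """Generate the strong random Sync key kB and park it, wrapped, on the server."""
    kb = os.urandom(32)
    keys = client_keys(email, password)
    server.create_account(email, keys["auth_pw"], xor_bytes(kb, keys["unwrap_key"]))
    return kb


def setup_new_device(server, email, password):
    """A new device, or recovery after losing every device: email + password suffice."""
    keys = client_keys(email, password)
    return xor_bytes(server.login(email, keys["auth_pw"]), keys["unwrap_key"])


def reset_without_old_password(server, email, new_password):
    """Email-only reset in this model: the old wrapped_kb is useless without the old
    unwrap_key, so the account gets a fresh kB and the old data is unrecoverable."""
    return setup_first_device(server, email, new_password)


def offline_guess(record, email, candidates):
    """What a leaked server record buys an attacker: offline guessing. Each guess
    costs one client stretch plus one verifier hash; weak passwords fall."""
    for guess in candidates:
        keys = client_keys(email, guess)
        if hmac.compare_digest(verifier(keys["auth_pw"], record["salt"]), record["verifier"]):
            return xor_bytes(record["wrapped_kb"], keys["unwrap_key"])
    return None


def demo():
    server, email = AccountServer(), "alice@example.com"   # constructed sample account
    kb = setup_first_device(server, email, "correct horse battery staple")
    recovered = setup_new_device(server, email, "correct horse battery staple") == kb
    try:
        setup_new_device(server, email, "password123")
        wrong = "accepted"
    except PermissionError:
        wrong = "rejected"
    rec = server.records[email]
    server_knows_kb = kb in (rec["wrapped_kb"], rec["verifier"])
    guessed = offline_guess(dict(rec), email, ["123456", "password", "correct horse battery staple"]) == kb
    after_reset = reset_without_old_password(server, email, "new-password") == kb
    return {"recovered": recovered, "wrong": wrong, "server_knows_kb": server_knows_kb,
            "guessed_weak": guessed, "reset_recovers_old_kb": after_reset}


if __name__ == "__main__":
    print(demo())
```

The dictionary in offline_guess is deliberately tiny; the point is that guessing cost is bounded by the client stretch and the server verifier hash, which is why the post says the security of your data now depends on your password, and why a random password is the right choice.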
