A Better Firefox Sync

mmayo


We’re pleased to announce that the new version of Firefox Sync is available to test in Firefox Aurora. Current Firefox Sync users love the service, but have given us feedback that it wasn’t easy enough to set up or add devices, and in particular to recover from a lost device. We listened to this feedback and built an easier way to safely synchronize data between the desktop and mobile versions of Firefox.

The new Firefox Sync makes it much easier to do initial setup and to add multiple devices. To test the new Firefox Sync you can simply enter an email address and choose a strong, memorable password in Firefox for Windows, Mac or Linux. Then you can easily add more computers or Android devices to sync.


How do I use the new Firefox Sync?
The new Firefox Sync feature is available in Firefox Aurora. For more details on how to test Firefox Sync, read this Sumo article.

Strong Security

We believe in trust through transparency. That’s why we’ve worked in the open to develop a strong security system around the new sync.

In simplifying the Firefox Sync setup and sign-in flow, it was important not to compromise on the security of a user’s data. This release brings the same level of end-to-end encryption our current sync product employs, but is much easier to set up.

The key to improved convenience in the new Firefox Sync is data encryption based on a key that is derived from your password. This means the stronger your password is, the better your protection. We’ve taken this basic approach and hardened it in three ways:

First, client-side key stretching is a technique that allows us to protect against man-in-the-middle attacks, even when SSL credentials are compromised.

Second, end-to-end encryption means even if our servers are compromised, it is extremely difficult to access a user’s data.

And finally, public key cryptography and the BrowserID protocol allow for separation between authentication, authorization, and data storage servers – minimizing the number of servers that handle authentication material, and reducing our attack surface.

You can read a whole lot more about the security architecture of new sync in the technical documentation on github.
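
A sketch of the password-derived key approach described above, as an added example that is not Mozilla's code: the namespace string, the PBKDF2 round count and the XOR wrapping step are assumptions chosen for illustration, not the parameters of Firefox Sync. It stretches the password on the client, then derives an authentication token for the server and a separate key that stays on the device.

```python
import hashlib
import hmac

# Assumed parameters for illustration; not the values Firefox Sync uses.
NAMESPACE = b"example.invalid/sync-demo/v1/"
PBKDF2_ROUNDS = 100_000


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32, salt: bytes = b"") -> bytes:
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA256."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def stretch(email: str, password: str) -> bytes:
    """Client-side stretching: slow KDF salted with the account email."""
    salt = NAMESPACE + b"stretch:" + email.encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def derive_client_keys(email: str, password: str) -> dict:
    """Split the stretched secret into two independent values."""
    stretched = stretch(email, password)
    return {
        # Sent to the server to prove knowledge of the password.
        "auth_token": hkdf_sha256(stretched, NAMESPACE + b"auth"),
        # Never leaves the client; protects the data-encryption key.
        "unwrap_key": hkdf_sha256(stretched, NAMESPACE + b"unwrap"),
    }


def xor_wrap(key: bytes, data_key: bytes) -> bytes:
    """Wrap or unwrap a 32-byte data key (XOR is its own inverse)."""
    # Acceptable only because each derived key wraps one random key of equal length.
    return bytes(a ^ b for a, b in zip(key, data_key))


if __name__ == "__main__":
    keys = derive_client_keys("user@example.com", "correct horse battery staple")
    data_key = hashlib.sha256(b"constructed sample data key").digest()
    wrapped = xor_wrap(keys["unwrap_key"], data_key)  # what the server stores
    print("server sees:", keys["auth_token"].hex(), wrapped.hex())
    print("client recovers:", xor_wrap(keys["unwrap_key"], wrapped) == data_key)
```

A server, or anyone who intercepts the login, holds only `auth_token` and the wrapped key; neither yields `unwrap_key` without guessing the password through the slow stretching step.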


As with the previous version of Firefox Sync, users still have the option to take their data with them and host their own sync service using the open source server-side software.

As we gain experience with this new security architecture, we’re eager to continue to find the best way to have both convenient data access and whole-system security.

What’s Next?
We’re currently in the process of preparing the new Firefox Sync feature to ship to our browser users. After that, we’ll integrate synchronization features into Firefox OS.

Finally, to help build out additional Firefox Sync features more easily, we’ve created a robust account system for Firefox users and for partners to build on our user relationships. We are excited to explore what new services we can build on top of this system, to bring new interesting features to Firefox users. We promise to keep the Mozilla mission goals about putting users first, and advancing the open Web, in all service work we and our partners do.

Mark Mayo and Cloud Services Team

22 responses

  1. Pingback from Introducing Mozilla Firefox Accounts | The Mozilla Blog:

    […] Mozilla Services blog post […]

  2. praveen wrote:

    Please add an online service just to log in and access the data on any device without connecting the device.

  3. Julien wrote:

    Great news Mark. Is there any plan to sync the apps/extensions as well?

  4. Steve Phillips wrote:

    This sounds great, but how about making it (way) easier to set up one’s own Firefox Sync _server_ to house one’s own data? Is anyone working on this? Thanks.

  5. Adrian wrote:

    Will I be able to sync Firefox Nightly as well, on Windows XP and Android 4.3, following the instructions in
    https://support.mozilla.org/en-US/kb/how-sync-works-old-version-firefox?as=u&utm_source=inproduct

    Thanks,
    Adrian

  6. Sean B. wrote:

    I work in “account security” for a large web service and I’ve seen login issues en masse.

    While the original Firefox Sync has some issues with account recovery and the setup was hard to understand for a lot of people, the new system is deeply flawed. Just like all web services that rely on a password username (email) pair. And all the problems begin and end with the weakest link in this system, the users.

    There are lots of email, password lists from hacked web services (LinkedIn, Yahoo Voices, Gawker, etc.) in the wild and users all too commonly reuse their weak passwords across multiple services. This leads to attackers simply running through their lists, and it works for a surprisingly large percentage of accounts.

    Storing passwords and bookmarks is a sensitive service and the quality of the Firefox Sync architecture reflects this. However, implementing a one-factor, password-based auth puts the account’s security in the users’ hands; that’s frightening from my perspective.

    I’ll leave with this. If a user couldn’t figure out how to set up Firefox Sync previously by following the instructions and taking a set of digits from one device and entering them into another, what hope have they of picking a strong and unique password?

  7. Adrian wrote:

    Will this also work in Firefox Nightly right now?

  8. Adrien wrote:

    I think I am hardly concerned by the increased simplicity of the process, but thanks for making it simpler AND available as a self-hosted option.
    I do appreciate not to depend on another party. In the case of Mozilla, not because I fear for my personal data (after all, I trust your browser), but because I really trust in a web where everyone can be a real actor, not just a consumer.
    And when I keep my data under my control, it’s a tougher job, but I am the only one to blame when it stops working ;)

  9. Bill Gianopoulos wrote:

    I don’t think this is a good idea at all. Why should I be forced to use the same password to buy apps that I use to protect all of my web passwords??????

  10. Mark wrote:

    When will the new Sync server code be released so we can run our own instances?

  11. Alex wrote:

    It would be great to be able to switch between profiles too so I can flip between “Work” and “Home” and it would change my bookmarks etc on the fly.

  12. Stefan wrote:

    I haven’t read the details of the new sync but I hope it is at least as secure as the old one.
    Although the old one was a bit of a hassle, the security feature was its main advantage for me.

  13. Eamon Nerbonne wrote:

    Is there going to be some kind of migration possibility to upgrade from old-sync to new sync? The linked page https://support.mozilla.org/en-US/kb/how-sync-works-old-version-firefox?as=u&utm_source=inproduct describes a procedure with quite a lot of steps if you have a few machines and/or accounts.

  14. Michael Kaply wrote:

    Did you provide an easy way to disable the entire functionality this time around?

    With the old Sync, it is quite difficult to disable/remove.

  15. Rolf wrote:

    Thanks for keeping the “own server” feature!

  16. Kyle Alm wrote:

    This is great news. Love what Mozilla has been up to with Firefox OS too, very exciting stuff that will hopefully close some security gaps.

  17. Gabe wrote:

    Really hope you look at full-on password managers like LastPass and provide us with not only sync services, but a way to manage our identities across the web.

  18. Peter Nuding wrote:

    Please NOT!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    All I want is a SIMPLE (!!!) FTP-Sync for my LAN. I don’t want to send my personal data into a f…ing cloud! Some years ago I could use some FTP-Sync-Plugins. After MONTHS I have an own FSyncMS Server running. And NOW you will change the sync options again? REALLY????

    If a new update (I am scared of it every time!!!! Because Firefox Updates means: Things you like don’t work any longer) is coming out, I pray that FSyncMS will still work.

    A SIMPLE Sync on a private FTP Server in my LAN. That’s all I want! Instead of that cloud shit.

  19. Al wrote:

    I’ve created an account (through FF nightly), but it doesn’t log in for some reason. It keeps asking me to reconnect to sync, no matter how many times I log in

  20. Maggie F wrote:

    Thanks for simplifying the process. This will make business so much easier.

  21. Michael Kaply wrote:

    Is there an easy way to turn off the new Sync for enterprises?

  22. zdig one wrote:

    Hello,
    Do you have a project to enhance the Firefox social API?
    I mean, we all know the ICQ surf that allows all ppl navigating on the same domain to communicate, ppl having the same interests, same hobbies.

    So why not allow this function not only to connect via social but also to allow different connected ppl on the same domain to chat?