The changing face of software quality

Stuart Philp

TL;DR

The QA function in software is changing, and has been for a while. It is less about validating changes and writing test plans, and more about pushing quality forward through tools, automation, and process refinement. We must work to improve the QA phase (everything between “dev complete” and “ready for deployment”) and quality throughout the whole life-cycle. In doing so QA becomes a facilitator, an ambassador, a shepherd of code, providing simple, confident, painless ways of getting things out the door. We may become reliability engineers, production engineers, tools engineers, infrastructure engineers, and/or release engineers. On smaller teams you may be many of these things; on bigger ones they may be distinct roles. The line between QA and Ops may blur, as might the line between Dev and QA. Manual QA still plays a large role, but as an addition to the standard, not the standard itself. It is another tool in the toolbox.

What is QA and Software Quality really?

In my mind the purpose of QA is not merely to find bugs or validate changes before release, but to ensure that the product our users receive is of high quality. That can mean many different things, and the number of bugs is definitely a part of it, but I think that is a simplification of the definition of software quality. QA is changing in many companies these days, and we’re making a big push this year in Mozilla’s Cloud Services team to redefine what QA and quality mean.

Quality software, to me, is about happy users. It is users who love and care about your product, users who will evangelize your product, and users that contribute feedback to make your product better. If you have those users, then you have a great product.

As QA we don’t write code, we don’t run the servers, we don’t decide what to build nor how it should look, but we do make sure that all of those things are up to the standards that we all set for ourselves and our products. If our goal in software is to make our users happy then giving them a quality experience that solves a problem for them and makes their lives easier is how we achieve that goal. This is what software is all about, and is something that everyone strives for. Quality really is everyone’s concern. It should not be an afterthought and it shouldn’t fall solely on QA. It is a mindset that needs to be ingrained in engineers, product managers, designers, managers, and operations. It is a part of company culture.

Aspects of Quality

When talking about quality it helps to have a clear idea of what we mean when we say software should be of high quality.

  • Performance
    • load times
    • animation/ui smoothness
    • responsiveness to interactions
  • Stability
    • consistency, is it the same experience every time I use the product
    • limited downtime
  • Functionality
    • does it do what we said it would
    • does it do so ‘correctly’ (limited bugs)
    • does it solve a problem
  • Usability
    • is it simple, attractive, unobtrusive
    • does it frustrate or annoy
    • does it make sense
    • does it do what the user wants and expects

These aspects involve everyone. You can lobby for other aspects that you find important, and please do; this list is by no means exhaustive.

Great, so we’re thinking about ways that we can deliver quality software beyond test runs and checklists, and what it means to do so, but there’s a bit of an issue.

The Grand Quality Renaissance

A lot of what we do in traditional QA is 1:1 interactions with projects when there are changes ready to be tested for release. We check functionality, we check changes, we check for regressions, we check for performance and load. This is ‘fine’, by most standards. It gets the job done, the product is validated, and it goes out for release. All is good… except that it doesn’t scale, and the work you do doesn’t provide ongoing value to the team or the company. As soon as you complete your testing, that work is ‘lost’, and you start from scratch with the next release.

In Cloud Services we have upwards of 20 projects that are somewhere between maintenance mode, active, or in planning. We simply don’t have the head count (5 currently) to manage all of those projects simultaneously, and even if we did, plans change. We have to react to the ongoing changes in the team, the company, and the world (well, at least as it relates to our products). Sometimes we won’t be able to react because 1:1 interactions aren’t flexible enough. Okay, simple answer: let’s grow the team. That may work at times, but it takes a lot of time and a lot of money, and even worse, you might end up with the head count to manage 20 projects just as the list shrinks to the 10 we care about going forward, and then we have to let some people go. That’s not fair to anyone – we need a better solution.

What we’re talking about, really, is how we can do more with less: how we can be more effective with the people and resources that we have. We need to do work that either:

  • applies to many projects at once (which can be hard to do for tests, unless there is a lot of crossover, but is possible with things like infrastructure and build tools), or
  • can be reused by the same project each time a change comes up for release (much more realistic for testing).

Once we have that work in place, then we know that if we grow the team it is deliberate, not reactionary. Being in control is good!

That doesn’t really mean anything concrete, so let’s put some goals in place to give us something to work towards.

  • Improve 1:1 Person:Project effectiveness, scale without sacrificing quality
  • Implement quality measurement tooling and practices to track changes and improvements
  • Facilitate team scaling by producing work of ongoing value via automated tests and test infrastructure
  • Reduce deployment time/pain by automating build and release pipeline
  • Reduce communication overhead and back and forth between teams by shortening feedback loops
  • Increase confidence in releases through stability and results from our build/tools/test/infrastructure work
  • Reframe what quality means in cloud services through leadership and driving forward change

Achieving those goals means we as QA are more effective, but the side effects for the entire organization are numerous. We’ll see more transparency between teams; developers will receive feedback faster and be more confident in their work; they’ll take control of their own builds and test runs, removing back-and-forth communication delays; operations can one-click release to production with fewer concerns about late nights and rollbacks; everyone can focus on upholding the aspects of quality rather than fighting fires; and ideally productivity, quality, and happiness all go up (how do we gather some telemetry on that?).

We’re putting together the concrete plan for what this will look like at Mozilla’s Cloud Services. It will take a while to achieve these goals, and there will undoubtedly be issues along the way, but the end result will be much more stable, reliable, and consistent. That last one is particularly important: if we’re consistent then we can measure ourselves, which leads to us being predictable. Being predictable, statistically speaking, means our decision making is much more informed. At a higher level, our focus shifts to making the best product we can, delivering it quickly, and iterating on feedback. We learn from our users and integrate their feedback into our products, without builds or bugs or tools or process getting in the way. We make users happy. When it comes down to it, that’s really what this is all about – that’s the utopia. Let’s build our utopia!

Combain Deal Helps Expand Mozilla Location Service

Andy McKay

Last week, we signed an agreement with Combain AB, a Swedish company dedicated to accurate global positioning through wireless and cell tower signals.

The agreement lets Mozilla use Combain’s service as a fallback for Mozilla Location Service. Additionally, we’re exchanging data from our stumbling efforts to improve the overall quality of our databases.

We’re excited about both parts of this deal.

  • Having the ability to fall back to another provider in situations where we feel that our data set is too sparse to provide an acceptable location gives Mozilla Location Service users some extra confidence in the values provided by the service. We have also extended the terms of our deal with Google to use the Google Location Service on Firefox products, giving us excellent location tools across our product line.
  • Exchanging data helps us build out our database. Ultimately, we want this database to be available to the community, allowing companies such as Combain to focus on their algorithmic analysis, service guarantees and improvements to geolocation without having to deal with the initial barrier of gathering the data. We believe this data should be a public resource and are building it up with that goal in mind. Exchange programs such as the one we’ve engaged in with Combain help us get closer to the goal of comprehensive coverage while allowing us to do preliminary testing of our data exchange process with privacy-respecting partners.

We’ve got a long way to go to build out our map and all of Mozilla Location Service, and we hope to announce more data exchange agreements like this in the future. You can watch our progress (fair warning – you can lose a lot of time poking at that map!) and contribute to our efforts by enabling geolocation stumbling in the Firefox for Android browser. Let’s map the world!

February Show and Tells

Andy McKay

Each week the Cloud Services team hosts a “Show and Tell” where people in the team share the interesting stuff they’ve been doing. This post wraps up the month’s show and tells so that we can share them with everyone.

Jan 28

  • Andy talks about blogging the show and tells
  • Zach showed his work putting avatars in the browser UI
  • Kit showed using Go interfaces to mock network interfaces

Jan 28th recording (29 min, 21 seconds)

Feb 11

  • Ian showed how to super power the permissions on your site via an addon
  • Sam discussed error handling results from USENIX.

Feb 11th recording (12 min, 45 seconds)

Unfortunately the next two show and tells were cancelled. We’re hoping for a fuller list in March.

What’s Hawk authentication and how to use it?

Alexis Metaireau

At Mozilla, we recently had to implement the Hawk authentication scheme for a number of projects, and we ended up creating two libraries to ease integration into Pyramid and Node.js apps.

But maybe you don’t know Hawk?

Hawk is a relatively new technology, crafted by one of the original OAuth specification authors, that intends to replace the 2-legged OAuth authentication scheme using a simpler approach.

It is an authentication scheme for HTTP, built around HMAC digests of requests and responses.

Every authenticated client request has an Authorization header containing a MAC (Message Authentication Code) and some additional metadata. Each server response to an authenticated request then contains a Server-Authorization header that authenticates the response, so the client can be sure it comes from the right server.
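To make that concrete, here is a minimal Python sketch of the signing flow using the mohawk library mentioned later in this post (the credential values and URL are placeholders, not part of any real service):

from mohawk import Sender

credentials = {"id": "my-hawk-id", "key": "my-hawk-key", "algorithm": "sha256"}

# Build the value to put in the Authorization header of an outgoing request.
sender = Sender(credentials, "https://example.com/resource", "POST",
                content='{"hello": "world"}', content_type="application/json")
print(sender.request_header)

# Later, check the Server-Authorization header of the response, proving it
# was produced by a server that knows the same key:
#   sender.accept_response(response_header, content=body, content_type=ctype)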

Exchange of the hawk id and hawk key

To sign the requests, a client needs to retrieve a token id and a token key from the server.

The excellent team behind Firefox Accounts put together a scheme to do that. If you are not interested in the details, jump directly to the next section.

When your server application needs to send you the credentials, it returns them inside a specific Hawk-Session-Token header. This token can then be derived into two values (the hawk id and the hawk key) that you will use to sign your next requests.

In order to get the hawk credentials, you’ll need to:

First, do an HKDF derivation on the given session token, using the following parameters:

key_material = HKDF(hawk_session, "", 'identity.mozilla.com/picl/v1/sessionToken', 32*2)

The identity.mozilla.com/picl/v1/sessionToken is a reference to this way of deriving the credentials, not an actual URL.

Then, the key material you get out of the HKDF needs to be split into two parts: the first 32 bytes are the hawk id, and the next 32 are the hawk key (both are typically hex-encoded before use).
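As an illustration, here is a small Python sketch of that derivation using the cryptography package (the hex encoding of the token and of the resulting id/key is an assumption; check the Firefox Accounts documentation for the exact encoding):

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

def derive_hawk_credentials(hawk_session_token):
    """Split a Hawk-Session-Token into a (hawk_id, hawk_key) pair."""
    key_material = HKDF(
        algorithm=hashes.SHA256(),
        length=32 * 2,
        salt=b"",
        info=b"identity.mozilla.com/picl/v1/sessionToken",
    ).derive(bytes.fromhex(hawk_session_token))
    # First half of the key material becomes the id, second half the key.
    return key_material[:32].hex(), key_material[32:].hex()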

HTTPie

To showcase APIs in the documentation, we like to use HTTPie, a curl replacement with a nicer API, built around the Python requests library.

Luckily, HTTPie allows you to plug in different authentication schemes, so we created a wrapper around mohawk to add hawk support to the requests lib.

Doing hawk requests in your terminal is now as simple as:

$ pip install requests-hawk httpie
$ http GET localhost:5000/registration --auth-type=hawk --auth='id:key'

In addition, it helps with crafting requests using the requests library:
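For instance, something like this (a sketch, assuming requests-hawk’s HawkAuth accepts the token id and key directly; depending on the version you may need to pass a credentials dictionary instead):

import requests
from requests_hawk import HawkAuth

# Sign an outgoing request with an existing hawk id and key.
hawk_auth = HawkAuth(id="my-hawk-id", key="my-hawk-key")
response = requests.get("http://localhost:5000/registration", auth=hawk_auth)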

Alternatively, if you don’t have the token id and key, you can pass the hawk session token presented earlier and the lib will take care of the derivation for you.
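That usage looks roughly like this (again a sketch; the keyword names are assumptions, so check the requests-hawk documentation):

import requests
from requests_hawk import HawkAuth

session_token = "..."  # value of the Hawk-Session-Token header from the server
hawk_auth = HawkAuth(hawk_session=session_token,
                     server_url="http://localhost:5000")
requests.get("http://localhost:5000/registration", auth=hawk_auth)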

Integrate with Python Pyramid apps

If you’re writing Pyramid applications, you’ll be happy to learn that Ryan Kelly put together a library that makes Hawk work as an authentication provider for them. I’m shocked by how simple it is to use.

Here is a demo of how we implemented it for Daybed, a form validation and data storage API:
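The wiring looks roughly like this (a sketch of a Pyramid setup using pyramid_hawkauth; the token storage shown here is illustrative, not what Daybed actually does):

from pyramid.authorization import ACLAuthorizationPolicy
from pyramid.config import Configurator
from pyramid_hawkauth import HawkAuthenticationPolicy


def get_hawk_id(request, tokenid):
    # Look up the secret for this token id; how you store tokens is up to you.
    token_key = request.registry.settings["hawk.tokens"][tokenid]
    return tokenid, token_key


def main(global_config, **settings):
    config = Configurator(settings=settings)
    config.set_authentication_policy(
        HawkAuthenticationPolicy(decode_hawk_id=get_hawk_id))
    config.set_authorization_policy(ACLAuthorizationPolicy())
    return config.make_wsgi_app()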

The get_hawk_id function takes a request and a token id and returns a tuple of (token_id, token_key).

How you want to store the tokens and retrieve them is up to you. The default implementation (i.e. if you don’t pass a decode_hawk_id function) decodes the key from the token itself, using a master secret on the server (so you don’t need to store anything).

Integrate with Node.js Express apps

We had to implement Hawk authentication for two Node.js projects and ended up factoring everything out into a library for Express, named express-hawkauth.

In order to plug it into your application, you’ll need to use it as a middleware.

If you pass the createSession parameter, all non-authenticated requests will create a new hawk session and return it with the response, in the Hawk-Session-Token header.

If you only want to check that a valid hawk session exists (without creating a new one), just create a middleware that doesn’t define the createSession parameter.

Some reference implementations

As a reference, here is how we’re using the libraries I’m talking about, in case that helps you integrate them into your own projects.

Transitioning Legacy Sync users to Firefox Accounts

Ryan Kelly


It has been almost a year since the release of Firefox Accounts and the new Firefox Sync service, and the response from users has been very positive.  The simplified setup process has made it easier to get started with the system, to connect new devices, and to recover data if a device is lost — all of which has led to the new system quickly gathering more active daily users than its predecessor.

During this time we have kept the legacy Sync infrastructure in place and working as usual, so that users who had set up Sync on older versions of Firefox would not be disrupted.  As we begin 2015 with renewed focus on delivering cloud-based services that support the Mozilla mission, it’s time to help transition these users to the new Sync system and to Firefox Accounts.

Users on legacy Sync will be prompted to upgrade to a Firefox Account beginning with Firefox 37, scheduled for release in early April.  There is a guided UI to make the experience as seamless as possible, and once complete the upgrade will be automatically and securely propagated to all connected devices.  Users on older versions of Firefox will see a warning notice and will be able to upgrade manually.

The legacy Sync servers will remain available during this time to help ensure a smooth transition.  We will monitor their ongoing use and decide on a timeline for decommissioning the hardware based on the success of our transition strategy.

We’re looking forward to introducing more users to the improved Sync system, and to rolling out more services for your Firefox Account in 2015.  Don’t hesitate to reach us on sync-dev@mozilla.org or in #sync on IRC with any questions or comments.

 

FAQ

 

  •  When will the legacy Sync servers be switched off?

We expect to decommission this infrastructure before the end of 2015, but no firm date has been set.  This decision will be based on ongoing monitoring of its use and the success of our transition strategy.

  •  What about Extended Support Release (ESR)?

Users on the ESR channel will start seeing the upgrade prompts in Firefox 38, which is scheduled for release in early May.  We are committed to maintaining the legacy sync infrastructure until previous ESR versions reach end-of-life on August 4.

  • Will my data be automatically migrated to the new servers?

No, the strong encryption used by both Sync systems means that we cannot automatically migrate your data on the server.  Once the account upgrade process is complete, Firefox will re-upload your data to the new system (so if you have a lot of bookmarks, you may want to ensure you’re on a reliable network connection).

  •  Are there security considerations when upgrading to the new system?

Both the new and old Sync systems provide industry-leading security for your data: end-to-end encryption of all synced data, using a key known only to you.

In legacy Sync this was achieved by using a complicated pairing flow to transfer the encryption key between devices.  With Firefox Accounts we have replaced this with a key securely derived from your account password.  Pick a strong password and you can remain confident that your synced data will only be seen by you.

  •  Is the new Sync system compatible with Firefox’s master password feature?

Yes.  There was a limitation in previous versions of Firefox that prevented Sync from working when a master password was enabled, but this has since been resolved.  Sync is fully compatible with the master password feature in the latest version of Firefox.

  •  What if I am running a custom or self-hosted Sync server?

This transition affects only the default Mozilla-hosted servers.  If you are using a custom or self-hosted server setup, Sync should continue to work uninterrupted and you will not be prompted to upgrade.

Although we have no plans or timeline for doing so, it’s likely that support for the legacy Sync protocol will be entirely removed from Firefox at some point in the future.  You should consider migrating your server infrastructure to use the new protocols; see below.

  •  Can I self-host the new system?

Yes, either by hosting just the storage servers or by running a full Firefox Accounts stack.  We welcome feedback and contributions on making this process easier.

  •  What if I’m using a different browser (e.g. SeaMonkey, Pale Moon, …)?

You should consider hosting your own server to ensure uninterrupted functionality.

Marketplace migration to Firefox Accounts

Andy McKay

In the last year the Firefox Marketplace migrated from Persona to Firefox Accounts. This was done for a couple of reasons, perhaps the biggest being that Firefox OS was switching to Firefox Accounts. On a Firefox OS phone, you log in once to the phone and are then automatically logged into the Marketplace.

The migration for the Marketplace had a few unique challenges that some other projects do not have:

  • the Marketplace app supports Firefox OS all the way back to 1.1
  • the Marketplace site supports Android and Desktop clients
  • in the past unverified emails were allowed from Persona
  • Marketplace provides Payments which use the Trusted UI

Firefox Accounts has two different ways to log in: a native flow in Firefox OS and an OAuth-based flow for Desktop and Android clients. The number of dependencies to complete all that quickly grew out of control, so we focused on the first milestone of ensuring that an OAuth flow worked for all users on all devices.

Migration from a database point of view wasn’t too complicated at first. We store the user’s email from Persona, so all we had to do was look at the user’s email from Firefox Accounts: if a user already existed with that email, they logged in as that account. If not, we created a new account.

The unverified emails were a problem for us, because it meant that a user or developer could have an email address that wasn’t routable, accessible, or in any way usable. When they migrated to Firefox Accounts an email would be sent to that old address and they were stuck. We really couldn’t see any way around this other than manually verifying accounts as best as possible and moving them over as needed.

For users who already had a Firefox Account through Sync and wanted to re-use it on the Marketplace, the Firefox Accounts team added the ability to use a pre-verified token. This allowed a user to start the registration flow as one user, but use a different email address in the Firefox Accounts sign-up. At the end of the flow the Marketplace would detect the difference in email address, but still know which account the flow came from and hook it up correctly.

This then gave birth to a flow chart and, after lots of work, a plan:

[Screenshot: account migration flow chart]

Of course the road was not that smooth, as the bug list will probably reveal. The biggest difference from any other Firefox Accounts implementation is that the OAuth flow is not the same as the Persona flow. An obvious statement, and one we thought we had covered, until we hit elements like the Trusted UI – at that point it got complicated.


Once deployed we sent out an email to everyone and waited for the users to come in. Sure enough they did and we saw a large number of transitions within 48 hours.

During this process we made sure emails went out with an address that could be replied to, so I was able to follow up personally with anyone who had issues. We also logged login attempts, and when we found a bug I was able to email the people affected while we fixed and deployed it – there were only two people who had a problem at that step, but it felt good to be able to help them.

Firefox Accounts has now been active for over 3 months, and this week we turned off and deleted the special transition flow, as we felt enough users and developers had migrated.

What’s next?

  • Getting the native flow deployed for Firefox OS 2.1
  • Moving to an iframe based flow and removing the popup based flow
  • Deeper integration with upcoming Firefox Accounts features, like avatars

Big thanks to the Marketplace team who implemented this and the Firefox Accounts team who did an awful lot of work helping us out.

Heka Log Parsing Performance

Rob Miller

I’ve been experimenting with Heka throughput recently, and have discovered a few log parsing tips and tricks that I thought were worth sharing.

I ran tests on my Lenovo Thinkpad W530 laptop, which has four 2.8GHz cores, showing up as 8 cores to my Linux OS thanks to hyperthreading. From our ops team I got a couple of Nginx log files, each with over 6 million entries. I made three copies of each log file, and put each copy in a separate directory, emulating the common use case of having to parse output from multiple hosts and/or domains. I configured Heka with a single LogstreamerInput set up to concurrently load all six files, using our Nginx access log decoder, which ultimately uses Lua’s LPEG engine to handle the actual parsing. Not a scientifically rigorous test, but I’m just trying to get some ballpark throughput numbers.

For my first run I set Go’s maxprocs value to 1, which makes only one core available for Heka to use. With that setting, I was processing in the neighborhood of 31K events per second (eps); so far so good. Then I cranked maxprocs up to 4. I ran the tests again and my throughput jumped all the way up to about 33K eps. Wait… what!?! I know that sometimes lock contention and other issues can cause poor performance across multiple cores, but we’re processing six distinct streams here; this should parallelize fairly well. I was seeing almost no improvement. What the heck was going on?

Nothing to do but roll up my sleeves and dig in. I busted out the Go profiling tools, but nothing obvious jumped out at me. So I took a look at the source code, and was temporarily stunned by the force of my palm slamming into my forehead at high velocity. While the LogstreamerInput was correctly spinning up a separate goroutine for each unique log stream, it was only spinning up a single decoder to be shared by all of them. That meant that no matter how many cores were available to Heka as a whole, all of the parsing was happening in a single goroutine, which would only be running on a single core.

Luckily this was an easy fix. In about 30 minutes, I had a working Heka that would spin up a separate decoder instance for each log stream; these changes have since landed in the v0.8.3 release. Running this with maxprocs of 1 ran slightly slower than before, about 30K eps. This wasn’t surprising, since now the single core was context switching through six different decoder goroutines whereas before there was just one. But cranking maxprocs up to 4 and trying again gave me around 85K eps. Now we’re talking! Not linear improvement, but still a much better number. I got my best results with maxprocs set to 7, where I was consistently processing approximately 118K log lines per second.

I was actually able to do even better than that. In prior experimentation with log parsing performance, we’ve realized that parsing timestamps is a very processor intensive part of the job. We can lighten this load by configuring our Nginx servers to log timestamps using `$msec` instead of `$time_local` or `$time_iso8601` in the `log_format` setting. This means our log files contain Unix timestamps (seconds-since-epoch format) rather than more complicated date strings. The difference is significant. When I tested versions of the log files using the `$msec` timestamp format, my single core throughput jumped to around 36K eps. Four cores gave me 105K eps, and using 7 cores had me consistently parsing about 143K lines per second. Not too shabby!

It’s worth noting that there is still a lot of room for improvement. For instance, due to details of the runtime layers, pushing text from Go through C and into Lua (and then back again) involves more memory copies than it probably should. The Lua sandbox that Heka uses is implemented as a separate project, in pure C. It would be possible for us to get much higher parsing throughput by writing a thinner wrapper around the sandbox using a language that doesn’t require copies to talk to C, such as C++, Rust, or C itself. This would remove us from the rest of the Heka pipeline, of course, but since a considerable amount of the data processing that we do in Heka also happens in a sandbox, we’d still be able to do a lot of crunching; we’d just have to set up a bespoke pipeline with Lua code instead of using Heka’s routing infrastructure.

Even so, the full Heka stack is fast enough for most use cases, and is ready to be used today. I hope you’ll try it out, and come find us in the #heka channel on irc.mozilla.org, or on the Heka mailing list to ask questions and/or tell us about your experience.

Mozilla Stumbler 1.0 geolocation crowd-sourcing app now in Google Play Store

Hanno Schlichting

Mozilla Stumbler is an open-source wireless network scanner that collects GPS data for the Mozilla Location Service, our crowd-sourced location database. We have just released version 1.0 on the Google Play Store, making it easier for users to install Mozilla Stumbler and stay updated. If you prefer the alternative f-droid catalog, you can also get Mozilla Stumbler on f-droid.

As you move around, the app “stumbles” upon new Wi-Fi networks and cell towers. The Mozilla Location Service combines these wireless observations to provide geolocation services such as showing your location on a map and Find My Device for Firefox OS. The Stumbler’s own map view shows our database coverage (as blue clouds) on your Android device, so you can see which individual streets are yet to be stumbled. For more information about the service visit our project page.

How to use Mozilla Stumbler

  • Go to un-stumbled areas (not covered in blue) to fill in the coverage map
  • Try walking, biking, or driving new routes with Mozilla Stumbler every day.
  • Start with major streets and intersections, then explore side streets. But make sure you stay safe and away from shady places.
  • Your contributions will take a day to show up on the coverage map.
  • The app stops automatically when your battery is low.

Competitive contributors can enter an optional nickname in Stumbler’s settings and track their progress on our leaderboard. The weekly leaderboards are very active. New contributors, because they are often stumbling in new areas and reporting undiscovered wireless networks, have a good chance of ranking at the top of weekly leaderboards.

To conserve cellular data usage, the Stumbler’s map view only shows high resolution map tiles on Wi-Fi. To always show the high resolution maps, you can change the Stumbler’s Developer Settings.

Please report bugs on our GitHub bug tracker or the #geo IRC channel on Mozilla’s IRC server. Mozilla Stumbler is open-source software. The code is available on GitHub.

Firefox Accounts, Sync 1.5, and Self Hosting

Dan Callahan


Firefox Sync offers best-in-class security and privacy: Mozilla’s servers never see your raw password, and all of your Sync data is encrypted locally, before it leaves your computer. However, some users want to go one step further and host all of their Sync data themselves. The ability to self-host is central to Mozilla’s mission, as it ensures that the convenience of Sync doesn’t come with hidden costs like strict lock-in.

With Sync 1.1, self-hosting was as easy as setting up ownCloud, using one of several Python modules, or for the more intrepid users, running the same code that Mozilla used in production. OpenBSD even includes a Sync 1.1 server in its ports tree!

With Sync 1.5’s recent release, we’re back to square one: all of Mozilla’s code is open source, and people are already running their own Sync 1.5 stacks, but it will take a few months before easier-to-use, self-contained projects emerge.

Of course, if you’re currently using a self-hosted Sync 1.1 server, Firefox will continue to work with it for several months while we sort out self-hosting of Sync 1.5.

The Relationship Between Sync and Firefox Accounts

One challenge with self-hosting Sync 1.5 is understanding the relationship between Sync 1.5 and Firefox Accounts (FxA). Indeed, this is a frequent topic in the #sync IRC channel.

The Firefox Accounts system serves two purposes:

  1. It is a single, common authentication system for Mozilla services like Sync, the Firefox Marketplace, and Firefox OS’s find-my-device feature.
  2. It stores a password-wrapped version of your Sync key, so that you (and only you) can recover your data, even if you lose all of your devices.

By keeping authentication in one well-defined place, and sharing that infrastructure between projects, we’re able to dramatically reduce complexity and maintenance costs associated with running many services. Sync can focus on Sync, while letting Firefox Accounts handle accounts.

Unfortunately, this happens to increase complexity if all you care about is self-hosting a single service, like Sync.

The Moving Parts

Right now, the Firefox Accounts system is composed of a database and three servers written in Node.js:

  1. fxa-auth-server, which handles the Firefox Accounts backend and API, including provisioning identity certificates for users.
  2. fxa-content-server, which serves up static content, like the UI that you see when you visit about:accounts in Firefox.
  3. browserid-verifier, which makes it easy for services like Sync to verify identity certificates issued by the auth server.

Sync has a database and two servers written in Python:

  1. tokenserver, which handles incoming auth requests, issues long-lived bearer tokens, and directs the browser to an appropriate storage server.
  2. syncstorage, which accepts bearer tokens and allows the browser to store and retrieve encrypted Sync data.

Sync and FxA are decoupled, which leads to two interesting self-hosting options:

Method 1: Just the Data

It’s possible to host just the Sync components, while still relying on Mozilla’s hosted Firefox Accounts infrastructure for authentication.

With this method, you still store all of your encrypted Sync data on your own server, but you use Mozilla’s servers for authentication and for backing up a password-wrapped version of your Sync key.

Because Sync uses client-side (PBKDF2 + HKDF) key stretching, Mozilla never learns your plaintext password, and thus cannot unwrap your Sync key. Additional server-side stretching (scrypt + HKDF) further protects against brute-force attacks if the Firefox Accounts database is ever compromised.

Method 2: Full Stack

Alternatively, you could host both the Sync and Firefox Accounts components, completely removing any dependence on Mozilla for Sync.

Self-hosting is limited to browser-based services like Sync. Web sites, like the Firefox Marketplace, may require an additional account with the centralized Firefox Accounts server before allowing you to log in.

The Plan

Right now, we’re focusing on getting Method 1 working as well and as quickly as possible. Most of that work is happening in the syncserver repo, which is a Python project that combines both the tokenserver and syncstorage projects into a single package.

We also need to resolve Bug 1003877, which is currently preventing either method from working on Firefox for Android.

Lastly, we need to ensure that the work we do to facilitate self-hosted Sync is the right work. Namely, how do we go from “technically possible” to “reasonably easy” for advanced users? To get this right, we’ll need to draw on the experience of projects like ownCloud, which is at the forefront of making Sync 1.1 easy to self-host, as well as users who have self-hosted in the past or who are interested in self-hosting now.

If you want to roll up your sleeves and get involved, please join the sync-dev mailing list and introduce yourself in #sync on irc.mozilla.org!

Firefox Sync’s New Security Model

Dan Callahan


Yesterday’s release of Firefox 29 features a brand new Firefox Sync experience that is much easier to use while maintaining the high standard of safety, security, and openness that you expect from Mozilla.

How does the new Sync differ from the old? Read on!

Sync 1.0

Since its 2010 debut in Firefox 4, Firefox Sync had been powered by a distinctive encryption system which didn’t use passwords: instead it created a unique secret key, which was used to encrypt and decrypt all your data. The only way to get at your data was to know this key. Even the Mozilla servers which held your data could not decrypt the contents.

You (almost) never saw this key, known as the “recovery key,” because the normal way to set up a new device was with a technique called “pairing.” When you set up a new device, you saw a single-use, 12-character “pairing code,” which you could then type into the other device. Through some crypto magic, the recovery key and everything else necessary to set up Sync was safely copied to the new device, ensuring that both devices knew the secret key and could talk securely about your bookmarks and other data.

Problems with Sync

In the last four years, we’ve seen many problems with this scheme. The greatest is that it didn’t do you much good if you only had one device: pairing is about pairs (or threes or fours). If you lost your only device, you probably also lost the only copy of your secret key, and without that key, there was no way to recover your Sync data.

Pairing presented other usability issues as well: you had to be near two devices when setting it up, and many people mistook the pairing code for some sort of computer-generated password that they would need to remember.

The New Firefox Sync

This year, the Services group introduced Firefox Accounts, which are based on a traditional email address and a password, just like the hundreds of other account systems you’re already familiar with.

The new Firefox Sync is the first service to use Firefox Accounts. The security goals remain the same: there is still a strong random secret key, and Mozilla’s servers cannot decrypt your data. However, instead of using pairing, a “wrapped” version of your secret key, protected by your password, is stored alongside your Firefox Account. This means you can recover all your data, even if you lose all your devices at the same time. Setting up a new device only requires typing your Firefox Account email and password into it.

This is a significant change from the previous Firefox Sync. The security of your data now depends upon your password. If your password is guessable, somebody else could connect to your account and decrypt your data. Of course, the best passwords are randomly generated.

Given the importance of your password, we’ve designed Firefox Accounts such that Mozilla’s services never see your password’s clear text. Instead, Firefox first strengthens the password through client-side stretching with PBKDF2, and then derives several purpose-specific keys via HKDF. Neither your password nor the derived “unwrapping” key are ever transmitted to Mozilla. You can read more about the protocol in its technical description on GitHub.
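To give a feel for the idea, here is a deliberately simplified Python sketch of that client-side derivation (the salts, info strings, and iteration count here are placeholders; the real protocol also adds server-side scrypt stretching, all spelled out in the GitHub description mentioned above):

import hashlib
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

def derive_keys(email, password):
    """Stretch the password client-side, then derive purpose-specific keys."""
    # PBKDF2 stretching: the raw password itself is never sent anywhere.
    stretched = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), email.encode(), 1000)
    # Separate keys for authenticating to the server and for unwrapping the
    # Sync key, so the server never sees anything that can decrypt your data.
    auth_key = HKDF(algorithm=hashes.SHA256(), length=32,
                    salt=b"", info=b"authPW").derive(stretched)
    unwrap_key = HKDF(algorithm=hashes.SHA256(), length=32,
                      salt=b"", info=b"unwrapBKey").derive(stretched)
    return auth_key, unwrap_key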

We hope you’ll agree that this is a step in the right direction for Sync. Try it out today and let us know about your experience in the comments!

Special thanks to Brian Warner for his contributions to this post.