Firefox Sync’s New Security Model

Dan Callahan


Yesterday’s release of Firefox 29 features a brand new Firefox Sync experience that is much easier to use while maintaining the high standard of safety, security, and openness that you expect from Mozilla.

How does the new Sync differ from the old? Read on!

Sync 1.0

Since its 2010 debut in Firefox 4, Firefox Sync had been powered by a distinctive encryption system which didn’t use passwords: instead it created a unique secret key, which was used to encrypt and decrypt all your data. The only way to get at your data was to know this key. Even the Mozilla servers which held your data could not decrypt the contents.

You (almost) never saw this key, known as the “recovery key,” because the normal way to set up a new device was with a technique called “pairing.” When you set up a new device, you saw a single-use, 12-character “pairing code,” which you could then type into the other device. Through some crypto magic, the recovery key and everything else necessary to set up Sync was safely copied to the new device, ensuring that both devices knew the secret key and could talk securely about your bookmarks and other data.

Problems with Sync

In the last four years, we’ve seen many problems with this scheme. The greatest is that it didn’t do you much good if you only had one device: pairing is about pairs (or threes or fours). If you lost your only device, you probably also lost the only copy of your secret key, and without that key, there was no way to recover your Sync data.

Pairing presented other usability issues as well: you had to be near two devices when setting it up, and many people mistook the pairing code for some sort of computer-generated password that they would need to remember.

The New Firefox Sync

This year, the Services group introduced Firefox Accounts, which are based on a traditional email address and a password, just like the hundreds of other account systems you’re already familiar with.

The new Firefox Sync is the first service to use Firefox Accounts. The security goals remain the same: there is still a strong random secret key, and Mozilla’s servers cannot decrypt your data. However, instead of using pairing, a “wrapped” version of your secret key, protected by your password, is stored alongside your Firefox Account. This means you can recover all your data, even if you lose all your devices at the same time. Setting up a new device only requires typing your Firefox Account email and password into it.

This is a significant change from the previous Firefox Sync. The security of your data now depends upon your password. If your password is guessable, somebody else could connect to your account and decrypt your data. Of course, the best passwords are randomly generated.

Given the importance of your password, we’ve designed Firefox Accounts such that Mozilla’s services never see your password’s clear text. Instead, Firefox first strengthens the password through client-side stretching with PBKDF2, and then derives several purpose-specific keys via HKDF. Neither your password nor the derived “unwrapping” key is ever transmitted to Mozilla. You can read more about the protocol in its technical description on GitHub.
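
The stretch-then-derive flow described above, combined with the password-wrapped key from the earlier paragraph, as an added Python sketch (not Mozilla's code and not part of the original post). The namespace string, round count, salt layout, XOR wrapping and the Server class are assumptions made for illustration; the last two results show that neither the token the server sees nor a password chosen after a reset unwraps the stored key.

```python
import hashlib
import hmac

# Illustrative parameters assumed for this sketch; they are not taken from
# the Firefox Accounts protocol document.
NAMESPACE = b"example.invalid/sync-sketch/v1/"
PBKDF2_ROUNDS = 1000
KEY_LEN = 32


def hkdf_sha256(ikm, info, length=KEY_LEN, salt=b""):
    """HKDF (RFC 5869) over HMAC-SHA256: extract a PRK, then expand it."""
    prk = hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_keys(email, password):
    """Stretch the password, then split it into two purpose-specific keys.

    Returns (auth_token, unwrap_key). Only auth_token is sent to the server;
    unwrap_key never leaves the client.
    """
    salt = NAMESPACE + b"stretch:" + email.encode("utf-8")
    stretched = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS, KEY_LEN)
    return (hkdf_sha256(stretched, NAMESPACE + b"auth"),
            hkdf_sha256(stretched, NAMESPACE + b"unwrap"))


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Server:
    """Hypothetical service state: an auth-token verifier and wrap(kB)."""

    def __init__(self):
        self.accounts = {}

    def enroll(self, email, auth_token, wrapped_kb):
        self.accounts[email] = (hashlib.sha256(auth_token).digest(), wrapped_kb)

    def login(self, email, auth_token):
        verifier, wrapped_kb = self.accounts[email]
        offered = hashlib.sha256(auth_token).digest()
        return wrapped_kb if hmac.compare_digest(verifier, offered) else None


def run_scenario(email, password, kb):
    """Enroll one device, then exercise the recovery and failure cases."""
    server = Server()
    # First device: wrap kB under the password-derived unwrap key and upload.
    auth, unwrap = derive_keys(email, password)
    server.enroll(email, auth, xor(kb, unwrap))

    # New device: email + password alone are enough to recover kB.
    auth2, unwrap2 = derive_keys(email, password)
    recovered = xor(server.login(email, auth2), unwrap2)

    # A wrong password guess yields a different auth token and is refused.
    bad_auth, _ = derive_keys(email, "wrong guess")

    # After an email-based reset, the new password derives a different
    # unwrap key, so the previously stored wrap(kB) stays sealed.
    _, new_unwrap = derive_keys(email, "password chosen after reset")
    _, stored_wrap = server.accounts[email]

    return {
        "new_device_recovers_kb": recovered == kb,
        "wrong_password_rejected": server.login(email, bad_auth) is None,
        "auth_token_unwraps_kb": xor(stored_wrap, auth) == kb,
        "reset_password_unwraps_kb": xor(stored_wrap, new_unwrap) == kb,
    }


if __name__ == "__main__":
    # Constructed sample account and key, for demonstration only.
    print(run_scenario("user@example.com", "correct horse battery staple",
                       bytes(range(32))))
```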

We hope you’ll agree that this is a step in the right direction for Sync. Try it out today and let us know about your experience in the comments!

Special thanks to Brian Warner for his contributions to this post.

37 responses

  1. Mohan G wrote on :

    I have been a Sync user for a few months now and just upgraded to the new Sync. The ability to recover data when all the sync devices are lost is a very important feature. Also this sync is easy to set up and to pair devices.

    But one thing I would like to have is the ability to sync my passwords with master password. Master password is an important and recommended security feature and I am not happy with this limitation in the Sync. I am not an expert in security/encryption but why can’t the passwords (encrypted with master password) be synced so that on the new sync device the user can decrypt the passwords by providing the master password.

    1. Callahad wrote on ::

      Thanks for the comment! Issues around Sync 1.5 + Master Passwords are currently being tracked in Bug 995268. There’s more information on why this wasn’t resolved for Firefox 29 in my comment below.

  2. Matt wrote on :

    If I can reset my sync account password by just giving my email, then doesn’t it mean anyone with access to my email password (including my mail provider, e.g. Gmail) can then access all my sync data (which contains every password I’ve ever used in my life)? So no matter how secure Firefox Sync/encryption is, it doesn’t matter: anyone with access to my email account, or who can hack it or guess my email password, can have access to my life. Are people aware of this? This is a major MAJOR flaw. Or have I misunderstood something here?

    1. Callahad wrote on ::

      That’s a great point. Thankfully, Sync 1.5 is designed with that concern in mind. You can only decrypt your Sync data if you know your Sync password, and not even Mozilla knows your Sync password.

      So while you can reset your Firefox Account password via email, that doesn’t (and can’t!) give an attacker access to your previously stored Sync data. There’s more detail in the protocol description, if you’re interested. Where it says “Class B data” think “Sync.”

      Edit: Of course, this is why it’s very important to use a strong, unique password for your Firefox Account!

      1. pensioners at the head office wrote on :

        “Note that, since the forgotten-password client never learns kB, any class-B data will be lost. This is necessary to protect class-B data from attackers who can read the user’s email but do not know the account password…”

        “The idea is that users can choose which browser data goes into each class. Sensible defaults would probably put Password Manager data into class-B, and bookmarks into class-A, but users should have the option of putting everything into class-C if they like (to behave like current FF Sync)…”

        If I do a fresh installation of Windows and Firefox but forget the sync account password, can I get all passwords back? (yes/no)

        how do I protect all my passwords in Firefox with sync on?

        sync for added/removed searchengines and dictionaries?

        1. Callahad wrote on ::

          “If I do a fresh installation of Windows and Firefox but forget the sync account password, can I get all passwords back? (yes/no)”

          No.

          If you forget or lose your Sync password, you can not decrypt any Sync data. This is because your password is required to transform wrap(kB) into your encryption/decryption key, kB.

          Because Mozilla never learns your Sync password, and Mozilla never learns kB, we can’t help you decrypt any of your data if you lose your password. At best, we can reset your account and let you start again with a new password.

          “The idea is that users can choose which browser data goes into each class. Sensible defaults would probably put Password Manager data into class-B, and bookmarks into class-A, but users should have the option of putting everything into class-C if they like (to behave like current FF Sync)…”

          This quote is slightly outdated. Firefox Accounts were initially designed with 3 data classes in mind, but right now all data is “class B:” Mozilla stores an encrypted version of kB, which can only be decrypted with your password.

          1. pensioners at the head office wrote on :

            ok, thank you for the good answer as long

  3. Joe T wrote on :

    I’m with Mohan G on this one: I have been a Sync user for years now and I used to have it set up on every device I own, plus a few business devices I control. The master password feature gave me at least some security in case one of those devices was stolen.

    Since I can no longer sync my passwords and use a master password at the same time, I will be using Sync *less*. No way am I setting Sync up on a company-owned device that I might lose or have to surrender (remember: it’s mine to use, but I do not own the device, only some of the data within).

    Sorry, but as far as I am concerned, this is a step in the wrong directory! Sacrificing security in the name of usability is a no-go for me.

  4. Callahad wrote on ::

    (Just a heads up — I’ll respond to the master password questions later today. Gathering bug numbers for reference.)

    Edit: Sorry for the delay. See my comment below for more on the current situation of Sync 1.5 + Master Passwords.

    1. jon wrote on :

      This needs to be fixed are you kidding me? This is a step back in security terms and I do not know who thought this was a good idea… Now anybody can just kick off firefox and start logging into my items… totally worthless.

      1. Darren wrote on :

        Totally agree this is a step back. Wish I’d known before upgrading my sync account :(

        Still waiting for the post “later today” regarding this.

    2. Fedor wrote on :

      Have you any news for us?

  5. jaymack (Julian M) wrote on :

    Liking the new Firefox accounts.. however,

    Hating not being able to define a Master Password on either Windows or Android, without losing the ability to Sync. Are you kidding me?

    Mozilla have collectively missed the point as to why people use the feature (to quickly share their browser session with a trusted person but not their private passwords).

    We don’t create a Firefox profile for everyone who might hop on our desktop or laptop to check their webmail. Think about the same situation on a smartphone or tablet?

    Suggest the Master Password feature should be treated as a lock of the Saved Passwords function rather than a password decrypter.

    Not being given an option to Sync when a Master Password is enabled is a thoroughly inconvenient and mind numbing step backward.

    1. Callahad wrote on ::

      “Hating not being able to define a Master Password on either Windows or Android, without losing the ability to Sync. Are you kidding me?”

      I’m sorry this isn’t working for you. Unfortunately, Sync on Android has never worked in conjunction with a Master Password (Bug 711636), so that hasn’t changed.

      See my comment below for more on the current situation of Sync 1.5 + Master Passwords.

  6. moritzthecat wrote on :

    since the discussion on the new account security model is still going on, could you pls. re-enable the device pairing for existing installations using FF Sync 1.1. External FF sync 1.5 Server solutions are not ready yet and the pruning of the pairing function is causing an issue. Currently I had to go back to ESR to keep my users served e.g. with ownCloud Mozilla Sync which currently only supports FF Sync 1.1.
    For security reasons we do prefer to have our own sync server though.

    1. Callahad wrote on ::

      If you configure Sync 1.1 in Fx 28 or earlier, it should continue working (including using self-hosted servers like ownCloud), even after upgrading to Fx 29. If this is not working for you, please file a bug and CC me (:callahad).

      We won’t remove Sync 1.1 support from existing, configured clients until we’ve resolved issues around self-hosting.

  7. SM wrote on :

    Set up the new sync. Doesn’t work. The sync tab just sits there on my Android device completely empty. It also says I have no bookmarks. No history. Firefox really seems to have trouble with new technology. Chrome’s sync works pretty reliably for the most part. I’ve never really even had to think about it. I sign in and it syncs. Firefox requires a bunch of fiddling going on more than an hour now and it still doesn’t work. At least the old sync worked sometimes sort of, although even then I usually had to go in and manually sync it, which kind of defeats the purpose of having a sync option in the first place. And Firefox was completely baffled by iOS so it’s not even an option on that system. Yes, I realize what the issues were there, but to storm off like a child and refuse to provide a browser at all kind of shows you the ridiculous mindset of the Firefox crew.

    Oh well, back to Chrome. It lacks a lot of the features I like about Firefox, but it actually works reliably, so that’s a big feather in its cap. I’ll check back in another year to see if Firefox has figured out syncing.

    1. Callahad wrote on ::

      Ack! I’m sorry this isn’t working for you. I’d really appreciate it if you could help us solve the problem before you go. Could you please file a bug against the Android Background Services :: Android Sync component listing your OS and Firefox versions?

      A copy of adb logcat FxAccounts:V FxSync:V *:S during Sync setup on your Android device would be especially helpful, as would watching the browser console (Ctrl-Shift-J) on Desktop when you initiate a sync (Tools → Sync Now — you may need to tap Alt to reveal the menu bar on Windows or Linux).

  8. Callahad wrote on ::

    Sorry for the delay, it took me a little longer to grok the situation around master password and Sync than I expected.

    The general sentiment that I’m finding is the belief that Firefox’s Master Password function isn’t actually serving peoples’ needs, and that the previous “support” required gnarly hacks that we didn’t re-implement for Sync 1.5.

    A few specific issues:

    – Sync literally has no access to the passwords when the password store is locked, so we were previously waiting for the password store to unlock, grabbing the plaintext passwords, re-encrypting them with your Sync key, and then uploading that. Gross.

    – Because of the above, you can end up in a situation where you had different master passwords on different devices. Reconciling that is likely to be difficult and error-prone.

    – Sync has never worked with a Master Password on Firefox for Android (Bug 711636), so we have to worry about weird, heterogeneous interactions between different platforms.

    – Master Passwords are likely creating a false sense of security, since they only protect your passwords, not your cookies or other session state, which means a local attacker can likely still get what they want. Chrome has avoided implementing Master Passwords for this same reason.

    – Master Passwords are likely creating a false sense of security, since your password is not significantly strengthened (Bug 973759).

    That doesn’t mean that these issues aren’t going to get fixed, just that the problem was messy enough that we punted in favor of shipping a better Sync experience for most Firefox users. To quote Chris Karlof, the Firefox Accounts lead, “We were unable to address adequately these issues in time for the new Sync in Fx 29, so we did the simplest thing possible: disable password sync if MP is turned on. That’s not ideal, but if you read through Bug 675883, you can see that not addressing this properly can also lead to some bad user experiences.”

    If you’re interested in tracking what’s going on, please read and subscribe to:

    Bug 995268 — Firefox Sync and Master Passwords are now mutually exclusive

    Bug 711636 — Master password support for Android Sync

    Bug 973759 — Master password should be protected with stronger cryptography

    1. Fedor wrote on :

      The opinion that we will reduce your security but it will be more simple for you is not trustworthy at all. Looks like tales about unicorns, nothing more than bla-bla.

    2. Gianluca Sini wrote on :

      Hi All,
      any password removal is a potential security breach. I use a master password also to avoid people using my accounts when I leave my computer for a while, simply closing Firefox.

      A possible solution for your “sync issue” will be to sync only after entering the master password.

      Please note: I have moved two devices from the “old sync”; is there any way to know how many devices were authorized, and to remove them all?

  9. pensioners at the head office wrote on :

    “Sync literally has no access to the passwords when the password store is locked, so we were previously waiting for the password store to unlock, grabbing the plaintext passwords, re-encrypting them with your Sync key, and then uploading that. Gross…”

    That was not a problem for me and many others, nor for the Mozilla sync server. The only thing I know of was wishes from users that the MP should prompt only when it was really needed, like for logins and manual sync. Even a good solution/idea has been there for years: use two prefs, one holding a generated random number that changes when you add/delete/edit bookmarks, settings and more. If that pref was not equal to the other one, then a prompt pops up after a short delay, and both prefs are set equal once it did.

    “Master Passwords are likely creating a false sense of security, since they only protect your passwords, not your cookies or other session state, which means a local attacker can likely still get what they want. Chrome has avoided implementing Master Passwords for this same reason…”

    Cookies are for tracking and ads, all the evidence is out there. The Internet could work without cookies, but more and more sites are forcing us to think we need them to remember forms and the site settings we make. Blocking cookies will often result in a big cold hand that stops me from logging in. But the truth is that the server side of a site could easily hold/save the settings I make without the use of cookies. So to my concern: why are cookies so important for Sync? MP for cookies, really. What, wait, so all previous FF had no security for cookies? Umm, I delete them.

    local attacker, maybe a local password for the device and windows can help

    Just saying open the eyes

  10. Steve G wrote on :

    I must say I am a little shocked with this new release that I have lost the protection of Master passwords. This was one of the main reasons I use Firefox.

    Now, if I lose my PC or my laptop is stolen the thief can just run Firefox (which logs into my Firefox account automatically) and look at all my saved passwords. What a disaster!

    Is it possible for a user to roll-back to the previous version?

    1. Callahad wrote on ::

      Hi Steve, there’s some more discussion in my previous comment regarding master password issues.

      If you want to continue using Sync 1.1 for now, you can downgrade to Firefox 28, set up Sync 1.1, and then upgrade to Firefox 29/Sync 1.5. Your Firefox will continue to use the old Sync until it’s discontinued (likely several months away), and we’ll hopefully have a solution for the master password problem by then. :)

      Regardless, if someone has unfettered access to your machine, they can probably copy old session cookies and gain whatever access they need, even without direct access to your passwords. I’d strongly encourage you to look into whole-disk encryption (Windows BitLocker, Mac FileVault, etc.) to protect against that, instead of (or in addition to!) relying on the master password.

      1. Steve G wrote on :

        Thank you for your reply, but I’m not really worried about an ‘attacker’, that’s not the threat model I’m concerned about.

        Threat 1: laptop stolen from car, sold in pub for 50 quid, buyer turns it on and then tries going to my Amazon account, changes address and buys themselves lots of goodies.

        Threat 2: my young daughter ‘buys’ something without really knowing what she’s doing as the browser just fills my passwords etc in for her.

        Both of these were impossible before with a master password. The pub purchaser is not an expert and will not try to hack into cookies or session data etc. I always accept the NSA will be able to get in anyway.

        I have just re-enabled the master password as I stupidly updated FF on the desktop and 3 laptops before discovering this issue, I am annoyed to lose synch but even more annoyed to lose the perfectly adequate security I used to have and thought was a major advantage of FF.

        1. Steve G wrote on :

          I have discovered ‘Pale Moon’ a FF fork from about V26, this retains the Master Password functionality but otherwise is Firefox from a few months ago. So I shall give this a go.

          I can put up with all the messing with the GUI that happens with the numerous FF upgrades, but removing such basic functionality as security is a complete no-no for me.

          I’m afraid I have lost all confidence in Mozilla if they can do this without warning. I accept I am in a minority of users, who care more about security than total convenience, so I guess this is the time to say goodbye and thanks to the project for several years of browser premiership.

  11. Kai-Chieh Ku wrote on :

    I’m a bit confused with the new Sync.

    “The security of your data now depends upon your password. If your password is guessable, somebody else could connect to your account and decrypt your data. Of course, the best passwords are randomly generated.”

    Doesn’t this mean the security is actually weaker than before because an average human cannot remember every randomly generated password? I believe most real world users are using not-so-strong passwords – I would be glad to know I am wrong for this point.

    Also, entering the pairing code was NOT the ONLY way to add a new device to Sync 1.0 if I remember correctly.
    So what the real benefit for this new Sync? For me, it sounds pointless except promote your Firefox Account/OS?

  12. Sam Tobin-Hochstadt wrote on ::

    It’s too bad that we’re losing one of the best features of Sync — for those of us with multiple devices, you didn’t have to remember a password! It would be great if the J-PAKE authentication system, or something similar, could work with the new Sync.

  13. Christian Ronquillo wrote on :

    Hi,

    Thanks for Firefox Sync! I rely on it frequently as it’s a very useful feature. With the arrival of the new method of login, do you have any plans of employing two-factor authentication aside from the usual username / password combination?

    1. Matthias wrote on :

      +1 for this!
      Especially because the security feature that you need “something you know and something you have” is now lost :-(

  14. Jonathon wrote on ::

    In addition to my sync key / recovery key (same thing?), I have a Firefox password (I registered somewhere for it around a year ago, I think) which I previously used successfully to restore my settings.
    Now there is nowhere for me to enter my recovery key (is there?),
    and when I try to sign into my Firefox account it says my account does not exist.

    Is Firefox’s new account different from the password-protected account which I previously registered?

    I’m not confusing the Sync account with the account Mozilla required me to create to install certain Add-Ons.
    I don’t remember where I signed up for the Firefox Sync account, but I think I did so around a year ago.

    I am using the same email address as I used when I registered for the Firefox account. That is 100% certain. I am using the same password (copied and pasted, like when it previously worked).

    To repeat, I also have a sync key / recovery key. I’m not confusing that with a password.

    Is there anywhere I can enter my recovery key?
    Is there another type of Firefox account which will allow me to login like I did before?

    1. Jonathon wrote on ::

      I found where I can login with the account I already have:
      https://account.services.mozilla.com/

      BUT all it shows is:

      Account Settings

      Change your password
      Delete your account

      Sync Settings

      Clear your Sync data
      Request a quota increase

      Welcome to the account management portal for Mozilla Services

      ———————

      Why is there no button like “Sync Now”?
      Why is there no button like “see bookmarks” or “download data”?

      Sync is not now automatically happening, and my Firefox menu still says “Sign in to Sync”.
      (I tried to sign in that way *again*. Same result as always: “unknown account. Sign up.”)

    2. Callahad wrote on ::

      Sync 1.1 (username + password + recovery key) is completely separate from Sync 1.5 (email + password). They don’t share an account database, which is why Sync 1.5 is telling you that your account does not exist.

      Unfortunately, Firefox 29 does not easily support reconnecting old Sync 1.1 accounts. Could you try downgrading to Firefox 28 and setting up Sync 1.1 (Prefs → Sync → Set Up Firefox Sync → I Have an Account → I don’t have the device with me)?

      Once you’ve done that, you should be able to upgrade to Firefox 29, and then follow the instructions for updating to Sync 1.5.

      (For what it’s worth, Sync isn’t designed as durable, long-term storage, so if you haven’t accessed it in a year, there’s a chance that your Sync 1.1 data has been wiped.)

  15. Frank wrote on :

    Hello

    I have created an account and have signed into FF sync 1.5, however I was thinking that my stored old synced data like bookmarks would be populated but it never came, Am I going to start afresh? how can I bring back my old data into this new one?

    Thanks

  16. Celin Prit wrote on :

    Hi there,

    If someone knows my gmail password that I used as Firefox sync, can that person go inside my gmail, then look for sync confirmation from Firefox in inbox, then have access to my firefox sync data?

    Also:
    What exactly is encrypted inside the password manager?

    Is it only the passwords?
    Or also the Username logins and corresponding websites?

  17. Johannes wrote on :

    In the end there is a bad feeling concerning Sync 1.5’s security. As stated in https://github.com/mozilla/fxa-auth-server/wiki/onepw-protocol#firefox-accountssync-protocol the new protocol has several weaknesses that Sync 1.0 had not. The most important from my point of view seems to be the way to encrypt the authentication-parameters by breaking the tls-communication initiating the connection. Why did you not force perfect-forward-security to fix this?

  18. NB wrote on :

    I am really disappointed with the new approach for sync in Firefox 29. I wish I had never updated it.
    I installed it on a new W8 laptop, and Sync says my account does not exist. The suggestion to install the previous version can fix the problem, but in the same breath it was said the old sync will be discontinued in a couple of months.

    I do not want to be forced to not having the option of using the master password, so that will be the end of using Firefox for me – a shame as it has been my preferred browser for so many years. And saying that someone else can access our cookies and history if the person gets access to our computers is not 100% correct as I have Firefox set up to clear cookies, history and everything else when it closes.

    Sorry to leave Firefox, but I have no option – looking for something out there to sync my passwords securely.