Firefox sync security followup
After writing my blog article about the imminent forced migration of Firefox sync 1.1 to 1.5, I received a few emails, so here’s a follow-up.
The first email came from Richard Newman, Staff Software Engineer at the Mozilla Corporation. Richard pointed out that it actually is possible to self-host the sync server and the authentication server. He also emphasized that the NSA or other agencies would not have access to the synced data due to its end-to-end encryption. Right in the next sentence, he says “Mozilla can’t decrypt that data without phishing you[…]”, which is an interesting statement, as intelligence agencies are known to (spear-)phish.
The second email, from Nicholas Alexander, also a Mozilla employee, also points out the availability of self-hosting and states “It’s complicated because Mozilla is trying to run an extensible service for 100 million users!”. Additionally, Nicholas writes “An ambitious OwnCloud and Firefox add-on developer could arrange to simplify the FxA stack for self-hosters. It’s a reflection of how little value that project has that it hasn’t happened yet.”
He confirms that “[…]Mozilla is trying to compete with Google, Apple, and Facebook.” and states “The big identity and sync systems are extremely popular *because they provide a huge amount of user value.”* Then he most interestingly writes “You are looking at a system explicitly designed to protect the privacy of hundreds of millions of users and saying it’s not good enough. A tiny fraction of those millions will self-host. We can protect the privacy of the many by competing with Google, Apple, and Facebook, or we can protect the privacy of a tiny population by focusing on self-hosting. For me, that choice is clear: we are market driven and must go to where our users are.”
Self-hosting?
First of all, yes, it’s true: there is now a way to self-host, which I overlooked. However, what the Mozilla employees call “complicated”, I call “next to unusable”.
While the sync server component is fairly easy to install for an experienced admin, it still relies on the Mozilla authentication servers by default. Setting up your own authentication servers is also possible and also fairly straightforward; however, using a self-hosted sync server and a self-hosted auth server together is not documented.
The user configuration is the tricky part. As Firefox does not feature any option to choose self-hosted account and sync servers in its GUI, users have to go to about:config and start tweaking configuration options, and quite a few of them, for the sync server as well as for the auth server.
This is a major issue because, while it again is easy enough for the tech-savvy individual, it doesn’t scale, much less in an environment of mixed user skills. I don’t want to be the sysadmin in a company with hundreds, or maybe a university with tens of thousands, of users who has to migrate all of them.
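To make the configuration problem concrete, here is an added example (not part of the original post, and not Mozilla’s own tooling) of how an admin could script the about:config side: it parses a profile’s prefs.js/user.js, reports every sync or account endpoint that is missing (and therefore still falls back to Mozilla’s built-in default) or that does not point at the self-hosted servers over HTTPS, and renders a user.js fragment for mass deployment. The preference names are taken from Mozilla’s self-hosting instructions of that era and are an assumption to verify against the Firefox version in use; the hostnames, path suffixes and the sample prefs.js are constructed.

```python
"""Audit and generate the about:config overrides a self-hosted Firefox Sync
deployment needs, so an admin can check that a profile is not silently
falling back to Mozilla's hosted authentication server."""
import re
from urllib.parse import urlparse

# Preference names as listed in Mozilla's self-hosting instructions of that
# era (assumption: verify against the Firefox version you deploy). The path
# suffixes are constructed placeholders for this example.
PREF_PATHS = {
    "identity.fxaccounts.auth.uri": "/v1",
    "identity.fxaccounts.remote.signup.uri": "/signup?service=sync",
    "identity.fxaccounts.remote.signin.uri": "/signin?service=sync",
    "identity.fxaccounts.remote.force_auth.uri": "/force_auth?service=sync",
    "identity.fxaccounts.settings.uri": "/settings",
    "identity.sync.tokenserver.uri": "/token/1.0/sync/1.5",
}
# Prefs that belong to the account (auth) server versus the sync token server.
AUTH_PREFS = {p for p in PREF_PATHS if p.startswith("identity.fxaccounts")}

_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*"((?:[^"\\]|\\.)*)"\);')


def parse_prefs(text):
    """Return {name: value} for the string prefs in prefs.js / user.js text."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).replace('\\"', '"')
    return prefs


def audit_prefs(prefs, auth_host, token_host):
    """List every pref that would still send traffic somewhere other than the
    self-hosted servers. Returns a sorted list of (pref, problem) tuples."""
    findings = []
    for name in PREF_PATHS:
        value = prefs.get(name)
        if value is None:
            # An unset pref means Firefox uses its compiled-in Mozilla default.
            findings.append((name, "missing: falls back to Mozilla's built-in default"))
            continue
        url = urlparse(value)
        if url.scheme != "https":
            findings.append((name, f"not https: {value}"))
        expected = auth_host if name in AUTH_PREFS else token_host
        if url.hostname != expected:
            findings.append((name, f"points at {url.hostname!r}, expected {expected!r}"))
    return sorted(findings)


def render_user_js(auth_host, token_host):
    """Emit a user.js fragment an admin can drop into every managed profile."""
    lines = ["// Self-hosted Firefox Accounts + Sync endpoints (generated)"]
    for name, path in PREF_PATHS.items():
        host = auth_host if name in AUTH_PREFS else token_host
        lines.append(f'user_pref("{name}", "https://{host}{path}");')
    return "\n".join(lines) + "\n"


# Constructed sample profile: the admin pointed the sync server at their own
# host but left authentication on the default servers, and one URL is plain
# http. This is exactly the half-configured state the post describes.
SAMPLE_PREFS_JS = '''\
user_pref("browser.startup.homepage", "about:blank");
user_pref("identity.sync.tokenserver.uri", "https://sync.example.org/token/1.0/sync/1.5");
user_pref("identity.fxaccounts.auth.uri", "http://fxa.example.org/v1");
'''

if __name__ == "__main__":
    prefs = parse_prefs(SAMPLE_PREFS_JS)
    for pref, problem in audit_prefs(prefs, "fxa.example.org", "sync.example.org"):
        print(f"{pref}: {problem}")
    print(render_user_js("fxa.example.org", "sync.example.org"))
```

Running the audit over the sample profile flags the four unset account-server prefs and the plain-http auth URI, while the token server passes; feeding the rendered user.js back through the audit yields no findings, which is the check an admin would run before rolling the file out to a fleet of profiles.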
Value?
Nicholas wrote “The big identity and sync systems are extremely popular *because they provide a huge amount of user value.”* That is a statement that I can’t help but doubt. I’d rather say the systems are heavily used simply because they are easily available and, in many if not most cases, activated by default (see e.g. Android browser sync with a Google account).
He also wrote that the fact that nobody had created an easy solution yet is a sign of how little value the project has. That looks like a vicious circle to me. The Mozilla people don’t invest resources in making self-hosting easy because they think it has low value, and they think it has low value because nobody invests resources. Uhm… OK… How about this: you changed the system from easy to absurdly tedious, so it’s your job to provide a solution that users can easily migrate to? Unless, of course, you actively want to discourage self-hosting…
The whole situation somewhat reminds me of the early browser wars, when Microsoft preinstalled Internet Explorer on Windows. Yeah, IE was the most widely used browser, but was it the most popular? Over time, Netscape and later Mozilla gained popularity as people learned how to install software themselves, but the big breakthrough in Europe came, IIRC, when the EU Commission obligated Microsoft to separate IE from Windows and proactively offer a choice of which browser the user wants after the installation of Windows.
It actually is kind of ironic that Mozilla is now showing roughly similar behavior regarding a part of its own product, by making the use of its own sync service very easy and self-hosting (or the choice of other potential sync service providers) extremely complicated.
Designed for privacy?
Since the (still ongoing) NSA scandal, the world has learned many times over about the extensive access US law grants to intelligence agencies, including the right to obligate the respective cloud service provider to absolute silence about any form of cooperation. That makes any cloud service operated by any entity within the jurisdiction of the USA automatically and inherently untrustworthy. And that also holds if the servers are outside US jurisdiction, as the Microsoft Ireland case shows. That this is not just a theoretical concern is demonstrated by loss projections of up to $35bn for the big US cloud service providers in their European business, which prompted them to meet with President Obama about the issue.
Hosting the usernames and passwords, bookmarks and browser history of hundreds of millions of people throughout the world, the Firefox sync service must be considered an extremely high-value target for any intelligence agency, especially the US agencies, which are known to simply collect everything possible about anyone possible by any means possible. Those agencies are also well known to use common criminals’ methods like phishing (remember Richard’s statement?). And it is even theoretically possible that a US agency simply obligated Mozilla to include a master key or weakness in its encryption system and banned it from disclosing this.
So, to label a service “designed for privacy” with any real-world justification, it nowadays simply must contain an easy-to-use option to choose an alternative service provider or to self-host. Additionally, if privacy really is the goal, why not create an independent entity for the hosting in a country with very strong privacy protection, say Iceland or Switzerland?
Summary
Is self-hosting possible?
Yes. For very tech-savvy individuals, with a lot of effort.
Is self-hosting feasible?
No. Not in any kind of environment with a number of non-tech-savvy people. It’s poorly documented, overly complicated, and the migration doesn’t scale.