Is Firefox Sync safe?
Hi, I thought about starting to use Firefox Sync for my bookmarks. I noticed that it also syncs login details, and I don't understand how this can be safe.
Assuming the data is stored encrypted, how can this be decrypted on the other machine?
Thanks
All Replies (7)
The Sync service uses a sync key to encrypt data locally before uploading. This Sync key is generated internally from the password of your Firefox account, so you do not need to worry about it. Without the correct password it isn't possible to decrypt the data stored on the Sync server because the correct Sync key can't be generated. The Sync key changes when you change the password of the Firefox account and you lose all data stored on the Sync server when you change the password of the Sync account. Other connected devices use the same name and password to log in to the Firefox Sync account, so they can decrypt data downloaded from the server locally. As long as you choose a strong password and you keep it to yourself then your data is safe.
See also:
So any time the same user and pass are supplied, the same sync key will be generated, isn't it?
Yes. If you change the password of the Sync account, or request a new password because you do not remember it, then all data stored on the Sync servers is deleted because it can't be decrypted anymore, and personal data stored on the Sync server is lost. You need to change the password on all connected devices and once again do an initial sync.
So if I understand correctly, the process goes like this:
1. When syncing the login details, they are encrypted locally using the sync user and password.
2. The encrypted data is stored on Mozilla servers.
3. When a new machine is being synced, the encrypted data is sent to that machine and is decrypted locally again.
Am I right?
anyone?
The email address and password of the Firefox account are used to log in to the Sync server. This same password is also used locally to encrypt your data before it is sent to the Sync server. Other connected devices can retrieve this encrypted data, and since they use the same email and password, they use that password to decrypt this data locally. So only encrypted data travels between a connected device and the Sync server.
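The flow confirmed in this thread (same email and password on every device, encryption and decryption done locally), as an added sketch that is not part of the thread and is not Mozilla's code or Firefox's actual key derivation. The salt, iteration count, HKDF labels and the HMAC-based keystream standing in for AES are assumptions chosen so it runs on the Python standard library alone; it also derives a separate login token, so the value sent to the server differs from the encryption key.

```python
import hashlib, hmac, os

def hkdf(key: bytes, info: bytes) -> bytes:
    """HKDF-SHA256 (RFC 5869), zero salt, one 32-byte output block."""
    prk = hmac.new(b"\x00" * 32, key, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()

def derive_keys(email: str, password: str):
    """Stretch the password once, then split it into two independent keys."""
    # Assumed parameters: email as salt, 100,000 PBKDF2 rounds, made-up labels.
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), email.encode(), 100_000)
    auth_token = hkdf(stretched, b"example/auth")  # sent to the server to log in
    sync_key = hkdf(stretched, b"example/sync")    # stays on the device
    return auth_token, sync_key

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode; stdlib stand-in for a real cipher such as AES."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt(sync_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC on the device; the server only ever stores this blob."""
    enc_key, mac_key = hkdf(sync_key, b"enc"), hkdf(sync_key, b"mac")
    nonce = os.urandom(16)
    ct = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def decrypt(sync_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, so a key from the wrong password is rejected."""
    enc_key, mac_key = hkdf(sync_key, b"enc"), hkdf(sync_key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered record")
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))

def demo():
    # Constructed sample credentials and record.
    _, key_a = derive_keys("user@example.com", "correct horse battery staple")
    blob = encrypt(key_a, b'{"site":"example.org","login":"alice","pw":"s3cret"}')
    _, key_b = derive_keys("user@example.com", "correct horse battery staple")
    return decrypt(key_b, blob)  # second device, same credentials
```

A key derived from a changed password fails the tag check in `decrypt`, which is why records already on the server become unreadable after a password change.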
Thanks. Now it is a bit more clear. Two more questions please:
1. How does the Master Password fit into this model?
2. I never used this sync feature before, but now I read that in the past Mozilla used a different mechanism that allegedly was more secure. I'm interested in how it was more secure, and if so, why did Mozilla drop that?
thanks