Details on new "Firefox Accounts": what methods of authenticating users?
On the "more info" page for Firefox accounts, it says,
"The Firefox browser collects so little data about you, we don’t even require your email address. But when you use it to create a Firefox account, we can protect your privacy across more of your online life."
I don't know why they say that - you have to register w/ an email to post or reply on any of the support forums or addon forum or to review addons or to file bugs on bugzilla.
How is the sign in / authentication process different for Firefox Accts than registering on the Mozilla support site?
Exactly what method are they using to register users or recognize them in different sessions? Are they using oAuth or anything similar?
If so, what data are they attempting to gather about the users, their system, device(s) or any personal / pseudo-personal data? Not that oAuth is "safe" (it had & has a number of security bugs). But sites using it (according to Google) can adjust what data they try to gather.
Thanks.
All Replies (5)
Joebt said
On the "more info" page for Firefox accounts, it says,"The Firefox browser collects so little data about you, we don’t even require your email address. But when you use it to create a Firefox account, we can protect your privacy across more of your online life."I don't know why they say that - you have to register w/ an email to post or reply on any of the support forums or addon forum or to review addons or to file bugs on bugzilla.
You can use the browser for browsing without creating a Firefox account. If you do want to create an account, it needs to be verified using an email address, so in that case you need to provide an email address.
How is the sign in / authentication process different for Firefox Accts than registering on the Mozilla support site?
Until recently, support accounts were completely separate. Now the site uses your Firefox Account for login, so there would normally be no difference between the Firefox Account you use for Sync or other services, and for this site. I mean, you could create a new Gmail/Outlook/Yahoo/etc. email address and use that to create a separate Firefox account for support if you wanted.
Exactly what method are they using to register users or recognize them in different sessions? Are they using oAuth or anything similar?
What do you mean by "different sessions"? See: https://developer.mozilla.org/docs/Mozilla/Tech/Firefox_Accounts/Introduction
If so, what data are they attempting to gather about the users, their system, device(s) or any personal / pseudo-personal data? Not that oAuth is "safe" (it had & has a number of security bugs). But sites using it (according to Google) can adjust what data they try to gather.
Maybe you can find some documentation on it if you search a bit?
See also:
- https://support.mozilla.org/en-US/kb/access-mozilla-services-firefox-account
- https://support.mozilla.org/en-US/kb/share-data-mozilla-help-improve-firefox
Thanks Jscher & Cor-el for tackling how Firefox Sync works on SUMO & across Mozilla sites!
If what they've shared above doesn't fully answer your questions, I can try to obtain a more detailed answer for you from the Firefox Accounts team. It's still the holidays though, so it will be a little while before they can respond to us.
But if I can attempt to answer one part of your question: "If so, what data are they attempting to gather about the users, their system, device(s) or any personal / pseudo-personal data?" I would say they might look at what OS you're using in their suspicious activity monitoring system, which tries to alert you of any strange, suspicious login attempts. They definitely look at the device type as well, since you have to add/connect your device to your Firefox Account. The OS data & device type data would be isolated & only used for the suspicious activity monitoring system. But I'll let a Firefox Accounts developer explain the technical approach there, since I want you to have the most accurate answer possible.
But as far as any other personal data being collected, none should be collected past what you specify to be synced in the syncing options of Firefox Accounts. And even then, all that personal data is heavily encrypted & setup in a way that Mozilla can not read it themselves.
More about that here (apologies if you've already read this): https://hacks.mozilla.org/2018/11/firefox-sync-privacy/ "The encryption key is the essential element. The service provider must never receive it – even temporarily – and must never know it. When you sign into your Firefox Account, you enter a username and passphrase, which are sent to the server. How is it that we can claim to never know your encryption key if that’s all you ever provide us? The difference is in how we handle your passphrase. ...... The crux of the difference in how we designed Firefox Accounts, and Firefox Sync (our underlying syncing service), is that you never send us your passphrase. We transform your passphrase on your computer into two different, unrelated values. With one value, you cannot derive the other. We send an authentication token, derived from your passphrase, to the server as the password-equivalent. And the encryption key derived from your passphrase never leaves your computer. ...... Interested in the technical details? We use 1000 rounds of PBKDF2 to derive your passphrase into the authentication token. On the server, we additionally hash this token with scrypt (parameters N=65536, r=8, p=1) to make sure our database of authentication tokens is even more difficult to crack.
We derive your passphrase into an encryption key using the same 1000 rounds of PBKDF2. It is domain-separated from your authentication token by using HKDF with separate info values. We use this key to unwrap an encryption key (which you generated during setup and which we never see unwrapped), and that encryption key is used to protect your data. We use the key to encrypt your data using AES-256 in CBC mode, protected with an HMAC."
See also:
    // Key derivation constants from WeaveCrypto.js (the Sync crypto module)
    const KEY_DERIVATION_ALGO = "PBKDF2";
    const KEY_DERIVATION_HASHING_ALGO = "SHA-1";
    const KEY_DERIVATION_ITERATIONS = 4096; // PKCS#5 recommends at least 1000.
    const DERIVED_KEY_ALGO = CRYPT_ALGO; // CRYPT_ALGO is defined earlier in the same file
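As an added illustration of the passphrase split the quoted hacks.mozilla.org post describes (one PBKDF2 stretch on the client, two unrelated HKDF outputs with separate info values, scrypt with N=65536, r=8, p=1 on the server, and a wrapped data key the server never sees unwrapped). This is not code from the thread or from Mozilla's own implementation; the hash function (SHA-256), the salt and info label strings, and the XOR wrapping step are assumptions, not details quoted on this page.

```python
import hashlib
import hmac

# Assumed label strings for domain separation (not quoted on this page).
QUICK_STRETCH_SALT = "identity.mozilla.com/picl/v1/quickStretch:"
INFO_AUTH_PW = b"identity.mozilla.com/picl/v1/authPW"
INFO_UNWRAP_BKEY = b"identity.mozilla.com/picl/v1/unwrapBkey"
SCRYPT_SALT = b"identity.mozilla.com/picl/v1/scrypt-hash"


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32, salt: bytes = b"") -> bytes:
    """RFC 5869 HKDF (extract + expand) with HMAC-SHA256."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for i in range(1, -(-length // 32) + 1):
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def client_derive(email: str, passphrase: str) -> dict:
    """Client side: 1000 rounds of PBKDF2, then two HKDF outputs that cannot
    be derived from each other. Only authPW is ever sent to the server."""
    stretched = hashlib.pbkdf2_hmac("sha256", passphrase.encode(),
                                    (QUICK_STRETCH_SALT + email).encode(), 1000, 32)
    return {
        "authPW": hkdf_sha256(stretched, INFO_AUTH_PW),          # password-equivalent
        "unwrapBKey": hkdf_sha256(stretched, INFO_UNWRAP_BKEY),  # stays on the client
    }


def server_hash(auth_pw: bytes) -> bytes:
    """Server side: store scrypt(authPW) rather than authPW itself, so a
    leaked database does not directly yield password-equivalents."""
    return hashlib.scrypt(auth_pw, salt=SCRYPT_SALT, n=65536, r=8, p=1,
                          maxmem=128 * 1024 * 1024, dklen=32)


def wrap_kb(kb: bytes, unwrap_bkey: bytes) -> bytes:
    """XOR-wrap (or unwrap, same operation) the random 32-byte data key kB.
    The server only ever stores wrapKb, never kB or unwrapBKey."""
    return bytes(a ^ b for a, b in zip(kb, unwrap_bkey))


if __name__ == "__main__":
    keys = client_derive("user@example.com", "constructed test passphrase")
    print("authPW     :", keys["authPW"].hex())
    print("unwrapBKey :", keys["unwrapBKey"].hex())
    print("stored hash:", server_hash(keys["authPW"]).hex())
```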
Thanks everyone. Got a little busy, to answer / reply. I don't think there are any very specific details on exactly what data (scopes) Mozilla will access, or enough details on how they will use oAuth, for average users to understand it. Because there are many options they can choose.
What do you mean by "different sessions"?
Really? Logging into (any Mozilla site / service, if using oAuth), then logging out. Next day, log back in. Or, same day, but close browser & clear all cookies, cache, etc., then log in again - in a "new session."
They aren't going to allow users to login, simply by entering your email (anyone could use another email they've seen on bugzilla, for instance). As the link provided indicates.
See also: https://dxr.mozilla.org/mozilla-release/source/services/crypto/modules/WeaveCrypto.js
One problem is, like many, I'm not a professional JS coder. I understand some of it (even use / modify fairly simple scripts to my needs). Enough knowledge to be dangerous.
Maybe you can find some documentation on it if you search a bit?
I apologize, but that's the problem. I have researched it & found nothing specific (details) on exactly what Mozilla is doing. I don't ask specific questions unless I've researched a topic enough to know when I'm at the stage of reinventing the wheel.
I'm assuming a lot here. I'm asking what data is Mozilla gathering, to create (I assume) a token for the user.
Is Mozilla acting as the authorization provider, or using another, say, Google? Why? Well, [https://www.cubrid.org/blog/dancing-with-oauth-understanding-how...]
However, in order to use the functions of Facebook or Twitter through external services, one does not necessarily need to log in to neither of them. Just a "simple" authentication process, like OAuth, allows users to leverage the data from popular social networking services.
To non-technical users, that doesn't mean much. They often don't read privacy policies or TOS - for anything. But, one of the things the above statement means is, Facebook & Twitter are tracking users, even more than in the past. It also likely means they are building a device fingerprint or improving one they already have. But it doesn't stop w/ just 2 sites.
For instance, I'm using this intro to oAuth article, [https://itnext.io/an-oauth-2-0-introduction-for-beginn...] if other users want a better understanding of what oAuth is & exactly how it does what it does (in the hands of oAuth providers or the sites offering "services").
there are four different versions. Or, more correctly, four different flows. OAuth 2 is the totality of these flows. It’s not mandatory to implement them all, but only the ones that you need. The goal remains always the same: to obtain an access_token and use it to access protected resources. The four modalities are:
- Authorization Code Grant:
- Implicit Grant:
- Client Credential Grant:
- Password Grant:
Which of those is Mozilla using (or none of above)?
The itnext.io article has some detailed illustrations of various possibilities & the idealized process (which can vary greatly). Much depends on what a site wants to know about the user.
[https://developer.github.com/apps/bui.../understanding-scopes-for-oauth-apps/] The term "Scopes" refers to what data a particular oAuth provider's oAuth API offers & what the site (or on Github, the project developer) wants out of everything that is accessible.
On Github's explanation of "oAuth Scopes" for Github project developers, a few (out of many) things it lists are:
- read:user - Grants access to read a user's profile data.
- user:email - Grants read access to a user's email addresses.
- user:follow - Grants access to follow or unfollow other users.
Maybe not as much for typical Github users, but they're offering to project developers - setting up an oAuth app, to read the email address(es) users' account profiles (I assume). Project devs on Github don't need to read my email addresses or anything else. Unless they're a well known, going concern, they have essentially zero credibility. I agreed to terms with Github, Inc. to create an acct - not w/ dozens of 1 man projects I might visit.
Here's Google's basic details on THEIR oAuth API, that sites can use. I wonder if Google would be interested in the users' data, gathered in the oAuth authorization process? [https://developers.google.com/identit.../OAuth2]
Google says,
The Google OAuth 2.0 endpoint supports applications that are installed on devices such as computers, mobile devices, and tablets.
Going a bit farther: https://developers.google.com/identity/protocols/OAuth2InstalledApp
OAuth 2.0 allows users to share specific data with an application while keeping their usernames, passwords, and other information private. For example, an application can use OAuth 2.0 to obtain permission from users to store files in their Google Drives. Installed apps are distributed to individual devices, and it is assumed that these apps cannot keep secrets. They can access Google APIs while the user is present at the app or when the app is running in the background.
Who could ever envision something going wrong or being abused, when large corporations are the oAuth providers; many of which are known for their (sometimes illegal) data gathering on users?
There are certain scenarios where this would be useful, IF USERS really want to SHARE THEIR DATA between 2 or more sites (or sites' services). If they distrust Site A so much, that they don't want to create & use a user name /password on it.
The oAuth provider (even if a site / corp. is its own provider) is saying, trust us with your PW & potentially a whole lot of other data about your device, and we'll vouch to Site A that you are who you say you are. It appears to be fingerprinting devices. That's OK for my bank, or I'll give them my phone for 2FA - 2 factor authentication, but I won't give it to sites unless they are a well known site that is protecting my assets.
For many avg users, if a quilting or learn bird calling site uses oAuth, users may well be giving up more data than they realize or would want, if they understood the process; most will not understand the process.
Here's a Wikipedia partial list of "List of notable OAuth service providers." https://en.wikipedia.org/wiki/List_of_OAuth_providers
Note that many are known large user-data gatherers.
I guess the original question was exactly what / how is Mozilla using oAuth to identify users (if Mozilla is the provider)? What data will they ask (I assume they'll ask) users to approve access to, just to login a support forum? That's all a large % of Firefox users will ever visit.