Does Mozilla save passwords/bookmarks etc. on their servers?
After the Opera "breach" http://www.opera.com/blogs/security/2016/08/opera-server-breach-incident/
Does Mozilla save bookmarks and/or passwords on its servers when sync is activated? Are these secure? Can these be viewed (apart from viewing under Options->Security->Saved Logins)? I know Chrome has an option of opening up Google Dashboard where it will advise of all saved data on its servers, under Google Sync. Is there a similar option for Firefox?
I have deleted my old account and created a new one but only synced the bookmarks due to this Opera incident.
All Replies (7)
hi capcomnz, if you are using firefox sync, your data will be encrypted locally on your device with a key derived from your firefox account password before it is sent to mozilla's servers - your account password is the only way to decrypt that data. if you want to learn more about the technical details about the sync protocol you can refer to its documentation at https://github.com/mozilla/fxa-auth-server/wiki/onepw-protocol (in particular the section about "security analysis").
Thanks for the reply Philipp, but the technical stuff was way over my head. You said "that the data is encrypted locally on device .....before it is sent to Mozilla's servers." So in theory the same thing that happened at Opera could happen here. The account passwords were possibly compromised, which led to 3rd party site passwords being possibly compromised as well, through their sync system. Does that mean that when I deleted my old account all information was deleted, and now I have set up a new account and am only syncing bookmarks, no 3rd party site passwords should be on Mozilla's servers?
hey again, i am not sure what kind of attack exactly happened with opera or what kind of security safeguards they are using, so i cannot comment on that.
but yes, what's cryptographically protecting your sync data is in essence your firefox account password, so we advise to pick a strong and unique password for that purpose. if i'm not mistaken we also recently introduced some form of 2-factor authentication so that when a new device wants to connect to your sync account you not only have to provide a password but also demonstrate control over your email account (by clicking a link on a confirmation mail).
i don't think that after closing an account the data is purged immediately (this happens on something like a daily interval) - but deleting an account destroys its encryption keys, so the encrypted blobs on the server become meaningless.
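The two points made in the replies above (sync data is encrypted on the device with a key derived from the account password, and deleting the account destroys the keys so the stored blobs become meaningless) can be shown in a short sketch. This is an added example, not part of any reply in this thread and not Mozilla's code: the labels, the iteration count, the XOR key wrapping and the HMAC-based stand-in cipher are all assumptions made for illustration, and the account and record are constructed.

```python
import hashlib, hmac, os

def hkdf(ikm, info, length=32):
    """HKDF-SHA256 (RFC 5869) with an all-zero salt."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm, counter = okm + block, counter + 1
    return okm[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def client_derive(email, password):
    """Runs on the device. Labels and iteration count are this example's choices."""
    salt = b"example/stretch:" + email.encode()
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    auth_token = hkdf(stretched, b"example/auth")    # sent to the server to log in
    unwrap_key = hkdf(stretched, b"example/unwrap")  # never leaves the device
    return auth_token, unwrap_key

def seal(data_key, plaintext):
    """Encrypt-then-MAC with an HKDF keystream: a stand-in for a real AEAD."""
    nonce = os.urandom(16)
    ct = xor(plaintext, hkdf(data_key, b"enc" + nonce, len(plaintext)))
    tag = hmac.new(hkdf(data_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(data_key, blob):
    """Return the plaintext, or None when the key does not match the blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(hkdf(data_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None
    return xor(ct, hkdf(data_key, b"enc" + nonce, len(ct)))

def read_back(server, email, password):
    """What a device can recover from the server's copy with a given password."""
    # If the account's wrapped key was destroyed, only zeros are left to combine.
    wrapped = server.get("wrapped_key", bytes(32))
    _, unwrap_key = client_derive(email, password)
    return unseal(xor(wrapped, unwrap_key), server["blob"])

# Constructed sample account and record.
EMAIL, PASSWORD = "user@example.test", "correct horse battery staple"
RECORD = b'{"bookmark": "https://example.test/"}'
server = {"wrapped_key": os.urandom(32)}  # per-account key material held server-side
data_key = xor(server["wrapped_key"], client_derive(EMAIL, PASSWORD)[1])
server["blob"] = seal(data_key, RECORD)   # the server only ever receives this ciphertext
```

In this model the server never holds the password or the data key, so the stored blob opens only for a device that knows the password, and stops opening for anyone once the account's wrapped key is gone.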
capcomnz said
Does that mean that when I deleted my old account all information was deleted, and now I have set up a new account and am only syncing bookmarks, no 3rd party site passwords should be on Mozilla's servers?
How did you "delete" your old account? What exactly did you do?
Hi jscher2000, I simply went under Options -> Sync and clicked on Manage Account. That opened a website which gave several options like changing picture, display name, password but also Delete Account.
That sounds conclusive to me. Especially if you were able to create a new account using the same email address.
Actually I created a new account under a different email address and only synced bookmarks. That way I get them on my iPad as well.