The new Sync protocol

Last time I described the user difficulties we observed with the pairing-based Sync we shipped in Firefox 4.0. In late April, we released Firefox 29, with a new password-based Sync setup process. In this post, I want to describe the protocol we use in the new system, and their security properties.

(For the cryptographic details, you can jump directly to the full technical definition of the protocol, which we've nicknamed "onepw", since there is now just "one password" to protect both account access and your encrypted data) more…

Pairing Problems

we learned that our pairing implementation in Firefox Sync had some problems. Some were shallow, others were deep, but the net result is that a lot of people were confused by Sync, and we didn't get as many people using it as we'd hoped. This post is meant to capture some of the problems that we observed.

more…

Remote Entropy

Can you safely deliver entropy to a remote system?

Running a system without enough entropy is like tolerating a toothache: something you'd really like to fix, but not quite bothersome enough to deal with. more…

phishing training

I stopped by the bank this morning to make a deposit. While fussing with the ATM machine, I was listening to a nearby bank employee making a phone call. more…