Firefox Sync:
Then and Now and Soon
Brian Warner, Mozilla Identity
warner@mozilla.com
(partial) video: https://www.youtube.com/watch?v=G16rOGmpBUc
Browser Data Synchronization
- keep bookmarks, passwords, preferences, etc synchronized between
multiple browsers
- data stored on server: clients are mostly offline
- extra credit: encryption
Firefox Sync (neƩ Weave)
- Firefox extension by Mozilla Labs, 2007-2010
- username + password + passphrase
J-PAKE
Credential Transfer
Sync 1.3, now with J-PAKE
included in Firefox 4.0 (March 2011)
Awesome!
- great security, even against the server
- no passwords to remember
Not So Awesome
Problem #1: incomplete transition
- pairing replaced passphrase
- but email/password was left in
Problem #2: no single-device recovery
Solving the Wrong Problem
- We built Sync: connecting your devices to each other
- incidentally provided an elegant security solution
- But people wanted a backup service: connecting their device to a
server
- They used Sync anyways, with bad results.
New (contradictory) constraints
- instructions: "Fix Sync!". Make it:
- "secure"
- recoverable-by-password
- recoverable-by-email
- use one password, not two
- make it look more like a "normal" account system
New SRP-based Design
Data-Protection Classes
- class A: recoverable by email
- class B: recoverable only by password
Client-Side Key-Stretching
- client does not reveal password to server
SRP
- protects stretched password against eavesdroppers, MitM, and
malicious server
Pushback
- full spec looks pretty complex
- SRP is underspecified: scary
- implementing our own SRP (in Javascript): scary
- can't do server-side stretching with SRP verifier
- slow clients, JS clients: performance worries
- scrypt RAM usage vs small phones: OOM Killer
Scope Creep
- new requirement: generalized accounts
- auth-only, same password
- don't care about encryption keys
- login from arbitrary browsers
"onepw" design
"passive" attack
"active" attack
just auth
future directions
- Ship it!: Firefox 29, late April 2014
- Reintroduce Pairing
- 2FA
More Information
- "onepw" protocol:
- old SRP protocol:
Thanks!
warner@mozilla.com