Re: Abrowser has Firefox Sync

4 réponses [Dernière contribution]
Jonathan Matt Gresham
Hors ligne
A rejoint: 07/24/2023

On 24/02/16 04:41AM, name at domain wrote:
> Was not sure if I was to report this on gitlab. Abrowser 123.0 has Firefox
> Sync. Have things changed that Firefox Sync is okay? It relies on
> accounts.firefox.com and takes your passwords too.
I would recommend looking at GNU IceCat and surf for alternatives until
this is resolved. Install IceCat by running:
sudo apt install guix
guix pull
guix install icecat

next you just have to find IceCat in ~/.guix-profile/bin
and make a hardlink or symbolic link to make it runnable from terminal
or run feature in GUI.

Ignacio Agulló
Hors ligne
A rejoint: 07/30/2019

O 2024-02-16 06:33, matt escribiu:
> On 24/02/16 04:41AM, wrote:
>> Was not sure if I was to report this on gitlab. Abrowser 123.0 has
>> Firefox
>> Sync. Have things changed that Firefox Sync is okay? It relies on
>> accounts.firefox.com and takes your passwords too.
> I would recommend looking at GNU IceCat and surf for alternatives until
> this is resolved. Install IceCat by running:
> sudo apt install guix
> guix pull
> guix install icecat
>
>
> next you just have to find IceCat in ~/.guix-profile/bin
> and make a hardlink or symbolic link to make it runnable from terminal
> or run feature in GUI.

Firefox Sync is originally introduced as a Firefox extension coupled to
an end-to-end synchronization service. The service initally offers to
synchronize bookmarks, but later on it adds browsing history, passwords,
tabs currently open, and so on. The user is free to choose what to
synchronize.

In 2009, Firefox Sync is incorporated into the browser so adding an
extension is no longer necessary.

In 2014, Mozilla announces that the original Firefox Sync service is to
disappear in the future, and that users wanting to use such a service
have to sign up for a new Sync service that is all the same... except
that it has no end-to-end encryption, so Mozilla is able to access the
user's bookmarks, browsing history, passwords and so on, and provide
copies whenever legally requested by an U.S. espionage agency.

As far as I know, Abrowser is always able to use the Firefox Sync
service, and there is no doubt that Abrowser if free software. As far
as I know, the Sync service server is free software too, so from the
point of view of free software there are no issues.

The issues are related to the freedom of the service (we not only care
for the freedom of the software, we care for the freedom of the services
too) and security. Like, not having strangers being able to read your
passwords.

The question is, what does offer IceCat that Abrowser doesn't?

Say, is its Sync service different from Abrowser's? Has it end-to-end
encryption? Is it not hosted in the US? Or is it a peer-to-peer
service that doesn't rely on a server? Why would using IceCat Sync be
better than Firefox Sync or Abrowser Sync?

Kind regards,
Ignacio Agulló.

Magic Banana

I am a member!

I am a translator!

Hors ligne
A rejoint: 07/24/2010

In 2014, Mozilla announces that the original Firefox Sync service is to disappear in the future, and that users wanting to use such a service have to sign up for a new Sync service that is all the same... except that it has no end-to-end encryption, so Mozilla is able to access the user's bookmarks, browsing history, passwords and so on, and provide copies whenever legally requested by an U.S. espionage agency.

That is not true. Firefox Sync still uses end-to-end encryption. The encryption key never leaves the computer of the user and her passphrase is cleverly handled (it is never transmitted in clear): https://hacks.mozilla.org/2018/11/firefox-sync-privacy/

In the end, unless an expert in encryption challenges the claim that "this cryptographic design is solid" (I personally have no idea what are "1000 rounds of PBKDF2" or "AES-256 in CBC mode, protected with an HMAC") or anybody else shows the source code does not match what its developer affirms (as you say: it is all free software; including the server-side), only the user can read the synced data. Mozilla, or anybody else, cannot.

Ignacio Agulló
Hors ligne
A rejoint: 07/30/2019

O 2024-02-16 14:38, name at domain escribiu:
>
> That is not true. Firefox Sync still uses end-to-end encryption. The
> encryption key never leaves the computer of the user and her
> passphrase is cleverly handled (it is never transmitted in clear):
> https://hacks.mozilla.org/2018/11/firefox-sync-privacy/

All right, I check on it. I read these:

"The new Firefox Sync enables you to safely and easily take your
browsing data (including bookmarks, open tabs and passwords) between
devices with complete end-to-end encryption,"
Test the New Firefox Sync on Nightly Release Channel - Future Releases
https://blog.mozilla.org/futurereleases/2014/02/01/test-the-new-firefox-sync-on-nightly-release-channel/

"And the encryption key derived from your passphrase never leaves your
computer.
"We designed Firefox Sync to protect your data – by default – so Mozilla
can’t read it."
Private by Design: How we built Firefox Sync - Mozilla Hacks - the Web
developer blog
https://hacks.mozilla.org/2018/11/firefox-sync-privacy/

Pairing Problems | Brian Warner
https://blog.mozilla.org/warner/2014/04/02/pairing-problems/

"all Sync data must be end-to-end encrypted, just like before, using a
key that is only available to you and your personal devices"
The new Sync protocol | Brian Warner
https://blog.mozilla.org/warner/2014/05/23/the-new-sync-protocol/

"The encryption used by Sync means that if a user’s password is reset
(not simply changed), then the data on the server is unable to be
decrypted. "
CloudServices/Sync/FAQ - MozillaWiki
https://wiki.mozilla.org/CloudServices/Sync/FAQ

These posts from Mozilla explain how Sync works, and why its
encryption is end-to-end.

I am not inspecting Abrowser's source code to ensure the key to
decrypt my data isn't sent to Mozilla, but I trust these posts,
specially the last one because of belonging to a FAQ that is supposed to
be updated. So I take back what I said about Sync data being available
to Mozilla. I had stopped using my Mozilla account for Syncing, but now
I might use it again.

Kind regards,
Ignacio Agulló.

Avron

I am a translator!

En ligne
A rejoint: 08/18/2020

I previously tried synchronizing the ~/.mozilla folder with my seafile server, but it was somehow creating problems due to the number of files that were constantly updated.

I am wondering whether it would work to move the ~/.mozilla directory to a USB key and create a symbolic link to it. It would avoid relying on someone else's computer.