Firefox Sync:

Then and Now and Soon





Brian Warner, Mozilla Identity

warner@mozilla.com


(these slides: http://goo.gl/afczZ7)

Browser Data Synchronization

  • keep bookmarks, passwords, preferences, etc synchronized between multiple browsers
  • data stored on server: clients are mostly offline
  • extra credit: encryption

Firefox Sync (née Weave)

  • Firefox extension by Mozilla Labs, 2007-2010
  • username + password + passphrase

J-PAKE

Credential Transfer

Sync 1.3, now with J-PAKE

included in Firefox 4.0 (March 2011)

Awesome!

  • great security, even against the server
  • no passwords to remember

Not So Awesome

Problem #1: incomplete transition

  • pairing replaced passphrase
  • but email/password was left in

Problem #2: no single-device recovery

Solving the Wrong Problem

  • We built Sync: connecting your devices to each other
    • incidentally provided an elegant security solution
  • But people wanted a backup service: connecting their device to a server
  • They used Sync anyways, with bad results.

New (contradictory) constraints

  • instructions: "Fix Sync!". Make it:
    • "secure"
    • recoverable-by-password
    • recoverable-by-email
    • use one password, not two
  • make it look more like a "normal" account system

New SRP-based Design

Data-Protection Classes

  • class A: recoverable by email
  • class B: recoverable only by password

Client-Side Key-Stretching

  • client does not reveal password to server
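A sketch of client-side key-stretching, added here as an illustration; it is not code from these slides or from Mozilla. The round count, the namespace labels, the choice of PBKDF2 and HKDF, and the `Server` class are all assumptions made for the example.

```python
import hashlib
import hmac
import os

# Assumed parameters for illustration only; not Firefox Sync's real values.
PBKDF2_ROUNDS = 100_000
NAMESPACE = b"example.invalid/sync/v1/"  # hypothetical domain-separation prefix


def hkdf_sha256(ikm, info, length=32, salt=b""):
    """HKDF (RFC 5869) with SHA-256: extract, then expand."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def client_derive(email, password):
    """Runs on the client only. Returns (auth_token, wrap_key)."""
    salt = NAMESPACE + b"stretch:" + email.encode("utf-8")
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    # Two independent outputs: knowing one does not reveal the other.
    auth_token = hkdf_sha256(stretched, NAMESPACE + b"auth")  # sent to the server
    wrap_key = hkdf_sha256(stretched, NAMESPACE + b"wrap")    # never leaves the client
    return auth_token, wrap_key


class Server:
    """Hypothetical server: sees and stores only a salted hash of auth_token."""

    def __init__(self):
        self.accounts = {}

    def register(self, email, auth_token):
        salt = os.urandom(16)
        self.accounts[email] = (salt, hashlib.sha256(salt + auth_token).digest())

    def login(self, email, auth_token):
        if email not in self.accounts:
            return False
        salt, stored = self.accounts[email]
        candidate = hashlib.sha256(salt + auth_token).digest()
        return hmac.compare_digest(stored, candidate)
```

The server can check a login without ever receiving the password, and the key that would protect password-only data is derived on the client from the same stretched value under a different label.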

SRP

  • protects stretched password against eavesdroppers, MitM, and malicious server

Pushback

  • full spec looks pretty complex
  • SRP is underspecified: scary
  • implementing our own SRP (in JavaScript): scary
  • can't do server-side stretching with SRP verifier
  • slow clients, JS clients: performance worries
  • scrypt RAM usage vs small phones: OOM Killer

Scope Creep

  • new requirement: generalized accounts
  • auth-only, same password
  • don't care about encryption keys
  • login from arbitrary browsers

"onepw" design

"passive" attack

"active" attack

just auth

future directions

  • Reintroduce Pairing
  • 2FA

More Information



Thanks!
