[tor-bugs] #16778 [Tor Browser]: "Set Up Sync..." still appears in TBB 5.0 Tools menu and Prefs

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Sep 2 18:59:31 UTC 2015


#16778: "Set Up Sync..." still appears in TBB 5.0 Tools menu and Prefs
-----------------------------+---------------------------------------------
     Reporter:  teor         |      Owner:  mcs
         Type:  defect       |     Status:  needs_information
     Priority:  normal       |  Milestone:
    Component:  Tor Browser  |    Version:
   Resolution:               |   Keywords:  tbb-usability, TorBrowserTeam201509R
Actual Points:               |  Parent ID:
       Points:               |
-----------------------------+---------------------------------------------

Comment (by mcs):

 Replying to [comment:12 mikeperry]:
 > After reading that, the final question in my mind is "How is the user's
 password actually handled when authenticating to Firefox Accounts either
 for Sync or for other stuff?"
 >
 > If the user password is just posted to the Firefox account server over
 HTTPS in some auth flow, I'm back to not feeling very comfortable about
 this, because then Mozilla is regularly being given the info they need to
 decrypt sync data upon every Firefox Accounts login. If, OTOH, Accounts
 auth is being done over some JS-based or browser-builtin HMAC/challenge-
 response protocol where the actual password is never actually sent to the
 server for any type of login (or account creation), then it's probably OK.

 It is hard to tell for sure, but Kathy and I do not think the actual
 account password is sent to the Mozilla servers.
 about:accounts?action=signin loads an iframe from
 https://accounts.firefox.com/signin?service=sync&context=fx_desktop_v1,
 which handles authentication.  We could spend more time trying to reverse
 engineer minimized JS, but it looks like PBKDF2 is used to avoid sending
 the password over the network.  But one of the items returned to the
 client is something called a key fetch token, which -- if I had to bet --
 is the piece of data that is used later to retrieve the sync key.  And if
 Mozilla stores the sync key on their server, can't they decrypt my sync
 data any time they want to?  Or maybe something more than the sync key is
 needed in order to do that?

 Should we just ask the right person at Mozilla about this?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16778#comment:14>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
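The design question raised in the comment above (stretch the password client-side with PBKDF2, send only a derived value to the server, and hand back a "key fetch token" that yields a *wrapped* key rather than the sync key itself) is sketched below as an added, self-contained illustration. It is not code from Tor Browser or Mozilla, and it does not claim to reproduce the actual Firefox Accounts protocol, whose details this ticket does not establish; the names `authPW`, `unwrapBKey`, `wrapKb`, `kB`, the `example/...` HKDF labels, the iteration counts and the toy `AccountServer` are all assumptions chosen for the demonstration. The point it shows is that a server holding only a hash of `authPW` plus `wrapKb` cannot recover `kB`, because the unwrap secret is derived from the password and never leaves the client.

```python
import hashlib
import hmac
import os
import secrets


def hkdf_sha256(ikm, info, length=32):
    """RFC 5869 HKDF with SHA-256 and an all-zero salt (extract, then expand)."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def client_secrets(email, password):
    """Client-side only: PBKDF2-stretch the password, then split the result into two
    unrelated secrets with HKDF. authPW is what gets sent to the server; unwrapBKey
    is never sent anywhere. (Labels and iteration count are illustrative assumptions.)"""
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    b"example-quickStretch:" + email.encode("utf-8"),
                                    1000, 32)
    return (hkdf_sha256(stretched, b"example/authPW"),
            hkdf_sha256(stretched, b"example/unwrapBKey"))


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class AccountServer:
    """Toy in-memory server (assumption, not Mozilla's implementation). It receives authPW,
    not the password; it stores a salted hash of authPW and the wrapped key wrapKb.
    It never sees kB or unwrapBKey."""

    def __init__(self):
        self.accounts = {}
        self.key_fetch_tokens = {}

    def _verify_hash(self, auth_pw, salt):
        # Re-hash the client-derived authPW so a database leak does not expose it directly.
        return hashlib.pbkdf2_hmac("sha256", auth_pw, salt, 10000, 32)

    def create(self, email, auth_pw, wrap_kb):
        salt = os.urandom(16)
        self.accounts[email] = {"salt": salt,
                                "verify": self._verify_hash(auth_pw, salt),
                                "wrapKb": wrap_kb}

    def login(self, email, auth_pw):
        """Return a single-use keyFetchToken on success, None on failure."""
        acct = self.accounts.get(email)
        if acct is None or not hmac.compare_digest(
                acct["verify"], self._verify_hash(auth_pw, acct["salt"])):
            return None
        token = secrets.token_bytes(32)
        self.key_fetch_tokens[token] = email
        return token

    def fetch_keys(self, token):
        """Redeem the keyFetchToken once. What comes back is wrapKb, still not kB."""
        email = self.key_fetch_tokens.pop(token, None)
        return None if email is None else self.accounts[email]["wrapKb"]


def client_create_account(server, email, password):
    """Generate the sync key kB on the client and upload only its wrapped form."""
    auth_pw, unwrap_bkey = client_secrets(email, password)
    kb = os.urandom(32)
    server.create(email, auth_pw, xor_bytes(kb, unwrap_bkey))
    return kb


def client_recover_kb(server, email, password):
    """Sign in from a fresh device and reconstruct kB; None if the password is wrong."""
    auth_pw, unwrap_bkey = client_secrets(email, password)
    token = server.login(email, auth_pw)
    if token is None:
        return None
    return xor_bytes(server.fetch_keys(token), unwrap_bkey)


def server_side_view(server, email):
    """Everything the operator holds for this account: no password, no kB, no unwrapBKey."""
    return dict(server.accounts[email])


if __name__ == "__main__":
    srv = AccountServer()
    kb = client_create_account(srv, "alice@example.org", "correct horse")
    assert client_recover_kb(srv, "alice@example.org", "correct horse") == kb
    print("server stores:", {k: v.hex() for k, v in server_side_view(srv, "alice@example.org").items()})
```

The caveat a practitioner would raise with this pattern: it only protects the password and `kB` from an honest-but-curious operator of the account server. If the stretching code is JavaScript served by that same operator, as in the `accounts.firefox.com` iframe mentioned above, the operator could serve a modified script that exfiltrates the password, so the "never sent to the server" property ultimately rests on trusting the served code, not on the protocol alone.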