28

I looked at different password managers, to swap my user-generated, more or less predictable passwords for automatically generated, secure passwords. I stumbled upon KeePass and KeeFox (for Firefox integration), which seems to be a good and trusted combination.

However, this led to one question: Why shouldn't I trust the built-in password manager and synchronization feature? I already trust Firefox for everything I do and they could steal my passwords anyway, even if I wouldn't store them in the password manager. Is there anything which speaks against this (as long as I generate safe, random passwords for every page and encrypt the password database with a secure password)?

Also, a second question popped up: How trustworthy is Firefox anyway? On their privacy information page, they state the following:

> When do we share your information with others?
> ...
> When the law requires it. We follow the law whenever we receive requests about you from a government or related to a lawsuit.
> ...

So it would be possible that they share everything they know about me with (American) governmental organizations. Are there even alternative browsers which wouldn't do this?

Peter Mortensen
Christian
  • 5
    Just to be clear, you are talking about the Sync feature of Firefox? Or merely the offline password storage when using a master password? – Luc Feb 04 '16 at 15:31
  • 9
    All of the browsers would have to abide by whichever government they reside in. If a warrant is issued for data with respect to a user then they are legally obligated to comply. – RoraΖ Feb 04 '16 at 15:36
  • Is that where the browser instance resides? Where the organization developing the product resides? Where the data resides? – symcbean Feb 04 '16 at 15:47
  • 5
    I think you should change the title to "How trustworthy is Firefox sync". The question just now is too broad. – paj28 Feb 04 '16 at 17:30
  • 2
    This question sounds like two questions to me: **1)** Can I trust Firefox Sync? **2)** Can I trust the Firefox password manager vs. a third-party one – raphael Feb 04 '16 at 19:28
  • Why do you have any more reason to trust Microsoft with all your information (OS/root level access to everything you do on the computer, in addition to possibly video/audio recording of your actions) than you do with Mozilla? Or for that matter your computer manufacturer who can infect your firmware? The fact is, you don't. – n00b Feb 04 '16 at 19:41
  • More trustworthy than Chrome. – user253751 Feb 04 '16 at 23:07

7 Answers

24

I agree with RobM.

> So it would be possible that they share everything they know about me with (American) governmental organizations.

Yes, very possible.

> Are there even alternative browsers which wouldn't do this?

The Onion Router. There may be others. Even Firefox will work this way if you use local syncing, and disable malware and phishing protection. Personally, I would not disable those.


Can you trust Firefox?

I don't think this is a Firefox issue. This is a government issue. For example, you can read about telecommunications data retention in various countries. The Electronic Frontier Foundation has a good write-up about the Stored Communications Act.

You should note that synchronization usually means your data is stored online. I am aware that local syncing is possible. However, because of the wording, they are likely storing your data online ("in the cloud"), and are required to hand it over to the proper authorities if compelled.

Let me reiterate: If, as a company, you're storing information online about users/customers, then in many cases you can be required to hand it over when compelled by law enforcement. If you are not storing information, you don't have to hand over what you don't have.

Firefox is storing information if you allow it. This is a very convenient feature which has the added effect of being held to government data regulations. If you ask me, Firefox is very trustworthy. However, do you trust the government of your country?


Even simple Metadata can be used to quickly identify you

Because of metadata, whether this is encrypted or not may be irrelevant. They may be able to decrypt your cloud-stored data. Even then, it may not matter due to certain laws in certain countries. Wait, what?

For example: user connected to X server at Y time may be all they really need. As an example, you could be in China and end up visiting a website associated with Falun Gong. For Firefox to operate in China, they would be compelled to cooperate with Chinese law.

They may store your metadata details, such as the IP address you connected to before checking if it was a malicious website or not, even if you're behind a VPN at the time, your previous profile was associated with other IP addresses.

This is just a rough example of how metadata can work, and is not necessarily relevant to you. It's my hope that this would explain how powerful metadata is so you can apply it to other situations.


Firefox's Built-In Phishing / Malware Protection

Let's see what Mozilla has to say. How does built-in Phishing and Malware Protection work?:

"Firefox will request a double-check to ensure that the reported site has not been removed from the list since your last update. This request does not include the address of the visited site, it only contains partial information derived from the address."

This partial information / metadata = exposed as a rebel sympathizer. The Death Star is on its way.

If you don't like that idea, then don't sync online, and don't use the built-in phishing and malware protection. Personally, I don't like the concept of syncing in many situations. However, I will use the built-in phishing and malware protection as it helps minimize the amount of work I have to do while surfing the web, and it protects me!

Mozilla is up-front about what they are doing. They are not lying to you.


So why does Firefox cooperate with the government?

They have to. And why wouldn't they? In many cases, there are very good reasons to do so, for example, to track down criminals. Obeying the law is a cornerstone requirement to doing business in any country. If you don't like a country's laws, you have the choice to leave, and not do business there. Try to break those laws, and see how long you last.

Unfortunately, there are also cases where countries do not offer fair trials, and would quickly imprison, or even execute anyone caught engaging in banned activities, such as religious organizations like the Falun Gong. Again, if a company doesn't like the laws of a country, they may leave.

Raising awareness and fighting against corruption is one thing, and beyond the scope of this answer, but you can't expect to do any kind of business in any country, unless you obey their laws. And that's why Firefox provides this disclaimer. They are telling you the truth, even though they can hide it from you.

If you ask me, Firefox is very trustworthy. I don't know what your government is up to, or if Firefox has a presence in your country, though.

Mark Buffalo
  • There are choices other than don't sync, such as local syncing. Also, it's highly relevant if the data can be decrypted or not. If it can't be, then what's the risk? – Adam Shostack Feb 04 '16 at 16:08
  • @AdamShostack I'm talking about meta data, connections, etc. User connected to `X` server at `Y` time, etc. I should've clarified that. Give me a second. – Mark Buffalo Feb 04 '16 at 16:09
  • Thanks, that's more clear. I think there's two threats here: identifying Christian, and logging in as him. I think he's currently concerned with the latter (which doesn't mean he shouldn't be concerned about both, but we don't know from the Q). – Adam Shostack Feb 04 '16 at 16:22
  • @AdamShostack Agreed, identifying him would be very easy through the use of metadata. However, he's worried about his data being stored online, so logically, I would presume this would be part of his worry. – Mark Buffalo Feb 04 '16 at 16:32
  • @AdamShostack I hope my edited post now reflects all the skipping of A, B, and C that I did in the original. Sometimes I make the mistake of assuming that something I'm aware of is common knowledge. Thanks for the correction. – Mark Buffalo Feb 04 '16 at 16:44
  • If I'm reading their explanation correctly, it doesn't appear that using the phishing and malware protection has any privacy implications for you. It doesn't check with Mozilla's servers for every site you visit, asking "is this site safe?", which would indeed have *massive* privacy implications. Instead, it downloads a blacklist from Mozilla and checks every site you visit against your local copy of the blacklist. – Mason Wheeler Feb 04 '16 at 18:38
  • @MasonWheeler The issue is metadata. You can put 2 and 2 together to get 4. For example: `User A` connects to `Site A`, downloads blacklist. `User A` also connects to `Site B` around the same time (before requesting blacklist), Mozilla doesn't know about this... but your ISP does. Metadata makes it much easier to show you were involved in visiting that site about `Falun Gong` at `X` time, especially when at `X` time, your profile was tied to that IP address. There are very many uses for metadata, almost all of them aiding in forensics. – Mark Buffalo Feb 04 '16 at 18:46
  • @MarkBuffalo I'm still not seeing the connection. As it's explained there, downloading the blacklist is an automated task that's not connected to any of the sites you visit in any way. You could visit 100 completely harmless sites and it would still download the blacklist; it appears to be an act with no forensic relevance. – Mason Wheeler Feb 04 '16 at 18:58
  • @MasonWheeler I'm trying to think of a way to explain this better. Metadata can help create associations. If your IP address is associated with a downloaded blacklist check, and with visiting another website, within a very specific timeframe, then this metadata can help create a list of likely associations, especially if that is tied to your sync'd account/id. For some, a likely association is all they need. And in many cases, there is nearly irrefutable evidence linking two things together. Metadata is very powerful. – Mark Buffalo Feb 04 '16 at 19:07
  • @MarkBuffalo What is this "IP address associated with a downloaded blacklist check" that you're talking about? *The checking is local;* there is no IP activity to associate anything with. – Mason Wheeler Feb 04 '16 at 19:14
  • @MasonWheeler [How does built-in Phishing and Malware Protection work?](https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-protection-work): *"Firefox will request a double-check to ensure that the reported site has not been removed from the list since your last update. This request does not include the address of the visited site, it only contains partial information derived from the address."* This is irrelevant; partial information / metadata = exposed as a rebel sympathizer. – Mark Buffalo Feb 04 '16 at 19:16
  • 1
    @MarkBuffalo Ah, OK, I missed that part. Now your explanation makes sense. – Mason Wheeler Feb 04 '16 at 19:18
  • @MasonWheeler I added this little tidbit to the post. I should've included it anyway... good discussion! – Mark Buffalo Feb 04 '16 at 19:21
  • When you say "TOR." towards the top of the answer, are you referring to The Onion Router? – Panzercrisis Feb 04 '16 at 19:46
  • 1
    @Panzercrisis Yeah. – Mark Buffalo Feb 04 '16 at 19:48
  • You do *not* need surveillance to stop "criminals". Policing doesn't stop crime, ***meeting human need does.*** – Tachytaenius Aug 13 '21 at 11:23
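
The "double-check" quoted from Mozilla's support page in the answer and comments above, as an added example that is not part of the original posts or Mozilla's code. It assumes a hash-prefix list scheme; the 4-byte prefix length, the simplified URL expressions, the sample hosts and all names are assumptions made for illustration.

```python
import hashlib

PREFIX_LEN = 4  # bytes of each SHA-256 digest kept in the local list (assumed)

def expressions(host, path):
    """Simplified host-suffix x path-prefix expressions checked for one URL."""
    labels = host.split(".")
    hosts = [".".join(labels[i:]) for i in range(len(labels) - 1)]
    parts = [p for p in path.split("/") if p]
    paths = ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]
    return [h + p for h in hosts for p in paths]

def digest(expr):
    return hashlib.sha256(expr.encode()).digest()

class ListServer:
    """Stand-in for the list provider; records every request it receives."""
    def __init__(self, listed):
        self.full = {digest(e) for e in listed}
        self.seen = []  # all the provider can log besides source IP and time

    def lookup(self, prefix):
        self.seen.append(prefix.hex())
        return {d for d in self.full if d.startswith(prefix)}

def check(host, path, local_prefixes, server):
    """Return 'blocked' or 'ok'. Only a local prefix hit causes a request."""
    for expr in expressions(host, path):
        d = digest(expr)
        if d[:PREFIX_LEN] not in local_prefixes:
            continue  # decided locally, nothing leaves the machine
        if d in server.lookup(d[:PREFIX_LEN]):  # the "double-check"
            return "blocked"
    return "ok"

def demo():
    # Constructed data: the local copy is stale and still lists removed.example/
    local = {digest(e)[:PREFIX_LEN] for e in ("bad.example/", "removed.example/")}
    server = ListServer(listed=["bad.example/"])
    visits = [("news.example", "/world"), ("bad.example", "/login"),
              ("removed.example", "/")]
    verdicts = [check(h, p, local, server) for h, p in visits]
    return verdicts, server.seen

if __name__ == "__main__":
    print(demo())
```

The unlisted site produces no request at all, while both local hits (the listed site and the stale entry) each send one 4-byte prefix, which the provider sees alongside the client's IP address and the time of the request.
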
11

How trustworthy? Good enough for most purposes, and better than using the same password everywhere.

Your data is encrypted

Your Firefox Sync data is encrypted, and the encryption key remains on devices you control. Mozilla's servers only see the encrypted data and do not have access to the key. If they were hacked or served a government order, it is only the encrypted data that is at risk. Your private data would remain secure - at least, as long as you've used a strong password.

Backdoors would be noticed

As you point out, you are already running Firefox on your computer. It can access all your files, hardware like cameras and microphones, monitor all your web traffic. It would be technically possible for it to be trojaned, and quietly send your browsing history to the NSA, or your camera feed to a cyber criminal. However, if some hacker or malicious insider attempted to backdoor the product, because of the massive user base, it would be noticed quickly. And I understand that most governments cannot legally issue an order for Firefox to backdoor their browser.

The main risk is malware

The greatest threat to your data is having malware on your computer. This could come from vulnerabilities in any of the browsers you use (including Firefox), from plugins, email clients, office software - anything that connects to the network, or processes files from untrusted sources. The risk of malware is very high; one study reports 30% of computers in the US are infected with malware.

paj28
  • +1 for describing the Zero-Knowledge architecture of the Sync feature. – raphael Feb 04 '16 at 19:30
  • that study with 30% malware seems to not consider certain problems with proprietary operating systems, since, at a closer look, to say that Microsoft Windows itself does not have malware aspects is *blurry*. Looking at Intel ME/AMT one might even say that those computers are built as malware. – humanityANDpeace Feb 04 '16 at 20:46
  • 1
    "And I understand that most governments cannot legally issue an order for Firefox to backdoor their browser." Unfortunately, this is absolutely false. NSA has backdoors in all major computer hardware today, and they absolutely do ask for it, then subsequently place a gag-order on them so they cannot reveal it. Software companies are no exception. The saving grace of Firefox is that it is open source as you allude to in your answer above. ;) – Midwire Feb 04 '16 at 22:46
  • 2
    Plus: You can run your own Sync server: https://docs.services.mozilla.com/howtos/run-sync-1.5.html#howto-run-sync15 and https://github.com/mozilla-services/syncserver – aularon Feb 04 '17 at 16:55
  • @Midwire - Just noticed this old comment. If you have any links for further reading on your claims (Snowden leaks?) please send them across. In particular, it would be helpful to know more about the nature of the backdoors that are known. – paj28 Feb 05 '17 at 10:38
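
The arrangement described in the answer above (the server can authenticate you and store your data without ever holding the encryption key), as an added example that is not part of the original post and is not Mozilla's protocol or code. The key labels, iteration counts, sample account and class names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

def hkdf(key, info, length=32):
    """HKDF-SHA256 (RFC 5869) with the default all-zero salt."""
    prk = hmac.new(b"\x00" * 32, key, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def client_derive(email, password, iterations=100_000):
    """Runs on the device only. Returns (auth_token, enc_key)."""
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), email.encode(), iterations, 32)
    # Hypothetical labels: distinct info strings give independent keys.
    # enc_key would key an AEAD cipher on the device and is never transmitted.
    return hkdf(stretched, b"example/auth"), hkdf(stretched, b"example/encrypt")

class SyncServer:
    """Stand-in server: stores a salted hash of the auth token, never enc_key."""
    def __init__(self):
        self.accounts = {}

    @staticmethod
    def _hash(token, salt):
        return hashlib.pbkdf2_hmac("sha256", token, salt, 10_000, 32)

    def register(self, email, auth_token):
        salt = secrets.token_bytes(16)
        self.accounts[email] = (salt, self._hash(auth_token, salt))

    def login(self, email, auth_token):
        salt, stored = self.accounts[email]
        return hmac.compare_digest(stored, self._hash(auth_token, salt))

def demo():
    email = "user@example.test"  # constructed sample account
    server = SyncServer()
    auth, enc_key = client_derive(email, "correct horse battery staple")
    server.register(email, auth)
    wrong_auth, wrong_key = client_derive(email, "password1")
    stored = b"".join(server.accounts[email])
    return {
        "login_ok": server.login(email, auth),
        "login_wrong_password": server.login(email, wrong_auth),
        "enc_key_reaches_server": enc_key == auth or enc_key in stored,
        "wrong_password_same_key": wrong_key == enc_key,
    }

if __name__ == "__main__":
    print(demo())
```

Anyone who obtains the server's records can still test password guesses against the stored token hash offline, which is why the protection holds only as long as the password is strong.
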
8

To me, trustworthiness doesn't necessarily require a claim that an organisation will never disclose your details. Rather it means that any claims made should be honest.

As a business, Firefox can be compelled by the governments of any countries it operates in to conform with their laws. An organisation that acknowledges this and clearly explains their position to you is far more trustworthy than one that obscures facts like this or information about how it internally stores and processes your data.

Any organisation that claimed to operate "outside the law" with regards to following legal requirements over information disclosure to a government would also be outside any protection that governments placed on businesses in how those businesses processed your data... Assuming you believed their "outside the law" claim in the first place.

Rob Moir
1

The reason you might not want to trust Firefox is that you can get the usability and security benefits of using a password manager without trusting Firefox (or any cloud provider).

As RobM points out, there is a risk that Firefox can be compelled to turn over the data you send to them. There's also a risk that someone will break into their servers. Firefox has made efforts to secure that data. There are other password tools that integrate with Firefox which can be used in local sync mode. For example, 1Password will let you keep the data on devices you control, or select another cloud provider who you might trust more.

Adam Shostack
1

To answer your first question: the main reason you might not want to use the built-in password manager for Firefox, or any given browser, is more to do with potential accessibility than security. By using KeePass with the appropriate browser add-in to gain access to that KeePass, you may use a single KeePass vault to store all your passwords and gain access to them in a large number of applications. So in this case, it's more about potential added functionality than the browser not being up to date on appropriate security measures. I personally have needs that require me to use 3 browsers, all for different purposes.

Now for the more important second question. This is a difficult question with a large number of difficult implications that make it very difficult to bring it down to the potential effect on the individual user. However, what I would recommend for gaining some understanding of this issue is reading Transparency Reports for different browsers. For example, the Google Chrome transparency report can be found here: https://www.google.com/transparencyreport/userdatarequests/legalprocess/

I'll just briefly summarize a little about what these reports typically contain. These reports typically contain more specific explanation of how the company responds to a request, numbers on how many requests are made per country, and the percentage of requests that returned some data. Also, given recent events they also have sections specifically addressing US issues.

Tikiman163
  • What I generally do is store non-vital passwords in Firefox and then use an external password manager for all the really important ones. – JAB Feb 04 '16 at 17:45
1

Why not save the password in the browser:

Because it makes it easier for attackers. If the site has an XSS or similar vulnerability they can steal your password.

You install a bad plugin/... it can steal your password directly. The same is true if a legitimate plugin has a security hole used by an attacker. Getting it from a different process is much more effort or even impossible without administrator rights.

For your second question:

This would basically be the same as storing your KeePass database on a trusted online storage which can be accessed by US government and related. I think this question is already answered enough here and in other questions: https://security.stackexchange.com/search?q=keepass+cloud

H. Idden
1

You shouldn't trust the Firefox password manager because the master password is damn inconvenient to use. I've tried it, and after some days, seeing the annoying modal master password box each time Firefox crashed or was restarted just became painful. I guarantee you that any normal user would quickly disable it, and you can do nothing to prevent them.

Also, the master password DOESN'T expire no matter how long Firefox is open. If somebody steals your laptop while it is hibernated/sleeping (as mine does while in the bag), they can display all your passwords.

On Android Firefox, the master password box is doubly painful, as I could never grasp the idea when my Firefox exits and when it stays in the background.

Just about any plugin password manager is more secure and usable at the same time.

kubanczyk