Firefox Sync & SSL (or not?)

2

I was looking at these 2 tutorials on how to set up a sync service for Firefox:

http://alien.slackbook.org/blog/setting-up-your-own-mozilla-sync-server/

https://wiki.archlinux.org/index.php/Mozilla_Sync_Server

And noticed how both didn't go into details about putting it behind SSL. Is SSL maybe not necessary in this scenario because the data (bookmarks, passwords, etc.) is encrypted anyways? Or will this still expose the communication that takes place prior to the data-exchange, that is, my sync-server credentials?

(Sidenote, this is just for personal use, so no need to worry about handling a large load, etc.)

Dexter

Posted 2012-02-20T09:59:29.993

Reputation: 315

posted in wrong location, should be in superuser site... – Cold T – 2012-02-20T15:03:25.553

Answers

1

All data stored by Mozilla Sync is encrypted client-side, to guard against compromised servers and similar issues.

In older versions, Sync would prompt you for the encryption key (passphrase); nowadays a random key is generated when linking the first device, and can be retrieved via Sync → Manage Account → My Recovery Key.

When linking devices using the "Pair Device" functionality (by entering the three codes), the new device obtains the key directly from the old one using J-PAKE (see KeyExchange for details).

However, the credentials are transferred in plain text – Mozilla Sync appears to use HTTP Basic authentication, according to my tests.

user1686

Posted 2012-02-20T09:59:29.993

Reputation: 283 655
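The answer's point about HTTP Basic authentication, as an added example that is not part of the original post: Basic credentials are only base64-encoded, so without TLS they are readable in transit even though the synced data itself is encrypted client-side. The request below (host, path, user name and password) is constructed sample data, and the function names are hypothetical.

```python
import base64
import binascii

# Constructed sample: a plain-HTTP request as it appears on the wire.
# Host, path, user name and password are made up for this example.
SAMPLE_REQUEST = (
    "GET /sync/placeholder HTTP/1.1\r\n"
    "Host: sync.example.org\r\n"
    "Authorization: Basic "
    + base64.b64encode(b"dexter:s3cret:with:colons").decode()
    + "\r\n\r\n"
)


def parse_headers(raw_request):
    """Map lower-cased header names to values for a raw HTTP request."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def basic_credentials(raw_request):
    """Return (user, password) from an Authorization: Basic header, else None."""
    value = parse_headers(raw_request).get("authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Only the first colon separates user from password (RFC 7617).
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def audit(url_scheme, raw_request):
    """Describe how exposed the request's credentials are for a URL scheme."""
    creds = basic_credentials(raw_request)
    if creds is None:
        return "no Basic credentials in request"
    if url_scheme.lower() == "https":
        return "Basic credentials present, protected in transit by TLS"
    return "Basic credentials for user %r readable on the network path" % creds[0]
```

Running `audit("http", SAMPLE_REQUEST)` against a self-hosted server's configured URL scheme shows why the credentials need TLS regardless of the client-side encryption of bookmarks and passwords.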