Nicholas Alexander wrote on 12.10.2015 23:49:
> Right now, a connected device does not store the user's password. It
> does store things acquired with the user's password, like access
> tokens and encryption keys. This is a good story for security: a
> compromised device cannot do everything the user can do, because
> certain actions require knowledge of the password. For example:
> changing the password, or deleting the account entirely.
>
> To allow the user to smoothly transition to N>=1 new devices, we need
> to store something that gives access to all services but without the
> power of the password.

I would never allow third parties to store credentials for third party
services. You don't know what these services are, it may be much more
sensitive than holiday photos. Certain things should stay only local,
and encryption keys and access tokens certainly are among those.
These backup services are nothing but a backdoor.