Hi Ian,

On Thu, Mar 12, 2015 at 11:37 AM, Ian Zimmerman <[email protected]> wrote:

> This is not a development question.  Please forgive me if I trespass,
> but I believe I have been told to do this by [1].
>
> I have read that article and also [2], but there is still something
> bugging me about the new Sync.  My Firefox (actually Iceweasel, wink)
> asks for the Accounts credentials the first time I start Sync on each
> computer, but doesn't ask again after that - even after restart!  How is
> that possible?  Is the Accounts password stored in the clear on my
> computer when Sync is enabled?


Not quite.  When you connect, we maintain a long-lived access token and
your Sync keys.  The token is given to you in exchange for /proof/ of your
password and is opaque.  The Sync keys are derived from server material and
your password, but under standard cryptographic assumptions you cannot go
backwards from the keys to your password.


> That would be very bad (even if
> "convenient"), I really want to be asked for the password every time.
>

This is not what the vast majority of our users want.


> It seems I can get that behavior now only if I go to Manage Sync and
> click Disconnect before I close Firefox.
>

Pretty much.  Disconnect does much much more than just pause Sync, though
-- it will forget that you were Syncing and next time you connect you'll
upload and download /everything/.  It's terrible for your user experience.

> So, it seems as if I have the choice between:
>
> 1. Convenience and no security (password stored, no interaction either
> on start or on close)
>

No -- we store derivatives of your password.  If somebody takes either but
not both, they cannot access your Sync data.


> 2. Security and double inconvenience (password not stored, I have to
> both log in to Accounts when starting and tell Firefox to forget it when
> closing).
>

The security you ask for is very much not what the vast majority of our
users expect or want.  I doubt this will ever be supported.

Nick
_______________________________________________
Sync-dev mailing list
[email protected]
https://mail.mozilla.org/listinfo/sync-dev
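
A simplified model of the exchange described in the reply above: a proof of the password is traded for an opaque token, and the Sync key is built from server material plus a password derivative. This is an added example, not Mozilla's code and not the actual Firefox Accounts protocol; the `Server` class, function names, info labels and iteration count are all assumptions.

```python
import hashlib
import hmac
import secrets

def hkdf(key: bytes, info: bytes) -> bytes:
    """HKDF-SHA256 (RFC 5869), all-zero salt, one 32-byte output block."""
    prk = hmac.new(b"\x00" * 32, key, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()

def client_derive(email: str, password: str):
    # Slow salted stretch, then two independent one-way derivatives.
    # Iteration count and info labels are assumptions for this sketch.
    s = hashlib.pbkdf2_hmac("sha256", password.encode(), email.encode(), 100_000)
    return hkdf(s, b"example/authProof"), hkdf(s, b"example/unwrapKey")

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Server:
    """Hypothetical account server: never receives the password itself."""
    def __init__(self):
        self.accounts = {}   # email -> (hash of proof, random key material)
        self.tokens = {}     # opaque token -> email

    def register(self, email: str, proof: bytes) -> None:
        verifier = hashlib.sha256(proof).digest()
        self.accounts[email] = (verifier, secrets.token_bytes(32))

    def login(self, email: str, proof: bytes):
        verifier, material = self.accounts[email]
        if not hmac.compare_digest(verifier, hashlib.sha256(proof).digest()):
            raise PermissionError("proof of password rejected")
        token = secrets.token_hex(32)   # random, carries no password bits
        self.tokens[token] = email
        return token, material

def connect(server: Server, email: str, password: str) -> dict:
    """What a device keeps after the one-time password prompt."""
    proof, unwrap_key = client_derive(email, password)
    token, material = server.login(email, proof)
    # Sync key = server material combined with a password derivative.
    return {"token": token, "sync_key": xor(material, unwrap_key)}

if __name__ == "__main__":
    srv = Server()
    srv.register("user@example.test", client_derive("user@example.test", "hunter2")[0])
    state = connect(srv, "user@example.test", "hunter2")   # constructed sample input
    print(sorted(state), len(state["sync_key"]))
```

In this model the device's stored state contains only the random token and the derived key, never the password.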
