On Wed, Apr 15, 2015 at 11:00 AM, Ian Zimmerman <[email protected]> wrote:
> On Wed, 15 Apr 2015 09:37:30 -0700,
> Nicholas Alexander <[email protected]> wrote:
>
> Nicholas> Hi Ian,
>
> Thanks for your reply, even if I had to wait a bit for it :)
>
> Ian> I have read that article and also [2], but there is still something
> Ian> bugging me about the new Sync. My Firefox (actually Iceweasel,
> Ian> wink) asks for the Accounts credentials the first time I start Sync
> Ian> on each computer, but doesn't ask again after that - even after
> Ian> restart! How is that possible? Is the Accounts password stored in
> Ian> the clear on my computer when Sync is enabled?
>
> Nicholas> Not quite. When you connect, we maintain a long-lived access
> Nicholas> token and your Sync keys. The token is given to you in
> Nicholas> exchange for /proof/ of your password and is opaque.
>
> I don't understand this part. What kind of proof, and does this happen
> only once (at setup time) or each time I connect?

This is explained in https://github.com/mozilla/fxa-auth-server/wiki/onepw-protocol and https://github.com/mozilla/fxa-auth-server/blob/master/docs/api.md. It's a pretty standard Trust-on-first-use approach where we create an account with a hash (PBKDF2, 1000 rounds) of your password, so the account server never sees the nakedtext of your password.

> Nicholas> No -- we store derivatives of your password. If somebody
> Nicholas> takes either but not both, they cannot access your Sync data.
>
> But doesn't the token grant access to the keys?

No. The token lets you talk to the server. The server stores encrypted data but you need the nakedtext of your password (which Mozilla never sees!) to decrypt it.

Nick
_______________________________________________
Sync-dev mailing list
[email protected]
https://mail.mozilla.org/listinfo/sync-dev
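The scheme Nick outlines (the client stretches the password with PBKDF2, proves a derivative of it to the server, and keeps a second derivative locally so that neither the access token nor the server's stored data alone unlocks the Sync keys) can be illustrated with a small model. The code below is an added example written for this thread, not code from fxa-auth-server; it keeps the 1000-round PBKDF2 stretch Nick mentions, but the salt strings, the HKDF labels `authPW`/`unwrapBKey`, the server-side re-hash, and the XOR key-wrapping are assumptions chosen to show the structure, so consult the linked onepw-protocol wiki for the real parameters.

```python
import hashlib
import hmac
import os
import secrets

# Constructed parameters for this illustration. The PBKDF2 round count (1000)
# is the figure quoted in the thread; the labels and salts are assumptions.
PBKDF2_ROUNDS = 1000


def hkdf_sha256(ikm, info, length=32):
    """Minimal HKDF-SHA256 (RFC 5869) with an empty salt: extract, then expand."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def client_derive(email, password):
    """Client side. Stretch the password once, then split the result into
    auth_pw (sent to the server as proof) and unwrap_key (never sent)."""
    stretched = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), ("quickStretch:" + email).encode(), PBKDF2_ROUNDS, 32)
    auth_pw = hkdf_sha256(stretched, b"authPW")
    unwrap_key = hkdf_sha256(stretched, b"unwrapBKey")
    return auth_pw, unwrap_key


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class AccountServer:
    """Stores only a salted verifier of auth_pw and the wrapped sync key."""

    def __init__(self):
        self.accounts = {}
        self.tokens = {}

    def create_account(self, email, auth_pw, wrapped_key):
        salt = os.urandom(16)
        # Re-hash the client's proof so a database leak does not even yield auth_pw.
        verifier = hashlib.pbkdf2_hmac("sha256", auth_pw, salt, PBKDF2_ROUNDS, 32)
        self.accounts[email] = {"salt": salt, "verifier": verifier, "wrapped_key": wrapped_key}

    def login(self, email, auth_pw):
        """Verify the proof; on success hand back an opaque, long-lived token."""
        acct = self.accounts.get(email)
        if acct is None:
            return None
        candidate = hashlib.pbkdf2_hmac("sha256", auth_pw, acct["salt"], PBKDF2_ROUNDS, 32)
        if not hmac.compare_digest(candidate, acct["verifier"]):
            return None
        token = secrets.token_bytes(32)
        self.tokens[token] = email
        return token

    def fetch_wrapped_key(self, token):
        """A token only lets you talk to the server: it returns the wrapped key, not the key."""
        email = self.tokens.get(token)
        return None if email is None else self.accounts[email]["wrapped_key"]


def enroll(server, email, password):
    """First-time setup: derive keys, wrap a fresh random sync key, create the account."""
    auth_pw, unwrap_key = client_derive(email, password)
    sync_key = os.urandom(32)
    server.create_account(email, auth_pw, xor_bytes(sync_key, unwrap_key))
    return sync_key


def connect(server, email, password):
    """Later connection: prove the password, get a token, recover the sync key locally."""
    auth_pw, unwrap_key = client_derive(email, password)
    token = server.login(email, auth_pw)
    if token is None:
        return None, None
    sync_key = xor_bytes(server.fetch_wrapped_key(token), unwrap_key)
    return token, sync_key


def server_holds(server, email, secret):
    """True if the given bytes appear verbatim in what the server stores for the account."""
    return secret in server.accounts[email].values()


if __name__ == "__main__":
    srv = AccountServer()
    key = enroll(srv, "user@example.com", "correct horse")  # constructed sample account
    token, recovered = connect(srv, "user@example.com", "correct horse")
    print("token issued:", token is not None, "| sync key recovered:", recovered == key)
```

The two properties worth checking against this model are the ones Nick states: a stolen token yields only the wrapped key (useless without `unwrap_key`, which is re-derived from the password on the client and never transmitted), and a leaked server database yields neither the password, `auth_pw`, nor the sync key. The client-side stretch is deterministic, which is what lets a fresh browser recreate the same `unwrap_key` from the password alone.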

