This uses HIBP for the underlying dataset. I'm not sure what's added though. Convenient UX? They claim to only send anonymized data out, but HIBP already supports the underlying hash range queries -- that doesn't appear to be new here.
I suspect it'll warn you if any of the accounts you've saved in Firefox (username/password) have been compromised. 1Password already does this¹ but this is likely the Firefox implementation of it.
The main thing added here is a brand and some advertising, but that's not insignificant. Haveibeenpwned is a good service but it looks a whole lot like http://ismycreditcardstolen.com/ on first glance. If the Mozilla brand gets it to more people, that's a win.
Mozilla has wasted a bunch of resources creating a pointless tool. Let me explain why!
Last year, they promised to create an add-on that triggered when you visited sites known to have been breached in the past, and let the user check if his password was included in the leaked data, via HIBP: https://www.bleepingcomputer.com/news/security/firefox-will-...
Now, they announced Firefox Monitor, which is nothing but a standalone website where you can check your email and see if it's been included in public breaches. This is the same functionality of the main HIBP website. If people want to check if their email was included in a breach, they'd just visit HIBP, not Firefox Monitor.
Why does this website exist in the first place? They took a good idea that used a proactive approach to alerting users of potentially leaked passwords and they've created a Firefox-branded HIBP clone website that very few people are gonna know about or even use.
Pointless use of resources, when they could have used them for something actually useless.
>> ...that very few people are gonna know about or even use
"This is major because Firefox has an install base of hundreds of millions of people which significantly expands the audience that can be reached once this feature rolls out to the mainstream."
You're ignoring how most users need things in front of their face. Most users are not privacy or security "aware" in any manner. Putting it in the UI or actively promoting these services is beneficial to the common web user.
And if it fails, it's at least worth it to learn why it failed. Was the UI bad? Did it not promote the service in the right way? Did users not understand the purpose of the tool?
Now, the screenshot doesn't have a URL in the address bar, suggesting it might be a built-in special page. But it also has a generic "Page title" in the tab title, so it looks like a modified stock image rather than an actual UI screenshot.
The screenshot on Troy Hunt's blog does show "https://www.mozilla.org/firefoxmonitor", but it's otherwise the same screenshot with the same generic "Page title", so it's probably equally fake.
(I tried to look for the actual bugzilla bug for this for more info, but didn't find anything.)
The intentions are good, but yeah, it seems like an half-baked solution.
Why not integrate this tool directly into the browser UI? User goes to whatever website, input his login creds, Firefox reads the login email and sees if the email+url combo is in the HIBP database. If yes, a message will advise the user to change his password. End of story.
So, you conclude that it is a pointless tool because people can consult the HIPB website directly. Meanwhile, Troy Hunt, the creator of the HIPB website himself writes that this is a good idea.
I'm worried that this will just train people to start blindly clicking through "pwned password" modal dialogs for CVVs and OTP/SMS 2FA codes, just like they did for the "Do you want to view only the webpage content that was delivered securely?" dialog in MSIE.
The wide public is not so interested in secured content really imo, but they will rarely ignore warnings about their passwords. The password is like a pin for your debit card. You don't mind people seeing your card (unsecured content), but you will not share your pin code (password).
Next time you are in a checkout line, pay attention to how few people make any attempt to prevent shoulder surfing their PIN. POS devices have gotten better with shielded keypads, but there are still many machines that make it somewhat difficult to obscure your PIN. The average person gives very little thought to security, or at the very least gives little thought to possible threat models.
As many have commented, this isn't a new tool for technologists.
The goal of Firefox Monitor is to bring this functionality to non-technical users, which requires a lot of user experience research to inform without scaring people away from using the internet.
Make sure to not do it automatically, but on user interaction (like new Safari password fills). Otherwise you leak usernames and tie them to browser sessions which can be fingerprinted.
I think this is addressed by the use of k-anonymity which is described in the section of the article titled “Enabling Anonymous Searches with k-Anonymity”.
I don't recall any popular website using Basic Auth. FF must implement WebAuthN or whatever was last offered to fix auth. Have i been pwned brings nothing new to the table.
Well, that's the problem with browsers though: they need to support a slightly broader range of sites than just the currently popular ones; long tail and whatnot.
Now, I am all for actually secure auth, and support in browsers is the necessary first step; for "fixing auth", someone then needs to implement the other side of the equation, too (I do remember when OpenId+HW 2FA was supposed to have fixed this, a few years back).
As for "nothing new" - for the people of HN, perhaps. For the casual user, this is something radically new.
>I do remember when OpenId+HW 2FA was supposed to have fixed this
HW 2fa can never fix auth because it's hardware, and cannot scale. There are solutions out there, all what's left is to raise awareness to add it. Showing popular passwords will just move us to a new set of popular passwords and so on.
Not quite 1Password, but Mozilla is developing a cross-platform password manager, tentatively called "Lockbox", that will support Firefox, Android, iOS, and possibly a Chrome extension.
I hope they add support for self-hosted backends. It'd be great to have a self-hosted password manager developed by a company with an amazing security team.
Please for heavens sake don't! Isn't it enough to have a binary blob for DRM? I don't want to have another binary blob in my firefox. And especially one which takes all my passwords and sends it to some companies cloud. You can't know what happens with this data because all parts are propriatary. I can't trust a binary blob with all my passwords.
One feature I wish HIBP had was support for sub-domain addressing [1] and plus addressing [2].
My main email address has the format 'example@fastmail.fm' and receives alerts from HIBP if found in a data breach, but all of the related subdomain-based email addresses do not (e.g. netflix@example.fastmail.fm, google@example.fastmail.fm etc.)
Based on the 1Password screenshots in the linked article it would appear that specific support for sub-domain/plus addressing may not be required?
However, Firefox Monitor looks like it has the same limitations as the HIBP website/API and makes the alerts somewhat less useful when using sub-domain/plus addressing.
Everything said that isn't politically correct is systematically downvoted here on «hacker» news. I am enjoying your very low knowledge and your smartphone attitude. LOL
Leave the Firefox alone, please. Pocket, HIBP, 1Password, Cloudflare ... Not cool. 1Password has flawed sec rep [0], Cloudflare is pure MITM, stripping TLS between you and webserver, the rest just network and data leaks I haven't asked for.
For passwords best is KeepassXC, sync encrypted db via any file sharing.
It reads like a press release. Praises for Troy, Troy praises 1Password and Cloudflare, great sell to naive Mozilla. Shareholders pat themselves on the backs. Champagne, sir?
I use Firefox. Are you saying I'm now less safe? If I'm more safe but some other people don't like the solution then I guess they can configure or fork Firefox then we're all happy, right?
Arguably, if Firefox is devoting resources to this then it's not got resources to spend on other issues. That could in theory make it less secure.
HIBP and 1Password aren't making FF more secure, chances are they're increasing attack surface in both directions (ie making compromise of 1Password more likely too).
> Arguably, if Firefox is devoting resources to this then it's not got resources to spend on other issues.
This is a logical fallacy. It's like saying - if we wouldn't spend money on the space program, we could feed Africa with that money. The problem here is that this is not a zero-sum game: the people that worked on this (e.g. Troy Hunt) wouldn't had the skills or inclination to bring other enhancements to Firefox. Thus this is a net addition, and not to the detriment of other work
> That could in theory make it less secure
So adding a feature that helps people be more secure against a specific threat (using bad passwords that have been broken) makes the product less secure? This makes no sense, but it's just put in there to spread Fear (FF is less secure because of added security features) and Doubt ("could in theory" ... meaning we don't know, but lets put this out there)
> HIBP and 1Password aren't making FF more secure,
I tend to evaluate a security in context of a threat model. HIBP and 1Password have very good track records of mitigating attacks on user passwords (by notifying people about password breaches and thus decreasing the value of a password breach, and by making easy for the average user to manage complex passwords). As a result, the Firefox users have better tools to manage password-based authentication, increasing their security.
> chances are they're increasing attack surface in both directions (ie making compromise of 1Password more likely too).
The evaluation of the "attack surface" here refers to the horizontal scale (how many actors of the same type see the interface) whereas the concept of reducing the "attack surface" refers to the vertical scale (how many types of communication the actors see). Reducing the horizontal scale is known as "security by obscurity" and it's a very bad idea to use it. A larger horizontal scale has no impact on the security, see ciphered communication: an encrypted message doesn't get less secure if more eyes see it, its security only depends on how well the encryption works.
Assuming that 1Password doesn't use "security by obscurity", increasing its footprint on the web will not decrease its security.
The GP posited a stance, the parent refuted the _possibility_ of it, I was stating it was possible. Indeed, is it not a quite reasonable and logical possibility?
If the parent addressed the actuality of it, perhaps with some factual basis, ... (Like "when FF did X in past they still quashed Y bugs, introduced Z features" - I know number of bugs/whatever isn't the best metric, but something factual) ...
I wonder what the controlling minds of Firefox are trying to achieve as a long-term goal; they seem to take an opposite stance to the "do one thing well" philosophy.
I think a lot of people have my email address. You don't hear people worrying about spam so much these days (other than people who have the time and inclination to run their own mail servers). So it would seem to be a small price to pay to keep tabs on your passwords.
Agreed. However, for the average user, I think the risk posed by this new Firefox feature is smaller than the risk they're exposing themselves through ignorance.
Disagree. Respectfully :) Today we have age of free data harvest, 'land grab' by majors. Shining combination of your email, IP and user-agent as a default browser behaviour is just another leak.
Again: no-email-exposed-never-not-even-encrypted-or-hashed. So just an IP address and user agent; if that is a leak, I would recommend disconnecting from the network altogether.
k-Anonymity. In other words, "I have hashed my e-mail address, here's the beginning part of the hash: 0deadbeef0, tell me if you have anything matching that." "Yup, I have something that hashes to 0deadbeef0123456789abcd, associated with these breaches, and something else that hashes to 0deadbeef0abc1056886516, associated with those breaches." Plaintext is not exposed, and you're not even exposing the whole hash, so GL to anyone trying to find out which if the hashes (if any) is yours, let alone what the plaintext was.
Shooting the messenger, that's what. People tend to confuse "X might have your password" and "Y tells me 'something X something password', therefore Y hacked me".
204 comments
[ 3.7 ms ] story [ 249 ms ] thread"We're Baking Have I Been Pwned into Firefox and 1Password"
https://www.troyhunt.com/were-baking-have-i-been-pwned-into-...
¹ - https://blog.agilebits.com/2018/02/22/finding-pwned-password...
Last year, they promised to create an add-on that triggered when you visited sites known to have been breached in the past, and let the user check if his password was included in the leaked data, via HIBP: https://www.bleepingcomputer.com/news/security/firefox-will-...
Now, they announced Firefox Monitor, which is nothing but a standalone website where you can check your email and see if it's been included in public breaches. This is the same functionality of the main HIBP website. If people want to check if their email was included in a breach, they'd just visit HIBP, not Firefox Monitor.
Why does this website exist in the first place? They took a good idea that used a proactive approach to alerting users of potentially leaked passwords and they've created a Firefox-branded HIBP clone website that very few people are gonna know about or even use.
Pointless use of resources, when they could have used them for something actually useless.
"This is major because Firefox has an install base of hundreds of millions of people which significantly expands the audience that can be reached once this feature rolls out to the mainstream."
https://www.troyhunt.com/were-baking-have-i-been-pwned-into-...
And if it fails, it's at least worth it to learn why it failed. Was the UI bad? Did it not promote the service in the right way? Did users not understand the purpose of the tool?
I think the juice is worth the squeeze.
Firefox Monitor is just a page on the official Mozilla website.
>The site will offer recommendations
Now, the screenshot doesn't have a URL in the address bar, suggesting it might be a built-in special page. But it also has a generic "Page title" in the tab title, so it looks like a modified stock image rather than an actual UI screenshot.
The screenshot on Troy Hunt's blog does show "https://www.mozilla.org/firefoxmonitor", but it's otherwise the same screenshot with the same generic "Page title", so it's probably equally fake.
(I tried to look for the actual bugzilla bug for this for more info, but didn't find anything.)
(Disclosure: Although I work at Mozilla, I have not worked on Firefox Monitor)
2. Get it working well with UI, UX, etc....
3. Then integrate it into the browser.
Seems like a totally logical flow to me.
When Firefox warns you that you're (possibly) pwned when you browse to a website or try to log in, then you can't get around combining step 2 and 3.
Or when Firefox compares your password database with HIBP, you can't get around combining step 2 and 3.
Why not integrate this tool directly into the browser UI? User goes to whatever website, input his login creds, Firefox reads the login email and sees if the email+url combo is in the HIBP database. If yes, a message will advise the user to change his password. End of story.
The goal of Firefox Monitor is to bring this functionality to non-technical users, which requires a lot of user experience research to inform without scaring people away from using the internet.
1. Test Firefox Monitor on the web
2. Integrate it for all Firefox users
What's the deal with WebAuthN? Such a basic functionality still not completed.
“Perfect is the enemy of good” [1].
[1] https://en.m.wikipedia.org/wiki/Perfect_is_the_enemy_of_good
Now, I am all for actually secure auth, and support in browsers is the necessary first step; for "fixing auth", someone then needs to implement the other side of the equation, too (I do remember when OpenId+HW 2FA was supposed to have fixed this, a few years back).
As for "nothing new" - for the people of HN, perhaps. For the casual user, this is something radically new.
HW 2fa can never fix auth because it's hardware, and cannot scale. There are solutions out there, all what's left is to raise awareness to add it. Showing popular passwords will just move us to a new set of popular passwords and so on.
https://mozilla-lockbox.github.io/
My main email address has the format 'example@fastmail.fm' and receives alerts from HIBP if found in a data breach, but all of the related subdomain-based email addresses do not (e.g. netflix@example.fastmail.fm, google@example.fastmail.fm etc.)
Based on the 1Password screenshots in the linked article it would appear that specific support for sub-domain/plus addressing may not be required?
However, Firefox Monitor looks like it has the same limitations as the HIBP website/API and makes the alerts somewhat less useful when using sub-domain/plus addressing.
[1] https://www.fastmail.com/help/receive/addressing.html
[2] https://haveibeenpwned.uservoice.com/forums/275398-general/s...
See here: https://haveibeenpwned.com/DomainSearch
Nothing is politically incorrect about your post, but it doesn't add to the discussion.
For passwords best is KeepassXC, sync encrypted db via any file sharing.
[0] https://www.theregister.co.uk/2017/02/28/flaws_in_password_m...
Must be storing a lot of email addresses at this point.
What's the angle? "Stick it to the Man", and stuff?
HIBP and 1Password aren't making FF more secure, chances are they're increasing attack surface in both directions (ie making compromise of 1Password more likely too).
(FWIW it's not a position I hold, I've not looked at the situation properly yet.)
> Arguably, if Firefox is devoting resources to this then it's not got resources to spend on other issues.
This is a logical fallacy. It's like saying - if we wouldn't spend money on the space program, we could feed Africa with that money. The problem here is that this is not a zero-sum game: the people that worked on this (e.g. Troy Hunt) wouldn't had the skills or inclination to bring other enhancements to Firefox. Thus this is a net addition, and not to the detriment of other work
> That could in theory make it less secure
So adding a feature that helps people be more secure against a specific threat (using bad passwords that have been broken) makes the product less secure? This makes no sense, but it's just put in there to spread Fear (FF is less secure because of added security features) and Doubt ("could in theory" ... meaning we don't know, but lets put this out there)
> HIBP and 1Password aren't making FF more secure,
I tend to evaluate a security in context of a threat model. HIBP and 1Password have very good track records of mitigating attacks on user passwords (by notifying people about password breaches and thus decreasing the value of a password breach, and by making easy for the average user to manage complex passwords). As a result, the Firefox users have better tools to manage password-based authentication, increasing their security.
> chances are they're increasing attack surface in both directions (ie making compromise of 1Password more likely too).
The evaluation of the "attack surface" here refers to the horizontal scale (how many actors of the same type see the interface) whereas the concept of reducing the "attack surface" refers to the vertical scale (how many types of communication the actors see). Reducing the horizontal scale is known as "security by obscurity" and it's a very bad idea to use it. A larger horizontal scale has no impact on the security, see ciphered communication: an encrypted message doesn't get less secure if more eyes see it, its security only depends on how well the encryption works.
Assuming that 1Password doesn't use "security by obscurity", increasing its footprint on the web will not decrease its security.
You stretched that argument to points that only Reed Richards could match...
If the parent addressed the actuality of it, perhaps with some factual basis, ... (Like "when FF did X in past they still quashed Y bugs, introduced Z features" - I know number of bugs/whatever isn't the best metric, but something factual) ...
I wonder what the controlling minds of Firefox are trying to achieve as a long-term goal; they seem to take an opposite stance to the "do one thing well" philosophy.
On second point, why bother with some 3rd party? I trust mozilla, not its 'partners'
Did I miss any announcement about 1Password becoming part of FF, or Mozilla helping in any way with development of 1Password?
Is there anything to alleviate those concerns other than "trust us, we're not saving emails from queries"?
If you do half-trust them, if they're reasonable, they don't store the email addresses. They don't need to, for a simple search.
But the post is about integrating it into the browser, isn't it?
You don't click them :)
https://blog.mozilla.org/security/2018/06/25/scanning-breach...
Going public with this would probably be a good time to update the website.