204 comments

[ 3.7 ms ] story [ 249 ms ] thread
This uses HIBP for the underlying dataset. I'm not sure what's added though. Convenient UX? They claim to only send anonymized data out, but HIBP already supports the underlying hash range queries -- that doesn't appear to be new here.
The main thing added here is a brand and some advertising, but that's not insignificant. Haveibeenpwned is a good service but it looks a whole lot like http://ismycreditcardstolen.com/ on first glance. If the Mozilla brand gets it to more people, that's a win.
This also has anonymized email lookup (using the same model as passwords) that is new.
Mozilla has wasted a bunch of resources creating a pointless tool. Let me explain why!

Last year, they promised to create an add-on that triggered when you visited sites known to have been breached in the past, and let the user check if his password was included in the leaked data, via HIBP: https://www.bleepingcomputer.com/news/security/firefox-will-...

Now, they announced Firefox Monitor, which is nothing but a standalone website where you can check your email and see if it's been included in public breaches. This is the same functionality of the main HIBP website. If people want to check if their email was included in a breach, they'd just visit HIBP, not Firefox Monitor.

Why does this website exist in the first place? They took a good idea that used a proactive approach to alerting users of potentially leaked passwords and they've created a Firefox-branded HIBP clone website that very few people are gonna know about or even use.

Pointless use of resources, when they could have used them for something actually useless.

You're ignoring how most users need things in front of their face. Most users are not privacy or security "aware" in any manner. Putting it in the UI or actively promoting these services is beneficial to the common web user.

And if it fails, it's at least worth it to learn why it failed. Was the UI bad? Did it not promote the service in the right way? Did users not understand the purpose of the tool?

I think the juice is worth the squeeze.

And then everyone suffers through even more intrusions on their workflow because Johnny Newbie doesn't care
Where in the official announcement did they say they're putting Monitor in the official UI?

Firefox Monitor is just a page on the official Mozilla website.

Where in the official announcement did they say that?
>Visitors to the Firefox Monitor website

>The site will offer recommendations

Now, the screenshot doesn't have a URL in the address bar, suggesting it might be a built-in special page. But it also has a generic "Page title" in the tab title, so it looks like a modified stock image rather than an actual UI screenshot.

The screenshot on Troy Hunt's blog does show "https://www.mozilla.org/firefoxmonitor", but it's otherwise the same screenshot with the same generic "Page title", so it's probably equally fake.

(I tried to look for the actual bugzilla bug for this for more info, but didn't find anything.)

https://bugzilla.mozilla.org/show_bug.cgi?id=1463301 describes the study that is being run to determine the best design for incorporating Firefox Monitor into the browser UI.

(Disclosure: Although I work at Mozilla, I have not worked on Firefox Monitor)

1. Put it on the web first.

2. Get it working well with UI, UX, etc....

3. Then integrate it into the browser.

Seems like a totally logical flow to me.

But the browser is part of the UI/UX.

When Firefox warns you that you're (possibly) pwned when you browse to a website or try to log in, then you can't get around combining step 2 and 3.

Or when Firefox compares your password database with HIBP, you can't get around combining step 2 and 3.

The intentions are good, but yeah, it seems like an half-baked solution.

Why not integrate this tool directly into the browser UI? User goes to whatever website, input his login creds, Firefox reads the login email and sees if the email+url combo is in the HIBP database. If yes, a message will advise the user to change his password. End of story.

So, you conclude that it is a pointless tool because people can consult the HIPB website directly. Meanwhile, Troy Hunt, the creator of the HIPB website himself writes that this is a good idea.
Well, with respect, this is an undeniable win for Troy. I think that the parent comment was questioning how big a win it is for The Rest of Us.
I'm worried that this will just train people to start blindly clicking through "pwned password" modal dialogs for CVVs and OTP/SMS 2FA codes, just like they did for the "Do you want to view only the webpage content that was delivered securely?" dialog in MSIE.
(comment deleted)
The wide public is not so interested in secured content really imo, but they will rarely ignore warnings about their passwords. The password is like a pin for your debit card. You don't mind people seeing your card (unsecured content), but you will not share your pin code (password).
Next time you are in a checkout line, pay attention to how few people make any attempt to prevent shoulder surfing their PIN. POS devices have gotten better with shielded keypads, but there are still many machines that make it somewhat difficult to obscure your PIN. The average person gives very little thought to security, or at the very least gives little thought to possible threat models.
As many have commented, this isn't a new tool for technologists.

The goal of Firefox Monitor is to bring this functionality to non-technical users, which requires a lot of user experience research to inform without scaring people away from using the internet.

I think it will be a new tool for a lot a technologists too (ie myself)
I’m confident that this is a first step towards integrating it into Firefox itself.

1. Test Firefox Monitor on the web

2. Integrate it for all Firefox users

Mozilla PR/marketing team all over the web for the last few weeks...
Helps they have hundreds of employees to upvote the posts on HN too. I've been there :)
This would explain their brigading of topics on reddit.
And apparently the downvotes!
What's unexplained are the content-less, conspiracy-theoretic, complaining, BS comments like the string of comments above this one.
It does feels like it. Businesses recognised social PR ages ago, I bet HN is no exception.
Congratulations @troyhunt Your project's making a bigger difference around the world.
(comment deleted)
A much more honorable way to do this would have been to allow the search of a hash of your email rather than your actual email.
That's... exactly what they're doing?
Double-checking source code @ haveibeenpwned.com. I see no javascript that hashes your email address before submission.
Sure, but that's not what the linked article is discussing as the basis for integration with Firefox.
Well the email k-anonymity is new that he added for this integration and Troy addresses why he’s not yet using it on HIBP in the article.
Make sure to not do it automatically, but on user interaction (like new Safari password fills). Otherwise you leak usernames and tie them to browser sessions which can be fingerprinted.
(comment deleted)
I think this is addressed by the use of k-anonymity which is described in the section of the article titled “Enabling Anonymous Searches with k-Anonymity”.
Instead of actually fixing authentication they are baking "have this password been exposed in plaintext" into the browsers.

What's the deal with WebAuthN? Such a basic functionality still not completed.

I thought Firefox supported Web Authentication API since Version 60, as much as a standard that isn't finished yet can be supported?
"Fixing." Don't ask me how many sites are still only supporting Basic Auth, in 2018 - I frequent several. How is FF ("they") supposed to fix that?
I don't recall any popular website using Basic Auth. FF must implement WebAuthN or whatever was last offered to fix auth. Have i been pwned brings nothing new to the table.
Well, that's the problem with browsers though: they need to support a slightly broader range of sites than just the currently popular ones; long tail and whatnot.

Now, I am all for actually secure auth, and support in browsers is the necessary first step; for "fixing auth", someone then needs to implement the other side of the equation, too (I do remember when OpenId+HW 2FA was supposed to have fixed this, a few years back).

As for "nothing new" - for the people of HN, perhaps. For the casual user, this is something radically new.

>I do remember when OpenId+HW 2FA was supposed to have fixed this

HW 2fa can never fix auth because it's hardware, and cannot scale. There are solutions out there, all what's left is to raise awareness to add it. Showing popular passwords will just move us to a new set of popular passwords and so on.

Excellent need, more than enough reason to switch. Now bake 1Password into Firefox.
Not quite 1Password, but Mozilla is developing a cross-platform password manager, tentatively called "Lockbox", that will support Firefox, Android, iOS, and possibly a Chrome extension.

https://mozilla-lockbox.github.io/

I hope they add support for self-hosted backends. It'd be great to have a self-hosted password manager developed by a company with an amazing security team.
This would be really amazing.
Please for heavens sake don't! Isn't it enough to have a binary blob for DRM? I don't want to have another binary blob in my firefox. And especially one which takes all my passwords and sends it to some companies cloud. You can't know what happens with this data because all parts are propriatary. I can't trust a binary blob with all my passwords.
(comment deleted)
you guys are the hugest fucking idiots ive ever come across
DGDSFGSDFGDSFGDSFGDSFGDSFGDSFGDSFGKFHJGHH346246456425623451345345123451235134512345456425624562345
One feature I wish HIBP had was support for sub-domain addressing [1] and plus addressing [2].

My main email address has the format 'example@fastmail.fm' and receives alerts from HIBP if found in a data breach, but all of the related subdomain-based email addresses do not (e.g. netflix@example.fastmail.fm, google@example.fastmail.fm etc.)

Based on the 1Password screenshots in the linked article it would appear that specific support for sub-domain/plus addressing may not be required?

However, Firefox Monitor looks like it has the same limitations as the HIBP website/API and makes the alerts somewhat less useful when using sub-domain/plus addressing.

[1] https://www.fastmail.com/help/receive/addressing.html

[2] https://haveibeenpwned.uservoice.com/forums/275398-general/s...

More bloat, thanks Mozilla
So will this feature only be available in the web-version of 1password and not in the stand-alone version? :(
The latest versions of 1Password (I’m on 7) have great HIBP integration. Really pleased with it so far.
You had been pwned anyway.
Everything said that isn't politically correct is systematically downvoted here on «hacker» news. I am enjoying your very low knowledge and your smartphone attitude. LOL
You sure it's not you posting trite, basically irrelevant one-liners that's presenting a "smartphone attitude"?

Nothing is politically incorrect about your post, but it doesn't add to the discussion.

There is no discussion here, just marketing stuffs.
Wow. How did you guess?
By answers not politically correct systematically downvoted...!
Yeah. There is a flaw with voting stuff in HN, you have to keep yourself 'in party line' to get votes, or to keep yourself from being downed.
Leave the Firefox alone, please. Pocket, HIBP, 1Password, Cloudflare ... Not cool. 1Password has flawed sec rep [0], Cloudflare is pure MITM, stripping TLS between you and webserver, the rest just network and data leaks I haven't asked for.

For passwords best is KeepassXC, sync encrypted db via any file sharing.

[0] https://www.theregister.co.uk/2017/02/28/flaws_in_password_m...

What will happen when Have I Been Pwned gets Pwned?

Must be storing a lot of email addresses at this point.

It is storing leaks so the data on the site is allready public one way or another.
It also has emails of people who sign up to its 'alert me if this address is found in future leaks' service.
They are compromised anyway. They just will be compromised once more.
It reads like a press release. Praises for Troy, Troy praises 1Password and Cloudflare, great sell to naive Mozilla. Shareholders pat themselves on the backs. Champagne, sir?
And that's bad because? And Mozilla is "naive" because?

What's the angle? "Stick it to the Man", and stuff?

Security is hard. Adding 3rd party systems you don't control is not the way.
I use Firefox. Are you saying I'm now less safe? If I'm more safe but some other people don't like the solution then I guess they can configure or fork Firefox then we're all happy, right?
Arguably, if Firefox is devoting resources to this then it's not got resources to spend on other issues. That could in theory make it less secure.

HIBP and 1Password aren't making FF more secure, chances are they're increasing attack surface in both directions (ie making compromise of 1Password more likely too).

This is FUD.
Can you explain what's incorrect in my post?

(FWIW it's not a position I hold, I've not looked at the situation properly yet.)

Sure, I'll take it point by point.

> Arguably, if Firefox is devoting resources to this then it's not got resources to spend on other issues.

This is a logical fallacy. It's like saying - if we wouldn't spend money on the space program, we could feed Africa with that money. The problem here is that this is not a zero-sum game: the people that worked on this (e.g. Troy Hunt) wouldn't had the skills or inclination to bring other enhancements to Firefox. Thus this is a net addition, and not to the detriment of other work

> That could in theory make it less secure

So adding a feature that helps people be more secure against a specific threat (using bad passwords that have been broken) makes the product less secure? This makes no sense, but it's just put in there to spread Fear (FF is less secure because of added security features) and Doubt ("could in theory" ... meaning we don't know, but lets put this out there)

> HIBP and 1Password aren't making FF more secure,

I tend to evaluate a security in context of a threat model. HIBP and 1Password have very good track records of mitigating attacks on user passwords (by notifying people about password breaches and thus decreasing the value of a password breach, and by making easy for the average user to manage complex passwords). As a result, the Firefox users have better tools to manage password-based authentication, increasing their security.

> chances are they're increasing attack surface in both directions (ie making compromise of 1Password more likely too).

The evaluation of the "attack surface" here refers to the horizontal scale (how many actors of the same type see the interface) whereas the concept of reducing the "attack surface" refers to the vertical scale (how many types of communication the actors see). Reducing the horizontal scale is known as "security by obscurity" and it's a very bad idea to use it. A larger horizontal scale has no impact on the security, see ciphered communication: an encrypted message doesn't get less secure if more eyes see it, its security only depends on how well the encryption works.

Assuming that 1Password doesn't use "security by obscurity", increasing its footprint on the web will not decrease its security.

>Arguably, if Firefox is devoting resources to this then it's not got resources to spend on other issues. That could in theory make it less secure.

You stretched that argument to points that only Reed Richards could match...

The GP posited a stance, the parent refuted the _possibility_ of it, I was stating it was possible. Indeed, is it not a quite reasonable and logical possibility?

If the parent addressed the actuality of it, perhaps with some factual basis, ... (Like "when FF did X in past they still quashed Y bugs, introduced Z features" - I know number of bugs/whatever isn't the best metric, but something factual) ...

I wonder what the controlling minds of Firefox are trying to achieve as a long-term goal; they seem to take an opposite stance to the "do one thing well" philosophy.

True on both. On first point, obvious areas they should focus are strong sandboxing of tabs and cookie cleaning by default.

On second point, why bother with some 3rd party? I trust mozilla, not its 'partners'

How do you know they are not? This sounds like the old "why are you not focusing on my pet peeve feature" entitlement.
> 1Password aren't making FF more secure

Did I miss any announcement about 1Password becoming part of FF, or Mozilla helping in any way with development of 1Password?

My problem with haveibeenpwned is that when you haven't been pwned, you've just handed them your mail address.

Is there anything to alleviate those concerns other than "trust us, we're not saving emails from queries"?

I think a lot of people have my email address. You don't hear people worrying about spam so much these days (other than people who have the time and inclination to run their own mail servers). So it would seem to be a small price to pay to keep tabs on your passwords.
Well, if you don't trust them, obviously just don't use it.

If you do half-trust them, if they're reasonable, they don't store the email addresses. They don't need to, for a simple search.

> just don't use it

But the post is about integrating it into the browser, isn't it?

Which is exactly why the service won't query the plaintext, or even a complete hash.
But how do I keep not using it?
The same way I don't use Pocket or the Edit Controls in Firefox, or Pivot Tables in Excel.

You don't click them :)

Its all about defaults, what matters most, as it'll be used by majority of users. People will use whatever pops up or was put on taskbar.
Agreed. However, for the average user, I think the risk posed by this new Firefox feature is smaller than the risk they're exposing themselves through ignorance.
Disagree. Respectfully :) Today we have age of free data harvest, 'land grab' by majors. Shining combination of your email, IP and user-agent as a default browser behaviour is just another leak.
Again: no-email-exposed-never-not-even-encrypted-or-hashed. So just an IP address and user agent; if that is a leak, I would recommend disconnecting from the network altogether.
k-Anonymity. In other words, "I have hashed my e-mail address, here's the beginning part of the hash: 0deadbeef0, tell me if you have anything matching that." "Yup, I have something that hashes to 0deadbeef0123456789abcd, associated with these breaches, and something else that hashes to 0deadbeef0abc1056886516, associated with those breaches." Plaintext is not exposed, and you're not even exposing the whole hash, so GL to anyone trying to find out which if the hashes (if any) is yours, let alone what the plaintext was.

https://blog.mozilla.org/security/2018/06/25/scanning-breach...

What could possible go wrong?
Shooting the messenger, that's what. People tend to confuse "X might have your password" and "Y tells me 'something X something password', therefore Y hacked me".