22 comments

[ 3.3 ms ] story [ 50.2 ms ] thread
someone else graduating from php kindergarten

congrats!

total aside but i went to set up Firefox sync for someone the other day and ended up ditching it all together.

in addition to a username/password for a sync account, you need to use an (unretrievable) sync key to add a browser. i understand the desire for security and privacy, but this is just horrible usability. i can get it all working obviously but there's no way this person (who is 80 years old) is going to be able to enter a key to set up the remote machines.

chrome's sync is much better. just use your gmail/google account credentials, and you're all set.

And have fun telling Google all about where you get your porn. Chrome's sync is not a reasonable option for anyone who cares about his privacy enough (which should be everybody on Hacker News).

you need to use an (unretrievable) sync key to add a browser

No you don't. You need a 12-character weak secret that shows up on one of the computers.

People don't care about privacy. I'll gladly tell Google about youporn.com in exchange for its great user experience.

Also, people who know or care about sync keys also know how to use private browsing.

People don't care about privacy.

I find this kind of thought process philosophically unsound. People might not care about privacy enough today -- that doesn't mean that software developers should follow them off the cliff. At some level, programmers have a moral imperative to guide users into doing things that are better for them. That includes ensuring privacy, even at the cost of a slightly more involved UX.

Also, people who know or care about sync keys also know how to use private browsing.

I don't use private browsing because I'm the only one who uses my devices, so I don't care about the contents of my history. I do care about Google knowing about it though, which is why I use Firefox.

You seem to be horribly mis-informed about Chrome's sync features. The data being synced is completely encrypted end-to-end, and you can provide a personal passphrase aside from your Google credentials as an added level of security if you'd like.
The data being synced is completely encrypted end-to-end, and you can provide a personal passphrase aside from your Google credentials as an added level of security if you'd like.

I'm having trouble parsing this comment -- part of any "end-to-end" encryption would be an additional passphrase not known or accessible to Google in any form. Obviously Google knows about your Google credentials, so merely the credentials are not sufficient to get "end-to-end" encryption.

Also last I checked the personal passphrase only encrypted passwords. I haven't used Chrome in a long while, so has that been extended to all your data yet?

If you think Google has access to your raw, plaintext credentials logged somewhere on their servers, I have a Nigerian banker to forward your way who'd love to give you a million dollars if you help him up-front with a little cash.
Nope, you're wrong. Google will always be in a situation where they can read your password. Otherwise authentication to the rest of their services would be impossible.
Again, it's sad if you think they're actually logging everyone's plaintext credentials. Which is besides the point, because in the latest versions the additional non-Google account passphrase extends to all the encrypted data it syncs.
I seriously doubt Google is dumb enough to store user passwords in plaintext. There is absolutely no reason to. Passwords get stored as non-reversible hashes.
>I seriously doubt Google is dumb enough to store user passwords in plaintext...

And who said they'd need to store anything? The only need access to them once in order to defeat any kind of local encryption scheme based on your Google account password.

If you think Google has access to your raw, plaintext credentials logged somewhere on their servers

I don't think that. Read my comment again, paying special attention to the phrase "in any form".

Exactly. For it to be any less secure, they'd have to be logging your plaintext credentials. And if you're that paranoid, there's the additional passphrase.
(comment deleted)
Firefox has the "private browsing" mode.
I use Xmarks to sync both Firefox and Chrome. Then I can keep my bookmarks in sync between browsers instead of having to have a different set for each browser.
Ugh, Python?! It's so bad...

Just joking, I'm not a troll. ;)

I just wonder where they go with Sync. Closely watching the Mozilla community I know there are (still? Has been a while) big plans, but think Firefox Sync really needs a broader audience, both users and developers. I also have the feeling this could somehow be connected with HTML5/HTTP(P2P) to create something really great. Just have to figure out what it is.

They can write it in VB for all I care as long as they make it stop completely screwing up and deleting my bookmarks.