total aside but i went to set up Firefox sync for someone the other day and ended up ditching it all together.
in addition to a username/password for a sync account, you need to use an (unretrievable) sync key to add a browser. i understand the desire for security and privacy, but this is just horrible usability. i can get it all working obviously but there's no way this person (who is 80 years old) is going to be able to enter a key to set up the remote machines.
chrome's sync is much better. just use your gmail/google account credentials, and you're all set.
And have fun telling Google all about where you get your porn. Chrome's sync is not a reasonable option for anyone who cares about his privacy enough (which should be everybody on Hacker News).
you need to use an (unretrievable) sync key to add a browser
No you don't. You need a 12-character weak secret that shows up on one of the computers.
I find this kind of thought process philosophically unsound. People might not care about privacy enough today -- that doesn't mean that software developers should follow them off the cliff. At some level, programmers have a moral imperative to guide users into doing things that are better for them. That includes ensuring privacy, even at the cost of a slightly more involved UX.
Also, people who know or care about sync keys also know how to use private browsing.
I don't use private browsing because I'm the only one who uses my devices, so I don't care about the contents of my history. I do care about Google knowing about it though, which is why I use Firefox.
You seem to be horribly mis-informed about Chrome's sync features. The data being synced is completely encrypted end-to-end, and you can provide a personal passphrase aside from your Google credentials as an added level of security if you'd like.
The data being synced is completely encrypted end-to-end, and you can provide a personal passphrase aside from your Google credentials as an added level of security if you'd like.
I'm having trouble parsing this comment -- part of any "end-to-end" encryption would be an additional passphrase not known or accessible to Google in any form. Obviously Google knows about your Google credentials, so merely the credentials are not sufficient to get "end-to-end" encryption.
Also last I checked the personal passphrase only encrypted passwords. I haven't used Chrome in a long while, so has that been extended to all your data yet?
If you think Google has access to your raw, plaintext credentials logged somewhere on their servers, I have a Nigerian banker to forward your way who'd love to give you a million dollars if you help him up-front with a little cash.
Nope, you're wrong. Google will always be in a situation where they can read your password. Otherwise authentication to the rest of their services would be impossible.
Again, it's sad if you think they're actually logging everyone's plaintext credentials. Which is besides the point, because in the latest versions the additional non-Google account passphrase extends to all the encrypted data it syncs.
I seriously doubt Google is dumb enough to store user passwords in plaintext. There is absolutely no reason to. Passwords get stored as non-reversible hashes.
>I seriously doubt Google is dumb enough to store user passwords in plaintext...
And who said they'd need to store anything? The only need access to them once in order to defeat any kind of local encryption scheme based on your Google account password.
Exactly. For it to be any less secure, they'd have to be logging your plaintext credentials. And if you're that paranoid, there's the additional passphrase.
I use Xmarks to sync both Firefox and Chrome. Then I can keep my bookmarks in sync between browsers instead of having to have a different set for each browser.
I just wonder where they go with Sync. Closely watching the Mozilla community I know there are (still? Has been a while) big plans, but think Firefox Sync really needs a broader audience, both users and developers. I also have the feeling this could somehow be connected with HTML5/HTTP(P2P) to create something really great. Just have to figure out what it is.
22 comments
[ 3.3 ms ] story [ 50.2 ms ] thread[1] http://tarekziade.wordpress.com/2011/07/12/firefox-sync-pyth...
congrats!
in addition to a username/password for a sync account, you need to use an (unretrievable) sync key to add a browser. i understand the desire for security and privacy, but this is just horrible usability. i can get it all working obviously but there's no way this person (who is 80 years old) is going to be able to enter a key to set up the remote machines.
chrome's sync is much better. just use your gmail/google account credentials, and you're all set.
you need to use an (unretrievable) sync key to add a browser
No you don't. You need a 12-character weak secret that shows up on one of the computers.
Also, people who know or care about sync keys also know how to use private browsing.
I find this kind of thought process philosophically unsound. People might not care about privacy enough today -- that doesn't mean that software developers should follow them off the cliff. At some level, programmers have a moral imperative to guide users into doing things that are better for them. That includes ensuring privacy, even at the cost of a slightly more involved UX.
Also, people who know or care about sync keys also know how to use private browsing.
I don't use private browsing because I'm the only one who uses my devices, so I don't care about the contents of my history. I do care about Google knowing about it though, which is why I use Firefox.
I'm having trouble parsing this comment -- part of any "end-to-end" encryption would be an additional passphrase not known or accessible to Google in any form. Obviously Google knows about your Google credentials, so merely the credentials are not sufficient to get "end-to-end" encryption.
Also last I checked the personal passphrase only encrypted passwords. I haven't used Chrome in a long while, so has that been extended to all your data yet?
And who said they'd need to store anything? The only need access to them once in order to defeat any kind of local encryption scheme based on your Google account password.
I don't think that. Read my comment again, paying special attention to the phrase "in any form".
Just joking, I'm not a troll. ;)
I just wonder where they go with Sync. Closely watching the Mozilla community I know there are (still? Has been a while) big plans, but think Firefox Sync really needs a broader audience, both users and developers. I also have the feeling this could somehow be connected with HTML5/HTTP(P2P) to create something really great. Just have to figure out what it is.