62 comments

[ 3.0 ms ] story [ 132 ms ] thread
Getting a 404 on the linux dl link for FF Auror, required to test this new feature:

http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/lates...

Same with all the English (US) versions in fact. Other languages appear to work.

(comment deleted)
I have to dig this up (sorry Brian, your talk was awesome and visually easy to get involved; kudos to identity team)

http://people.mozilla.org/~bwarner/warner-rwc2014/#/

Thanks! Glad you liked it! I plan to do a proper brown-bag Air-Mozilla presentation of it soon, so we'll have a video recording available online (and not just the slides).

FYI, I showed three different designs in that presentation, to compare/contrast 1: original J-PAKE, 2: intermediate not-used SRP thing, 3: final non-SRP "onepw" design. More than one audience member was left confused about which one we're using for Sync. Tell your friends: we're deploying the last one, nicknamed "onepw", from page 20 of that slide deck:

http://people.mozilla.org/~bwarner/warner-rwc2014/#/20

cheers, -Brian (member of Mozilla FxA/Sync team)

I'm really disappointed this doesn't authenticate against Persona. Supporting Persona in Firefox seems to be pretty slow coming, and this seems like a big blow against having that smoothly integrating it.
yeah was wondering about that. very strange, should know better from Google, etc. about the value of the universal login.

I wanna love Mozilla (even bought a Firefox OS phone!) but this is pretty low-level.

It actually uses Persona inside, and it's an email-as-ID as well.

Also, this is a new occurrence of scrypt used in the wild.

That's not quite accurate; Firefox Accounts uses the BrowserID Protocol, of which Persona is an implementation. That is to say, it authenticates using BrowserID assertions, but does not directly tie in to Persona accounts. Yet.

https://developer.mozilla.org/Persona/Glossary

You mean it doesn't use Mozilla's bridge? Presumably, if you have your own IdP, it will use it, since it uses BrowserID.
Persona is an awesome way to verify email address ownership, but that's only part of what Sync and the Firefox Marketplace need. For instance, Sync needs a user-memorable password for client-side encryption, and Marketplace needs the ability to force users to re-authenticate before a purchase, which is only feasible in a centralized system. Then there are COPPA concerns: We don't want to build an age gate into Persona, but we need one on Sync and Marketplace. Firefox Accounts lets us do that once, up front, and be on our merry way.

Nevertheless, I'm hopeful that we'll integrate Persona into the Firefox Accounts workflow, but that's still only part of the problem that Firefox Accounts is trying to solve. :)

(Why wasn't it there at first? We were still working out protocol / data format details, and sticking with a known username/password system reduced the number of variables while reinventing Sync.)

You do understand how it seems that this is just cannibalizing Persona and Persona will end up with none of the browser support it needs to fulfill its vision?
Sure, but isn't that the point? I mean, did that stop any of the other gatekeeper models?
Would seem to make sense to take a step back and look at what Persona and Accounts can/should be good at. Persona could/should be an awesome single sign on service that doesn't leak personal data all over the place and provides good security. Unfortunately it seems doomed to failure because the operating model chosen relies on competitive services to adopt it. In other words why would Google become an IdP for Persona when it competes with Google Sign On?

Firefox Accounts, in addition to Persona, could actually move the needle. If Mozilla would drop the idea that email providers should be IdP and instead step into the role themselves (like they kinda are with Accounts) this could all work.

More simply put why not do Persona as an SSO solution independent of email providers (Mozilla or a partner is the single IdP). Optionally attach data to that identity (several technical ways to do this) to hold more data such as that envisioned by Firefox Accounts (email, TOS acceptance, ...).

Love it. I abandoned the old sync. Figuring out how to set it up was more difficult than trying to learn Julia.

Only thing I didn't love was the icon, but its beta so hey.

Link to Aurora nightly:

ftp://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-mozilla-aurora/

How is Options>Sync>Pair a Device and follow the directions difficult?

I mean, it was definitely too many steps, and it wasn't labelled clearly enough which device was the master and which was the slave, but those are more like "users won't bother to find it" troubles, rather than it actually being difficult if you want to turn it on.

Please see the presentation. It gives you some clue why the old sync wasn't user friendly (you probably can guess already).

https://news.ycombinator.com/item?id=7200425

Basically, many assumed it was a backup program. Recovery was painful. There was multiple iterations of enhancement before they decided to roll out Fx Account, it was clear that users didn't like the original Sync.

Fx Account is more than Sync. This is like having a Google account and allows you to connect to Mozilla services like Marketplace and all instances of Firefox a user owns.

Oh yeah, I totally agree the old sync wasn't friendly - but that's something totally different. It wasn't intuitive, and it was surprising in that it really was just a sync, not a backup. Nevertheless, it was still pretty easy to enable if you actually wanted to.

Easy can still be frustrating (as in why all these steps and which machine is which, and why do I even need to look up how to do this?), and it can still be user unfriendly (as in not allowing recovery).

The steps to turn on sync for devices where you don't have access to both at the same time are a bit mangled since you're required to use the recovery key.

I'm hoping with this it will turn into something close to Chrome's sync

Well, minus the need to to have the decrypted/decryptable passwords in the hands of the service provider. I'm not too happy with the way chrome deals with that, it just means that the impact of any hack is going to be much larger than necessary.
Personally, I would really hate to have to setup and manage yet another account just to pair a sync a desktop and phone browsers.
Will I be able to use a Firefox Account in Google chrome ?
Will it still work with the self hosted sync server? Or will there be a self hosted one for Firefox Accounts?

And I hope they will implement it on Firefox OS very soon, otherwise the whole syncing is not really that interesting.

I expect those of us that host their own Sync server will have to deploy this[0] one instead. This is the general idea I got reading [1].

[0]: https://github.com/mozilla/fxa-auth-server

[1]: https://blog.mozilla.org/services/2014/02/07/a-better-firefo...

That.. looks quite a convoluted setup for 'simple' private hosting. Plus, the instructions seem quite sparse.

Is that something Mozilla is officially endorsing or something that might perhaps work, good luck with that?

New Sync has been development for about a quarter. Right now all effort on the Sync project is to get the basic workflows finished and testing the various Sync clients (Fx Desktop/Fx Android).

The team is looking to have a more understandable self deployment strategy by the time this ships in Firefox release ~12 weeks. This is not a promise though. Engineering work is tricky to estimate.

Self-hosting is on its way!
That was a lot of text to say:

"Today, we’re introducing Firefox Accounts as a safe and easy way for you to create an account. With Firefox Account can integrate services, like Firefox Sync.

Firefox Sync enables syncing of passwords, bookmarks, history, and open tabs across devices, now even easier to setup the service and add multiple devices"

This is a nice idea in theory, but after all the NSA revelations, we should all be very weary of cloud based data storage. Mozilla is based in the US, so what is stopping the NSA issuing them demands to hand over the user accounts? Browser data is just too detailed and sensitive, I would rather run Firefox portable off a flash drive and carry it with me.
> Last year, we created a new team at Mozilla to explore one specific area of the Web that’s grown with the explosion of mobile devices — the cloud (sometimes called Internet servers).

Hey Mozilla, you are too honest about the cloud thing. :)

Truth.
Yeah, after reading this I can imagine myself translating "we have a cloud" to "WE GOT SERVERS LOL" and the like...
I think they were trying to avoid bitter criticism from an army of neckbeard comic guys.
How is this any better or different than one of the other cloud providers? I read nothing about self-hosting this, nothing about end-to-end encryption, nothing about Persona.

I understand Mozilla is in a tight place with no access to iOS, little market share in mobile in general and the new walled gardens erected by Google, Apple, FB and soon Microsoft. But simply playing copy cat and catchup does not cut it.

Click on "same browser-based encryption". It's a link to an earlier blog post where they explain the encryption methods used in Firefox Sync. It mentions end-to-end encryption, too.
As Mozilla is a US-based organization, is anyone afraid of the NSA/USG commandeering Mozilla to setup pen-register/password-interception a la Lavabit?

Only a couple of months ago comments like mine would have been passed off as tin-foil conspiracy. Now, I think everyone's sense of normal is now tightly wrapped in tin-foil, encased in lead.

Opposite to Lavabit, Mozilla can't decrypt your data, so I can't see this happening, unless they change the open source client code without anyone noticing.
Finally! Doh, I need to install Aurora by now
How long till this is integrated with the main sponsor's unloved child, G+?

I've got more pressing matters than yet another account with personal information and data kept in the US ...

Mozilla is an independent non-profit organization. Yes, they do get a lot of revenue from Google - but they do not control Mozilla.
Mozilla has been sponsored by Google since long ago, but they always thought about people first. In fact, if you don't trust them you can run your own sync server in whatever country you like.
I hope Firefox will implement multiple accounts within the browser, similar to Chrome multiple accounts. If it is backed by Persona, then I will be able to have web sessions based on email accounts from different providers.
I have no problem with Mozilla doing this so long as its not pushed down my throat. I have no desire to use a cloud service.
While they can, of course, do whatever they want, I am disappointed by the development of unnecessary peripheral functionality such as this.

I think that the resources put toward this endeavor could have been better spent on improving the performance of Firefox, or perhaps reducing its memory usage, or even fixing the numerous bugs that affect it. Firefox isn't as bad as it once was with respect to those things, but there's still much room for improvement.

Functionality that's useful to a comparatively small number of users should be prioritized well behind core functionality that affects basically all Firefox users.

Of course those are priorities. That's why it says right at the top that one team has been working on this. It's not like all developers need to be doing the same thing all the time.
Engineers aren't just resources to be allocated. Quality isn't a zero-sum game. If a manager said "all of you should only be working on performance", it would be a waste of a lot of people's time who aren't performance engineers.
> I am disappointed by the development of unnecessary peripheral functionality such as this.

users expect their browser preferences, history, bookmarks, and passwords to be synced across devices. for a significant chunk of ff users, this is in no sense "unnecessary peripheral functionality"

Does anyone know if there will be a standalone client library for this API? I build an iOS browser that works with the old sync api and building a client on my own is probably a bad idea
The storage API is very similar -- a few record extensions, a few headers changed. The auth layer is completely new, and there's no iOS client library for it, nor any plans for one that I know of.
Do you think it would be possible to re-use the sync-code from firefox directly? The library wouldn't have to be iOS specific.
Mozilla is a trusted organization

Trust is such a poor and overloaded word. What is Mozilla "trusted" to do? That's a very difficult question to answer.

Perhaps thinking in terms of expectations would be better: My expectation is that Mozilla will produce a decent browser, with occasional bumps and steps backwards in response to some flavour du jour, most notably in the area of wouldn't it be cools that break usability. Not to mention the mobile browser considering my tablet and phone to be the "same type of device", when my tablet is much closer to my computer - and it's the computer's UX I want everywhere, not the phone's.

My expectation is that Mozilla will produce a half-decent email client that I have no real reason to use.

My expectation is that in doing these things Mozilla software will mostly stay out of my way, mostly work as I expect (sync the function works pretty much as expected, sync the UX is awful - I still need all manner of extension and app to get the "move easily from one device to another" experience I really want).

My expectation is that Mozilla will occasionally cook up something new, e.g., Persona, that I really don't see a need for, and that Mozilla will be unable to articulate why that new thing is needed, cool, or anything else.

If Mozilla disappeared tomorrow, I would be quite upset, because FF sucks far less than every other browser - maybe that's because I am so used to it, that I've made it work for me, but moving to anything else would be painful. My expectation is that they will continue to deliver excellent B+ software that is adequate to my needs and wants.

But why on earth would I expect that I could trust Mozilla with anything more than my sync information?

I trust Mozilla about as much as I trust my bank, as much as I trust Google, and, to be fair, more than I trust facebook. But again, trust is the wrong word: I expect Google to mine my information, make the occasional misstep, but to by and large attempt to keep my information safe and secure, because if they don't, it ain't just mine they release, it's millions of ours, and they cannot afford that.

I expect my bank to mess up UX occasionally, but to do security reasonably well, and to not share my personal overmuch, because of the regulatory framework in Canada: They just cannot mess this up without serious consequence.

I expect facebook to mine, share, intrude, mess around, and generally do stupid things. I am never disappointed.

What should I expect of Mozilla Accounts?

Nothing. Nothing at all, because "Accounts" is so not what I think of when I think "Mozilla". I hear "Mozilla" I think "FireFox", I think half-decent browser, better than others, adequate email client, neither better nor worse, I think confusing cross-device UX...

...but do I think trust?

Nope.

And the "occasional bump in response to something shiny" mentioned above means I never will - at least not without major public rebranding.

If I am going to trust you, you need to convince me you are rock-steady reliable, and never prone to blowing with the wind.

Mozilla is the most trusted Internet company, and you can see the methodology here http://www.ponemon.org/local/upload/file/2012%20MTC%20Report... I trust Mozilla to keep my data safe, not mine it or sell it for profit. I trust Mozilla to give me control over my data. I trust Mozilla to publish an open API to access my data from other programs. Those are important things when I'm considering a cloud storage provider.
Disclaimer: my opinion is entirely MY OWN OPINION and does not reflect Mozilla's opinion or anyone I have worked with in the past. I also acknowledge my lack of deep understanding/insight of any sort but just a tiny bit of what I think I know, so feel free to correct me.

I agree with many of your points because they are in fact excellent arguments. Trust can mean various of things. But in this context, trusting Mozilla is merely trusting Mozilla based on its reputation. Mozilla does not log your password and does not sell you to an advertizing agency so your new shiny Fx Account is really to be used for Mozilla service. At least as far as we know at this point. Mozilla was named #1 most trusted organization [1] but that doesn't mean we should say Mozilla is more trustworthy than Google without considering the context in which the trust is placed in.

The first thing I want to echo is expectation. We expect so and so to do such job and deliver such promises. We expect that when we first sign up the password I pass to Firefox Account and Google Account, my password is hashed and salted with strong hashing algorithm. We expect Mozilla engineers and Google engineers to be honest and professional, so they won't be use MD5 or SHA1 to keep our passwords. But are they? We have to put a bet on Mozilla.

Almost all the Mozilla projects are open-source, meaning they exist somewhere on mozilla-central or on Github. But we can't verify that a server is actually running the code the service provider claims to be using. How can I trust them? I can't. I challenge anyone out there to propose a way to verify server, the same goal we want to have for deterministic build.

Unlike some startup which claim to be secured, Mozilla does not brag about security without hard work. They don't come up with their own new crypto and ask the community to challenge them. They are careful about code changes. With that, we say Mozilla is trusted. Google is therefore also trusted.

There are two kinds of trust:

First, people with first-hand access. They have access to some part, if not, all parts of the infrastructure. If you are running your own Persona identity bridge [2], you can verify yourself that the password you enter is hashed and salted with strong hashing algorithm and iteration. This is a great news for people who are paranoid about a particular website not handling your password properly -- provided that Mozilla sends your data over TLS channel and does not log your encrypted password in the middle.

Second type is based on experience, based on reputation. Google and Facebook employed thousands of engineers. If either is evil, then we would have heard a whistleblower gone on public already. Because there is none (or little) we expect them executing my expectation: my password is hashed and handled properly. So I am happy to stay as a Gmail user and authenticate my Gmail as Persona account. I know both Mozilla and Google will do the communication properly.

I am not an expert in either privacy or security, but I feel like people forget about the mission of the organization. Is Google bad? Is Google evil? The #1 argument is Google is for-profit and Mozilla is non-profit (yes, there is a business entity called Mozilla Corp which exists to handle business contracts like search engine option in Firefox), so Mozilla is more trustworthy, right? Since Mozilla is non-profit and it doesn't talk to advertiser or does not customized your search experience, there is little to no incentive for Mozilla to sell your data and have an advertising agency to customize your experience. With that, Mozilla's reputation is not touched.

Mozilla doesn't about your search query or activity EXCEPT metrics. How many users are experiencing such and such crash? Who is adopting such option and such. How many web servers are still negotiating RC4 cipher? Is Firefox stable? Is people happy with the security and privacy controls?

They don't care if you are bidding a cat on...

> Does Firefox Accounts provide email? No.

Bummer. I've been waiting for more than ten years to get a firefox email account.

What's the easiest way to have hundreds of millions of loyal followers that use your web services on a daily basis?

Email.

That's the starting point, besides the browser.

I wouldn't mind the server side component to this. I'd like to run my own server so that my devices can use. You'd imagine it would be available with it being Mozilla, right?

Edits: YES! https://github.com/mozilla/fxa-auth-server

Both the auth server and the Sync server are available.
(comment deleted)