Firefox Android Sync is here! Uh, wait....

A new version of Firefox that runs on Android phones includes a feature called Sync.  If you activate it, Sync synchronizes your bookmarks, browsing history, open tabs, and passwords between your desktop computer and your phone.  Doesn't that sound awesome?  No more fumbling around with Delicious for bookmarks or mSecure for website passwords!

...Until you think about security.  Imagine this scenario:  you do some online banking at home, and the next day you lose your phone.  The person who finds your phone notices that you have Firefox, so he opens the browser and types "bank" into the URL bar.  Autocomplete helpfully fills in the name of your bank, the saved-password autofill supplies your username and password from the synced password store, and one tap later he's in your checking account.

What does Mozilla have to say about Sync's security?  On Mozilla's Sync page, they assure you that your data is encrypted so the "bad guys" (their words, not mine) can't intercept it or decode it.  After some digging, I was able to learn that your passwords are stored on Mozilla's servers, encrypted both in transit and at rest.  That addresses two threats: someone sniffing the connection, and someone with access to Mozilla's servers.  It does nothing against someone holding your phone, because the phone is the device that holds the key and decrypts those passwords on demand.  So it will be good enough for most people, insofar as you trust Mozilla, and as long as nobody touches your phone.

Here's what Mozilla says to do in the event that you lose your phone.  In a nutshell, you have to change your Sync password and then change every password you used in Firefox, because until you do, your phone can log into all those sites even though it's no longer syncing.  Wow, better be quick and thorough.

So can I use Sync for bookmarks but, say, not for passwords?  Apparently not, according to the answers in this Mozilla support forum thread.  The last answer sums up my feelings about it pretty well.

Firefox, this is half-baked.  It's dangerous.  You are giving tools to thieves and setting up your users for some serious pain.  Pull the plug on Sync and fix it.

2 comments:

  1. Would be fine if you're using a secure master password. Plenty of people I know have all their passwords stored in firefox on laptops without one already... that's almost as big a problem. Unfortunately FF mobile doesn't appear to allow a master password. I won't be using sync until it does, and maybe not ever if I have to go via third-party servers (although I trust mozilla more than most web companies)

    BTW, for my bank, at least, FF doesn't even ask if I want to store the password, and no, I don't have it in the exceptions list...

  2. You're right - my wife pointed out to me that online banking sites never allow passwords to be saved in browsers.

    I think a fingerprint scanner would be perfect. Laptops like my Thinkpad have had these for years, and they're quite small. You could fit one on the bottom edge of the phone and swipe your thumb on it when you want to log in to a site.