
The most compelling reason to use Firefox Sync is that it is client-side encrypted. Mozilla stores opaque encrypted blobs that it is entirely unable to decrypt.

Law enforcement agencies request that data from time to time, hoping to obtain browsing history, only to be turned down thanks to the encryption.

(disclaimer: former Mozilla security)



Even better, you can host the sync server yourself: https://github.com/mozilla-services/syncstorage-rs


The only downside to using your own sync server for your devices' Firefox Sync is that Firefox/iOS cannot accept a custom Sync server URL; with Firefox/iOS, you are stuck with the Mozilla Sync server.


That sounds equally like a downside to using Apple devices as a lot of open source self-hosted applications are limited in their respective iOS version.


A local server that uses sentry and spanner?

What?


You have an incredulous tone, but you can host Sentry (it's open source) and it's very common to host databases in the cloud.


I just hoped that everything on that server could run locally and not depend on any cloud based tech.


I strongly suggest reading the requirements fully before commenting what amounts to misinformation at best.

You can run everything locally. You don't need spanner and can use mysql instead as a database. Also, as the previous commenter already told you, you can run sentry locally.

Let's see whether you're willing and able to walk back your comments. I'm in the same boat as you - I'd want to run everything locally and I'm very happy to see it's entirely possible.


Good to know


This is a big reason to avoid Edge: They have entire categories that aren't e2ee, browsing history being one of them. Chrome, IIRC, can have e2ee but the user has to turn it on.

Brave, Vivaldi and Firefox offer complete, e2ee sync solutions.


Is this encrypted with a KDF from your password?


The encryption method is detailed here, that might potentially (not sure, as I don't know what KDF is) answer your question: https://hacks.mozilla.org/2018/11/firefox-sync-privacy/

But encryption does depend on your password:

> The crux of the difference in how we designed Firefox Accounts, and Firefox Sync (our underlying syncing service), is that you never send us your passphrase. We transform your passphrase on your computer into two different, unrelated values. With one value, you cannot derive the other. We send an authentication token, derived from your passphrase, to the server as the password-equivalent. And the encryption key derived from your passphrase never leaves your computer.


Thanks! KDF is key derivation function. Looks like they are using PBKDF2.
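
The split described in the quoted Mozilla passage (one passphrase turned into two unrelated values on the client), as an added example that is not part of the thread and is not Mozilla's code. It assumes a PBKDF2 stretch followed by HKDF with two different labels; the labels, salt format, iteration count and sample credentials are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values; not real credentials. The labels and the
# iteration count are assumptions for this example, not Mozilla's parameters.
EMAIL = "user@example.com"
PASSPHRASE = "correct horse battery staple"
ITERATIONS = 100_000


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32, salt: bytes = b"") -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract, then expand."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive(passphrase: str, email: str) -> tuple[bytes, bytes]:
    """Return (auth_token, encryption_key), both computed on the client."""
    stretched = hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode(), b"example/stretch:" + email.encode(), ITERATIONS
    )
    auth_token = hkdf_sha256(stretched, b"example/auth")   # sent to the server
    enc_key = hkdf_sha256(stretched, b"example/encrypt")   # never leaves the client
    return auth_token, enc_key


def server_can_recover_key(auth_token: bytes, enc_key: bytes) -> bool:
    """The server holds only the token; re-deriving from it does not give the key."""
    guess = hkdf_sha256(auth_token, b"example/encrypt")
    return hmac.compare_digest(guess, enc_key)


if __name__ == "__main__":
    token, key = derive(PASSPHRASE, EMAIL)
    print("auth token (sent):    ", token.hex())
    print("encryption key (kept):", key.hex())
    print("server recovers key:  ", server_can_recover_key(token, key))
```

Both outputs depend on the passphrase, so a weak passphrase is still guessable offline by anyone holding the token; the stretch only raises the cost per guess.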


Chrome Sync is also client-side encrypted, you just need to set the sync password.

Settings -> You and Google -> Sync and Google Services -> Encryption options



Google uses some dark patterns in the UX, yes. It's still weird to me that GP says "The most compelling reason to use Firefox Sync is that it is client-side encrypted" when that's table stakes for any browser sync engine I know of.


Because them making encryption the default rather than obscuring encryption options with dark patterns strongly signals they aren't trying to trick you into handing over private data for their profit.


Isn't this the same with Safari?



