Is there some privacy concern on using Firefox Sync to sync history across devices? I mean can I trust it?
from CodenameDarlen@lemmy.world to privacy@lemmy.ml on 17 Apr 20:52
https://lemmy.world/post/45733739

I wonder if they’re using my data for something or spying on me.

Because I use Firefox Sync to sync mostly my history. I don’t have bookmarks, I just remember what site I want to access by its URL then I start typing and the autocomplete does the rest.

For example, to access Lemmy I just type “le” because the only site I most access and starts with “le” is “lemmy.world”. Rarely I get some conflict on this approach. And it works on both my phone and desktop.

I wonder if I should change this approach to avoid Firefox Sync or if I can trust Firefox Sync.

#privacy

Ismael@bohio.icu on 17 Apr 21:00

From their website

All your data is encrypted on our servers so we can't read it – only you can access it. We don't sell your info to advertisers because that would go against our data privacy promise.

Bluegrass_Addict@lemmy.ca on 17 Apr 21:10

assuming they aren’t lying that is

steel_for_humans@piefed.social on 17 Apr 21:31

Ismael@bohio.icu on 17 Apr 21:39

I don't think they are lying about being against their privacy policy. Anyone can check as I just did and it seems correct.
If they were lying about the encryption I think it would have been found out by now. My impression is that Firefox users are generally more tech savvy and privacy aware so someone would have probably found out if Firefox is lying about the encryption part too. Even if that's not the case a whistleblower would have probably done it.

Bluegrass_Addict@lemmy.ca on 17 Apr 22:45

my point is that all terms and conditions are subject to change without prior notice to you and your continued use of the product and or service is agreement of the terms that can, and will change

Ismael@bohio.icu on 17 Apr 23:22

You are not wrong but at that point it applies to any and all services out there. Companies typically send an email notifying the change in their TOS and post it in their blog/website. Depending on the change I've seen that they even say that users have a deadline to react accordingly. Firefox has its controversies but I have no reasonable suspicion that they will pull that risky move of spying on that encrypted sync process and go against their whole mission and user base.

voxel@feddit.uk on 18 Apr 15:53

That would be a violation of EU law. You cannot change such agreements without notice.

Sxan@piefed.zip on 18 Apr 17:03

If þey were lying, I’d expect someone to have raised a ruckus by now. It’s OSS.

What concerns me isn’t if þey’re lying right now, but þat it would be easy for a future FF to quietly introduce a backdoor giving þem access to your data on þe next sync after release, and þey’d likely get 99% of FF sync users’ data before anyone noticed. Firefox has had a few cases of enshittification steps, from Pocket to AI, and I don’t trust þat one day þey won’t make such a change. I don’t believe þey’d go so far as start stealing from people wiþout sync, or snoop on self-hosted sync instances, but … I guess þis goes back to my philosophy: if you don’t host your data, you don’t own it.

kylekatarn@lemmy.world on 17 Apr 21:00

Securing your data with Sync involves creating a unique password, which plays a crucial role in encrypting your data for complete privacy. This encryption is end-to-end: your data is encrypted before it ever leaves your browser and can only be decrypted by another instance of Firefox. Once your data reaches a Mozilla-operated server for storage, it’s already in an encrypted state, ensuring that not even Mozilla can access or decrypt this information.

support.mozilla.org/en-US/kb/sync
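
The property described in the quoted support text above (records encrypted on the device under a key derived from the password, so the server only stores ciphertext), as an added example that is not part of the original thread and not Mozilla's code. It is a simplified model using scrypt and AES-256-GCM, not Firefox Sync's actual key derivation or record format; `sealRecord`, `openRecord` and `SyncServer` are hypothetical names and the sample data is constructed.

```javascript
// Added illustration, NOT Firefox Sync's real protocol or record format.
// sealRecord, openRecord and SyncServer are hypothetical names.
const nodeCrypto = require('node:crypto');

// Stretch the account password into a 256-bit key; the salt is not secret.
function deriveKey(password, salt) {
  return nodeCrypto.scryptSync(password, salt, 32);
}

// Client side: encrypt one record before it leaves the device.
function sealRecord(password, record) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(record), 'utf8'), cipher.final()]);
  const b64 = (buf) => buf.toString('base64');
  return { salt: b64(salt), iv: b64(iv), tag: b64(cipher.getAuthTag()), ct: b64(ct) };
}

// Client side on another device: re-derive the key and decrypt.
// Throws if the password is wrong or the blob was modified (GCM tag check).
function openRecord(password, blob) {
  const raw = (s) => Buffer.from(s, 'base64');
  const key = deriveKey(password, raw(blob.salt));
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, raw(blob.iv));
  decipher.setAuthTag(raw(blob.tag));
  const pt = Buffer.concat([decipher.update(raw(blob.ct)), decipher.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// Server model: stores and returns blobs, never sees the password or key.
class SyncServer {
  constructor() { this.store = new Map(); }
  put(id, blob) { this.store.set(id, JSON.stringify(blob)); }
  get(id) { return JSON.parse(this.store.get(id)); }
  operatorView() { return [...this.store.entries()].map(([k, v]) => `${k} ${v}`).join('\n'); }
}

function demo() {
  const server = new SyncServer();
  const password = 'constructed example password'; // constructed sample
  const visit = { url: 'https://lemmy.world/', title: 'Lemmy', visits: 42 }; // constructed sample
  server.put('history/1', sealRecord(password, visit));
  const urlVisibleToOperator = server.operatorView().includes('lemmy.world');
  const secondDevice = openRecord(password, server.get('history/1'));
  let wrongPasswordRejected = false;
  try { openRecord('wrong guess', server.get('history/1')); } catch { wrongPasswordRejected = true; }
  return { urlVisibleToOperator, secondDevice, wrongPasswordRejected };
}
```

In this model the server still learns metadata such as record ids, sizes and upload times, and the guarantee holds only as long as the client code performing `sealRecord` is the code the user expects.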

pokeman@piefed.zip on 17 Apr 22:13

Adding on to this, you can also self host your own sync server https://mozilla-services.github.io/syncstorage-rs/how-to/how-to-run-with-docker.html

(Oops looks like this got sent late and someone else sent it before mine got thru)

Danitos@reddthat.com on 18 Apr 06:08

TIL. Adding it to my to-do list. Thanks!

IratePirate@feddit.org on 18 Apr 07:45

Oh, is this a thing again? Two years ago, they were doing a Rust rewrite; the rewrite had hardly any documentation, so self-hosted FF sync was essentially dead. Is this the new thing?

pokeman@piefed.zip on 18 Apr 07:53

This is the same rewrite! Before there were really only community made images, but I believe a couple months ago is when they started pushing out their own + documentation. It really makes the server a LOT easier to host than before :)

IratePirate@feddit.org on 18 Apr 07:59

That is fantastic news! Thanks for the update!

GlenRambo@jlai.lu on 17 Apr 23:56

Just checked LibreWolf, a hardened Firefox, as I thought they disable it. Turns out it’s just off by default and “There aren’t significant downsides as Firefox Sync encrypts your data locally before transmitting it to the server.”

I thought there might be another reason to have it off (giving Mozilla your email?) but seems OK.

librewolf.net/docs/faq/#can-i-use-firefox-sync-wi…

ascend@lemmy.radio on 18 Apr 03:13

Yeah I started using librewolf recently and it’s been on my to do list to self host the sync part, seems easier than a bookmark manager.

That’ll just leave password manager and email not self hosted but I don’t think I want to for those two

GlenRambo@jlai.lu on 18 Apr 09:56

Keepass with syncthing seems to be fine for passwords.

I think email is a rabbit hole so leave that for the pros.

Sxan@piefed.zip on 18 Apr 16:19

email? What email does FF have access to, and what does it sync?

hexagonwin@lemmy.today on 18 Apr 20:52

to use firefox’s builtin sync feature with their official server you need a mozilla account, and to create one you need to provide an email addr.

Enkrod@feddit.org on 18 Apr 23:04

Vaultwarden is a self-hosted, fully FOSS implementation of the Bitwarden API that works with all Bitwarden Apps and Browser Addons.

Been using it for years and am extremely happy with it. It’s fully client encrypted so the server only works as storage for fully encrypted blobs.

PierceTheBubble@lemmy.ml on 18 Apr 03:07

I would say the feature is quite easily avoidable, as it only seems to require one manual visit, for it to show in the suggestions; which I believe are sorted based on interactions with pages (so just interact more with pages, you want to be suggested more strongly). I would personally advise against using the “feature”, primarily because it ties all browsers, on multiple separate devices, to a common Mozilla account. So why broaden your attack surface, for advantages easily reproduced manually? Is the little bit of added convenience, worth the (potential) trade-off?

IratePirate@feddit.org on 18 Apr 07:47

I’ve moved to Floccus (which can sync browser tabs and bookmarks via Nextcloud Bookmarks). Does the essential parts for me.

FriendBesto@lemmy.ml on 19 Apr 23:24

This is what I’ve been using for years. Works great. But not everyone has, knows or wants to deploy a server with Nextcloud.

Firefox Sync looks fine.

peskypry@lemmy.ml on 18 Apr 12:15

It is e2e encrypted and just works. Everything in Firefox Sync is encrypted including Bookmarks, History, Passwords etc.

bridgeenjoyer@sh.itjust.works on 18 Apr 23:22

I love that feature tbh. Glad I can trust it. I use waterfox tho