How Firefox Sync keeps your data safe even if TLS fails

With so many stories popping up in the news around data leakage these days, you may be wondering if your Firefox Sync data is safe. No need to worry as Firefox Sync contains additional layers of security.

How Sync works

  • Firefox Sync ensures that your data is encrypted before it ever leaves your device, and that the password to unlock this encryption is never transmitted to the server. This is done by applying some cryptographic hashing to your Firefox Account password to strengthen it when you enter it, and deriving the authentication and encryption keys.
  • The authentication key is transmitted to the server to prove that you own the account. If TLS fails, this might cause the authentication key to be leaked, and someone who intercepts this key could use it to authenticate into your account. However, they can’t use it to access your Firefox Sync data since the encryption key is used to encrypt your data before it leaves your device. This key is never transmitted to the server, so it can’t be leaked if TLS fails.
  • Firefox Sync uses the account password to build an additional layer of security and encryption on top of what’s provided by TLS. Therefore, we can’t even access your Firefox Sync data and don’t rely on the confidentiality of TLS to keep your data safe. For all the technical details regarding how this entire process works, see protocol documentation.

The stronger your password, the more protection this scheme can offer. That’s why it’s important to choose a Create secure passwords to keep your identity safe for your Firefox Account.

// These fine people helped write this article:Joni, Lamont Gardenhire. You can help too - find out how.

Was this article helpful? Please wait...

Volunteer for Mozilla Support