
Support Forum

Unable to set up sync (new sync key is ALWAYS invalid)


When I try to set up my desktop Firefox account, I always get a "WRONG RECOVERY KEY" message on the sync tab. Initially I was using my backed-up key but it wasn't valid. Then I cleared the sync account data, deleted the account, and created a new account. Just after finishing the new account setup, every time after the window shows that sync will start soon, when I come back to the sync window I ALWAYS find the "wrong recovery key" message there. I've read most of the sync articles available; none solved my problem.



Additional System Details

Installed Plug-ins

  • Google Talk Plugin Video Accelerator version:0.1.44.29
  • Version 4.5.3.14917
  • Shockwave Flash 11.8 r800
  • Google Update
  • Next Generation Java Plug-in 10.25.2 for Mozilla browsers
  • NPRuntime Script Plug-in Library for Java(TM) Deploy
  • 5.1.20513.0
  • Adobe PDF Plug-In For Firefox and Netscape 10.1.7
  • VLC media player Web Plugin 2.0.6
  • Foxit Reader Plug-In For Firefox and Netscape
  • Picasa plugin
  • The plug-in allows you to open and edit files using Microsoft Office applications
  • Office Authorization plug-in for NPAPI browsers

Application

  • Firefox 23.0.1
  • User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
  • Support URL: http://support.mozilla.org/1/firefox/23.0.1/WINNT/en-US/

Extensions

  • Adblock Plus 2.3.2 ({d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d})
  • Evernote Web Clipper 5.7 ({E0B8C461-F8FB-49b4-8373-FE32E9252800})
  • feedly 16.0.528 (feedly@devhd)
  • FireGestures 1.7.10 (firegestures@xuldev.org)
  • Google +1 1.1.0.9 ({F9ABC0D1-06E6-4989-8211-B3246378C627})
  • Master Password+ 1.21.2 (masterpasswordtimeoutplus@vano)
  • Pocket 3.0.4 (isreaditlater@ideashower.com)
  • Toodledo 1.82 (statusbar@toodledo.com)
  • Troubleshooter 1.1a (troubleshooter@mozilla.org)
  • Update Scanner 3.1.12 ({c07d1a49-9894-49ff-a594-38960ede8fb9})
  • Xmarks 4.2.1 (foxmarks@kei.com)
  • PDF Architect Converter For Firefox 1.0 (FFPDFArchitectConverter@pdfarchitect.com) (Inactive)

Javascript

  • incrementalGCEnabled: True

Graphics

  • adapterDescription: Intel(R) HD Graphics 3000
  • adapterDescription2:
  • adapterDeviceID: 0x0116
  • adapterDeviceID2:
  • adapterDrivers: igdumd64 igd10umd64 igd10umd64 igdumd32 igd10umd32 igd10umd32
  • adapterDrivers2:
  • adapterRAM: Unknown
  • adapterRAM2:
  • adapterVendorID: 0x8086
  • adapterVendorID2:
  • direct2DEnabled: True
  • directWriteEnabled: True
  • directWriteVersion: 6.2.9200.16571
  • driverDate: 12-12-2012
  • driverDate2:
  • driverVersion: 9.17.10.2932
  • driverVersion2:
  • info: {u'AzureCanvasBackend': u'direct2d', u'AzureFallbackCanvasBackend': u'cairo', u'AzureContentBackend': u'direct2d'}
  • isGPU2Active: False
  • numAcceleratedWindows: 1
  • numTotalWindows: 1
  • webglRenderer: Google Inc. -- ANGLE (Intel(R) HD Graphics 3000)
  • windowLayerManagerType: Direct3D 10

Modified Preferences

  • accessibility.typeaheadfind.flashBar: 0
  • browser.cache.disk.capacity: 358400
  • browser.cache.disk.smart_size.first_run: False
  • browser.cache.disk.smart_size.use_old_max: False
  • browser.cache.disk.smart_size_cached_value: 358400
  • browser.places.smartBookmarksVersion: 4
  • browser.startup.homepage: http://www.google.com/ig
  • browser.startup.homepage_override.buildID: 20130814063812
  • browser.startup.homepage_override.mstone: 23.0.1
  • browser.tabs.warnOnClose: False
  • dom.max_script_run_time: 0
  • dom.mozApps.used: True
  • dom.w3c_touch_events.expose: False
  • extensions.lastAppVersion: 23.0.1
  • font.internaluseonly.changed: True
  • gfx.direct3d.last_used_feature_level_idx: 0
  • gfx.direct3d.prefer_10_1: True
  • keyword.URL: http://search.babylon.com/?affID=112465&tt=060612_6_&babsrc=KW_ss&mntrId=6856d463000000000000028037ec0200&q=
  • network.cookie.prefsMigrated: True
  • places.database.lastMaintenance: 1378819271
  • places.history.expiration.transient_current_max_pages: 104858
  • plugin.disable_full_page_plugin_for_types: application/pdf
  • plugin.importedState: True
  • privacy.sanitize.migrateFx3Prefs: True
  • security.disable_button.openCertManager: False
  • security.disable_button.openDeviceManager: False
  • security.warn_viewing_mixed: False
  • storage.vacuum.last.index: 1
  • storage.vacuum.last.places.sqlite: 1378293266

Misc

  • User JS: Yes
  • Accessibility: No
cor-el
  • Top 10 Contributor
  • Moderator
17352 solutions 156825 answers

Create a new profile as a test to check if your current profile is causing the problems.

See "Creating a profile":

  • https://support.mozilla.org/kb/profile-manager-create-and-remove-firefox-profiles
  • http://kb.mozillazine.org/Standard_diagnostic_-_Firefox#Profile_issues

If the new profile works then you can transfer some files from an existing profile to the new profile, but be cautious not to copy corrupted files to avoid carrying over the problem.

  • http://kb.mozillazine.org/Transferring_data_to_a_new_profile_-_Firefox

Helpful Reply

An empty profile doesn't have that problem, so the problem is related to my settings.

I noticed that the problem is related to FIPS security enforcement (Options->Advanced->Security Devices->Disable FIPS). Disabling FIPS solves the problem. FIPS is disabled by default; I enabled it because I am a security freak.

Although the problem is solved, I think this is a workaround, not a solution - if this is intended FF behaviour, enabling FIPS should trigger a warning about disabling Mozilla sync, or the sync options should check for FIPS and provide correct info on WHY it won't work.

cor-el
  • Top 10 Contributor
  • Moderator
17352 solutions 156825 answers

You should only use FIPS if you really need it and are working in an environment where it works.
FIPS requires disabling all SSL ciphers (i.e. only TLS is used) and may not work properly with all servers.

  • https://developer.mozilla.org/en-US/docs/NSS/FIPS_Mode_-_an_explanation

Question owner

Except this single issue with Mozilla Cloud Sync, FIPS was working for me FINE on various browsers since circa 2005. This is FIRST TIME I experience problems related with enabling this option. I do understand however that this is working the way it was designed (sync with Mozilla is using unsecure ciphers?) so I will stop using FIPS mode for a while. Still I am not convinced why enabling FIPS breaks Mozilla sync, with weak cipher being the only explanation?

Ez2517 1 solutions 4 answers

I had the same problem and tracked it down to the FIPS mode. When looking at the sync log, I have the impression that it is not about weak ciphers, but about functionality of the PKCS#11 crypto module which may be disabled in FIPS mode. The log file contains the following:

1381084901615 Sync.Service DEBUG verifyLogin failed: PK11_ExtractKeyValue failed. Stack trace: ................

"ExtractKeyValue" suggests that maybe the key is extracted from the PKCS#11 driver (in clear text ?) which may not be allowed in FIPS mode. Just a theory ... :-)
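The log check described in the post above, as an added example that is not part of the original thread or of Mozilla's code: it parses Sync log lines in the layout of the quoted line and separates `verifyLogin` failures raised by an NSS `PK11_*` call from other failures. The names `parse_line`, `triage` and `SAMPLE` are hypothetical, the whitespace-separated layout is assumed from the single quoted line, and the link to FIPS mode is this thread's finding rather than a documented mapping.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed layout, taken from the line quoted in the post: <epoch ms> <logger> <LEVEL> <message>
LINE_RE = re.compile(r"^(\d{13})\s+(\S+)\s+([A-Z]+)\s+(.*)$")
# The quoted failure names an NSS call, PK11_ExtractKeyValue; match any PK11_* call that failed.
NSS_CALL_RE = re.compile(r"\b(PK11_\w+) failed")

# First line is the one quoted in the post; the remaining lines are constructed for this example.
SAMPLE = [
    "1381084901615 Sync.Service DEBUG verifyLogin failed: PK11_ExtractKeyValue failed. Stack trace: ................",
    "1381084990120 Sync.Service DEBUG verifyLogin failed: PK11_ExtractKeyValue failed. Stack trace: ................",
    "1381084990500 Sync.Service INFO constructed informational line",
    "not a log line",
]

def parse_line(line):
    """Split one log line into fields; return None for lines in another layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ms = int(m.group(1))
    # Integer arithmetic keeps the millisecond part exact.
    when = (datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
            + timedelta(milliseconds=ms % 1000))
    return {"time": when, "logger": m.group(2), "level": m.group(3), "message": m.group(4)}

def triage(lines):
    """Count verifyLogin failures, split into crypto-module errors and everything else."""
    nss_calls, other, first_seen = Counter(), 0, None
    for line in lines:
        rec = parse_line(line)
        if rec is None or "verifyLogin failed" not in rec["message"]:
            continue
        first_seen = first_seen or rec["time"]
        m = NSS_CALL_RE.search(rec["message"])
        if m:
            nss_calls[m.group(1)] += 1
        else:
            other += 1
    # Only crypto-module failures: a new recovery key will not help, as the thread found.
    if nss_calls and not other:
        verdict = "local crypto module refused an operation; check FIPS mode before re-keying"
    elif nss_calls or other:
        verdict = "mixed or non-crypto failures; check credentials and server responses"
    else:
        verdict = "no verifyLogin failures found"
    return {"first_seen": first_seen, "nss_calls": dict(nss_calls), "other": other, "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE))
```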

Ez2517 1 solutions 4 answers

Chosen Solution

Btw I agree that there should be a warning either when enabling FIPS mode, or when activating Sync. It took me hours to figure out the problem ....

mghali 0 solutions 3 answers

Why isn't there a KB article simply saying FIPS BREAKS FIREFOX SYNC?


This has got to be the stupidest waste of time I've seen in ages. Why hasn't this been fixed? It's obviously been screwing users for YEARS (just do a simple google search). I can't believe a completely valid config option completely BREAKS a core feature like this, with no warning whatsoever.

I've been switching over from Safari because I like the new TLS support in Aurora. But after getting boned by this clusterfsck, forget it. I don't have time to waste on this kind of amateur hour nonsense.

mghali 0 solutions 3 answers

cor-el:

Whether or not we "should" be using FIPS is not relevant here.

The issue here is that enabling additional security features silently breaks other functionality. For no good reason whatsoever.

They are both core features. If they conflict then warn us when we choose them both. Why is that so hard to understand?

Or perhaps sack up, and configure TLS on your sync servers so it can talk to your own browsers.. Or has that been too difficult to figure out for the last couple of years?

What a joke.

edit: modified this post. please refrain from personal attacks on other forum members (Forum rules and guidelines)! helpers here are contributors volunteering their time. if you disagree with someone else's opinion it should be possible to say so in an objective matter. (philipp)


Modified by philipp

mghali 0 solutions 3 answers

PooPooToo:

You hit the nail on the head. For some reason Mozilla's decided to restrict the sync servers to an insecure set of ciphers. Unbelievable! It's like they didn't bother testing against their own clients.

If that's not horrible enough, then they ignore the stream of support issues being raised and leave this goose egg in their software unfixed for YEARS - without even bothering to add a faq or kb article or anything. Just "experts" on the support forum telling us to disable FIPS. Pathetic.


Modified by mghali

Ez2517 1 solutions 4 answers

There is another possibility. We know now that the NSA takes influence on organisations to keep 'little insecurities' in systems and protocols which are not too obvious for the normal user. This SYNC implementation COULD be one of those, since when breaking it, it nicely allows to extract a lot of interesting data - bookmarks (-> personal interests), passwords (yummy !) and so on.

BR Franz

the-edmeister
  • Moderator
5391 solutions 40027 answers

Ez2517,

The Sync Key / Recovery Key is the encryption "device" for the user's data when it is in transit to / from the Sync servers and while sitting on the Sync server. Without the correct "key" the data is scrambled, and no one except the user ever sees that "key" as it isn't sent to the Sync server. That 26 character alpha/numeric "key" is somewhat difficult to crack, and who would bother for bookmarks and so on.

Ez2517 1 solutions 4 answers

Helpful Reply

Hi,

I am sure the secret services do bother. If you look at the information on what they are bothering about, all the metadata from mails, SMS, location info, information from apps like Angry Birds, there is no question they would be interested in which web sites you are into. And for sure they bother about passwords. It is not about how difficult it is to crack a 26 digit "key". It is about that this key seems to be used in an unsafe way, resp. that the SYNC implementation seems to require Firefox to be configured in an unsafe way, on one hand allowing weak ciphers, on the other hand allowing extraction of "keys" directly from the browser's PKCS#11 module. There is a reason that FIPS has specified what a PKCS#11 implementation may or may not do if it shall be secure.
