Unable to set up sync (new sync key is ALWAYS invalid)
When I try to set up my desktop Firefox account, I always get a "WRONG RECOVERY KEY" message on the sync tab. Initially I was using my backed-up key but it wasn't valid. Then I cleared sync account data, deleted the account, and created a new account. Just after finishing the new account setup, every time after the window showing that sync will start soon, when I come back to the sync window I ALWAYS find the "wrong recovery key" message there. I've read most of the sync articles available; none solved my problem.
All Replies (12)
Create a new profile as a test to check if your current profile is causing the problems.
See "Creating a profile":
If the new profile works then you can transfer some files from an existing profile to the new profile, but be cautious not to copy corrupted files to avoid carrying over the problem.
Empty profile doesn't have that problem, so problem is related to my settings.
I noticed that problem is related to FIPS security enforcement (Options->Advanced->Security Devices->Disable FIPS). Disabling FIPS solves problem. FIPS is disabled by default, I enabled it because I am security freak.
Although problem is solved, I think this is workaround not solution - if this is intended FF behaviour, enabling FIPS should trigger a warning about disabling mozilla sync or sync options should check for FIPS and provide correct info WHY it won't work.
You should only use FIPS if you really need it and are working in an environment where it works.
FIPS requires to disable all SSL ciphers (i.e. only TLS is used) and may not work properly with all servers.
Except this single issue with Mozilla Cloud Sync, FIPS was working for me FINE on various browsers since circa 2005. This is FIRST TIME I experience problems related with enabling this option. I do understand however that this is working the way it was designed (sync with Mozilla is using unsecure ciphers?) so I will stop using FIPS mode for a while. Still I am not convinced why enabling FIPS breaks Mozilla sync, with weak cipher being the only explanation?
I had the same problem and tracked it down to the FIPS mode. When looking at the sync log, I have the impression that it is not about weak ciphers, but about functionality of the PKCS#11 crypto module which may be disabled in FIPS mode. The log file contains the following:
1381084901615 Sync.Service DEBUG verifyLogin failed: PK11_ExtractKeyValue failed. Stack trace: ................
"ExtractKeyValue" suggests that maybe the key is extracted from the PKCS#11 driver (in clear text ?) which may not be allowed in FIPS mode. Just a theory ... :-)
Btw I agree that there should be a warning either when enabling FIPS mode, or when activating Sync. It took me hours to figure out the problem ....
Why isn't there a KB article simply saying FIPS BREAKS FIREFOX SYNC?
This has got to be the stupidest waste of time I've seen in ages. Why hasn't this been fixed? It's obviously been screwing users for YEARS (just do a simple google search). I can't believe a completely valid config option completely BREAKS a core feature like this, with no warning whatsoever.
I've been switching over from Safari because I like the new TLS support in Aurora. But after getting boned by this clusterfsck, forget it. I don't have time to waste on this kind of amateur hour nonsense.
Whether or not we "should" be using FIPS is not relevant here.
The issue here is that enabling additional security features silently breaks other functionality. For no good reason whatsoever.
They are both core features. If they conflict then warn us when we choose them both. Why is that so hard to understand?
Or perhaps sack up, and configure TLS on your sync servers so it can talk to your own browsers. Or has that been too difficult to figure out for the last couple of years?
What a joke.
edit: modified this post. Please refrain from personal attacks on other forum members (Forum rules and guidelines)! Helpers here are contributors volunteering their time. If you disagree with someone else's opinion it should be possible to say so in an objective manner. (philipp)
Modified by philipp
You hit the nail on the head. For some reason Mozilla's decided to restrict the sync servers to an insecure set of ciphers. Unbelievable! It's like they didn't bother testing against their own clients.
If that's not horrible enough, then they ignore the stream of support issues being raised and leave this goose egg in their software unfixed for YEARS - without even bothering to add a faq or kb article or anything. Just "experts" on the support forum telling us to disable FIPS. Pathetic.
Modified by mghali
There is another possibility. We know now that the NSA takes influence on organisations to keep 'little insecurities' in systems and protocols which are not too obvious for the normal user. This SYNC implementation COULD be one of those, since when breaking it, it nicely allows to extract a lot of interesting data - bookmarks (-> personal interests), passwords (yummy !) and so on.
The Sync Key / Recovery Key is the encryption "device" for the user's data when it is in transit to / from the Sync servers and while sitting on the Sync server. Without the correct "key" the data is scrambled, and no one except the user ever sees that "key" as it isn't sent to the Sync server. That 26 character alpha/numeric "key" is somewhat difficult to crack, and who would bother for bookmarks and so on.
I am sure the secret services do bother. If you look at the information on what they are bothering about, all the metadata from mails, sms, location info, information from apps like Angry Birds, there is no question they would be interested in which web sites you are into. And for sure they bother about passwords. It is not about how difficult it is to crack a 26 digit "key". It is about that this key seems to be used in an unsafe way, resp. that the SYNC implementation seems to require Firefox to be configured in an unsafe way, on one hand allowing weak ciphers, on the other hand allowing extraction of "keys" directly from the browser's PKCS#11 module. There is a reason that FIPS has specified what a PKCS#11 implementation may or may not do if it shall be secure.