Are bookmarks encrypted?
So I have a master password set for Firefox, to store my logons. I am syncing my bookmarks and passwords using Firefox's built-in sync function. My question is, are bookmarks encrypted on Firefox's sync servers? I want to ensure that all my bookmark metadata (tags, keywords, descriptions) that I enter are encrypted. Anyone know if this is occurring?
Additional System Details
- User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Yes they are encrypted.
- this old article Firefox Sync data is secure - Find out more
- and http://www.mozilla.org/en-US/legal/privacy/firefox.html
- ... This data (“Firefox Sync User Data”) is stored on, manipulated, and transmitted to and from Mozilla’s servers by means of your use of the Firefox Sync Services. Firefox Sync User Data is encrypted on your computer before it is sent to Mozilla’s servers, so it is not available to Mozilla in a readable form. Mozilla uses SSL/TLS technology to ensure your Firefox Sync User Data is encrypted during transit. ...
Changes to the system are coming soon, but you can be certain it will remain secure.
Modified by John99
In light of the Edward Snowden revelations about the NSA and in particular use of the Homeland Security laws to obtain ANY information that a US company holds about a person…
Is there any way the Mozilla organisation can get access to my synced bookmarks?
No, Mozilla can't read your bookmarks. Only you have the encryption key.
Thanks for your reply, but what level of encryption is it? Actually how secure is it? Bearing in mind that security obscurity may as well be no security.
Just an aside, and possibly you are even less involved with documentation than I am, but I failed to find any good and current documentation about this. Maybe we have a hole in the current documentation. The new Sync and accounts are bound to be at least as secure as the old one, but do we document that?
In another thread I did my best to flag the user level documentation I could find /questions/997922#answer-566606*
There is some documentation mentioned above. It may not fully answer your question but it is going to be encryption not just obfuscation, and will be end to end. I can say that because Mozilla takes security and Privacy seriously and is not going to start lowering standards on something like that.
As an example, Mozilla are even considering the possibilities and mitigation methods for if someone could hack compilers creating a backdoor to change Firefox code in a way that would be hard to detect, or that Mozilla may be legally forced to secretly change code to assist in Government level surveillance. See this blog article by someone who was recently at the top of Mozilla management.
An additional note, the bookmarks on your own computer are not encrypted by Mozilla. The passwords are at least to the extent that someone trying to read them needs both the password files and the master password, unless you leave the computer on and unattended when anyone can see them. That is better than Google Chrome. There is a possibility that your OS or other software may encrypt certain partitions | folders | files.
The relevant links contained in my previous post
- Old article on the old sync
Firefox Sync data is secure - Find out more
- This mentions the encryption https://wiki.mozilla.org/Identity/Firefox-Accounts#Why_does_Firefox_Accounts_require_me_to_choose_a_password.3F
Update X link see also
- /questions/999581 ( tagged as escalate - but no point in escalating all the posts as they are cross linked) If I disable my master password and enable sync of my passwords, how are they encrypted? What is my encryption key?
- /questions/997922#answer-566606 already mentioned
new vs 29 seems like a dog. It doesn't close properly, doesn't remember old passwords and isn't syncing properly?
- /questions/998080 (From a long time contributor) The new sync process and master password do not mix
- /questions/999578 Security of synced bookmarks in light of the Edward Snowden revelations - are we secure?
- /questions/999566 Privacy reduced with new Firefox Sync?
Modified by John99
So if I understand, the bookmarks are encrypted on Mozilla's server in some undescribed fashion. But those same bookmarks are not stored encrypted on the user's computer, even if a master password is used?
That is correct; the server data is encrypted.
The undescribed encryption method is going to be relatively high security, but I do not know the method and would need to research that so I will let someone else answer that. I did however note one linked article
Says [my emphasis]
Sync is different from most storage-in-the-cloud services in that data is encrypted locally - that is it cannot be read by other parties - before it is sent to the cloud. While many services encrypt data as it is being transmitted, Sync keeps your data encrypted even after it has arrived at the server.
This means that the Sync server operators can’t read your data - even if they wanted to. The only way your data can be read is if someone possesses your secret Sync Key (sometimes referred to as a Recovery Key). This can occur if your device is lost or hacked or if you reveal it to another party. The important fact to note is that the Sync Key is never made available to the Sync Server and without it, your encrypted data is statistically impossible to recover.
But no; the bookmarks themselves, on your computer, are not encrypted.
Bookmarks are stored in a database places.sqlite and in some snapshot backup files with .json extension names.
These are not intended to be obfuscated, but to a casual observer they may be insofar as they are not plain text or html.
I presume most other browsers store bookmarks as html which are easily readable with a browser or word processor. Google Chrome even stores passwords without any master password so any user of the browser may see them by using the UI.
The login passwords with Firefox are protected with a master password. To read them you need the password and the logins are encrypted on your computer.
You may of course have data encrypted by the OS or other software, but that is not a Firefox matter.
HelpDesk staff or another contributor will probably give a full answer in the other thread within the next few days.
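The point made in the answer above, that places.sqlite on the local machine is an ordinary unencrypted SQLite file, can be checked directly. This is an added example, not part of the original thread or Mozilla's code; the database it reads is a constructed stand-in with a simplified subset of the `moz_places` / `moz_bookmarks` columns, and the type values (1 = bookmark, 2 = folder) are assumptions about the real schema.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # 16-byte header of an unencrypted SQLite file


def is_plain_sqlite(path):
    """True when the file carries the standard SQLite header (not encrypted at rest)."""
    with open(path, "rb") as fh:
        return fh.read(16) == SQLITE_MAGIC


def read_bookmarks(path):
    """Open read-only and return (title, url) rows; no key or master password is needed."""
    con = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        return con.execute(
            "SELECT b.title, p.url FROM moz_bookmarks b "
            "JOIN moz_places p ON p.id = b.fk "
            "WHERE b.type = 1 ORDER BY b.id"  # assumption: type 1 = bookmark
        ).fetchall()
    finally:
        con.close()


def build_sample_db(path):
    """Constructed sample: simplified subset of the real tables, made-up rows."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE moz_bookmarks (id INTEGER PRIMARY KEY, type INTEGER,
                                    fk INTEGER, title TEXT);
        INSERT INTO moz_places VALUES (1, 'https://bank.example/login');
        INSERT INTO moz_places VALUES (2, 'https://intranet.example/wiki');
        INSERT INTO moz_bookmarks VALUES (1, 2, NULL, 'Work');
        INSERT INTO moz_bookmarks VALUES (2, 1, 1, 'My bank');
        INSERT INTO moz_bookmarks VALUES (3, 1, 2, 'Team wiki');
    """)
    con.commit()
    con.close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "places.sqlite")
        build_sample_db(db)
        print("plain SQLite:", is_plain_sqlite(db))
        for title, url in read_bookmarks(db):
            print(title, "->", url)
```

To audit a real profile, run the two functions against a copy of its places.sqlite. If the header check passes, protection of that file depends on OS-level or third-party disk or folder encryption, as the answer notes.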