Firefox Sync: Then and Now and Soon


FIREFOX SYNC: THEN AND NOW AND SOON
BRIAN WARNER, MOZILLA IDENTITY
[email protected]

BROWSER DATA SYNCHRONIZATION
  • keep bookmarks, passwords, preferences, etc synchronized between multiple browsers
  • data stored on server: clients are mostly offline
  • extra credit: encryption

FIREFOX SYNC (NEÉ WEAVE)
  • Firefox extension by Mozilla Labs, 2007-2010
  • username + password + passphrase

J-PAKE
  • "Password-Authenticated Key Agreement" (PAKE)
  • other PAKE protocols: SRP, EKE, SPEKE
  • use shared weak password to derive strong session key
  • uses several roundtrips
  • eavesdroppers get zero knowledge about the session key
  • MitM gets exactly one guess
  • http://grouper.ieee.org/groups/1363/Research/contributions/hao-ryan-2008.pdf

CREDENTIAL TRANSFER

SYNC 1.3, NOW WITH J-PAKE
INCLUDED IN FIREFOX 4.0 (MARCH 2011)

AWESOME!
  • great security, even against the server
  • no passwords to remember

NOT SO AWESOME

PROBLEM #1: INCOMPLETE TRANSITION
  • pairing replaced passphrase
  • but email/password was left in

PROBLEM #2: NO SINGLE-DEVICE RECOVERY

SOLVING THE WRONG PROBLEM
  • We built Sync: connecting your devices to each other
  • incidentally provided an elegant security solution
  • But people wanted a backup service: connecting their device to a server
  • They used Sync anyways, with bad results.

NEW (CONTRADICTORY) CONSTRAINTS
instructions: "Fix Sync!". Make it:
  • "secure"
  • recoverable-by-password
  • recoverable-by-email
  • use one password, not two
  • make it look more like a "normal" account system

NEW SRP-BASED DESIGN

DATA-PROTECTION CLASSES
  • class A: recoverable by email
  • class B: recoverable only by password

CLIENT-SIDE KEY-STRETCHING
  • client does not reveal password to server
  • SRP protects stretched password against eavesdroppers, MitM, and malicious server

PUSHBACK
  • full spec looks pretty complex
  • SRP is underspecified: scary
  • implementing our own SRP (in Javascript): scary
  • can't do server-side stretching with SRP verifier
  • slow clients, JS clients: performance worries
  • scrypt RAM usage vs small phones: OOM Killer

SCOPE CREEP
  • new requirement: generalized accounts
  • auth-only, same password
  • don't care about encryption keys
  • login from arbitrary browsers

"ONEPW" DESIGN

"PASSIVE" ATTACK

"ACTIVE" ATTACK

JUST AUTH

FUTURE DIRECTIONS
  • Ship it!: Firefox 29, late April 2014
  • Reintroduce Pairing
  • 2FA

MORE INFORMATION
  • "onepw" protocol: https://github.com/mozilla/fxa-auth-server/wiki/onepw-protocol
  • old SRP protocol: https://wiki.mozilla.org/Identity/AttachedServices/KeyServerProtocol
  • these slides (press 's' for notes): http://people.mozilla.org/~bwarner/warner-rwc2014/

THANKS!
[email protected]
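
The client-side key-stretching and "class B: recoverable only by password" ideas from the slides, as an added Python sketch that is not from the talk or from Mozilla's code: the client stretches the password locally, sends only a derived login token, and keeps a second derived key to unwrap the class B key. The PBKDF2/HKDF/scrypt choices, round counts, salt format, labels and the single-use XOR wrap are assumptions for illustration, not the parameters of the onepw or SRP protocols.

```python
import hashlib
import hmac
import os

def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with HMAC-SHA256 and the default all-zero salt."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def client_derive(email: str, password: str):
    """Stretch on the client, then split into two independent 32-byte keys."""
    # Assumed demo parameters: salt built from the email, 100k PBKDF2 rounds.
    salt = b"demo-stretch:" + email.encode()
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    auth_token = hkdf_sha256(stretched, b"demo/auth")    # sent to the server for login
    unwrap_key = hkdf_sha256(stretched, b"demo/unwrap")  # never leaves the client
    return auth_token, unwrap_key

def server_enroll(auth_token: bytes):
    """Server stretches the token again so a stolen database is costly to brute-force."""
    salt = os.urandom(16)
    # n is kept small for the demo; scrypt memory use is about 128 * n * r bytes.
    return salt, hashlib.scrypt(auth_token, salt=salt, n=2**12, r=8, p=1, dklen=32)

def server_verify(auth_token: bytes, salt: bytes, verifier: bytes) -> bool:
    candidate = hashlib.scrypt(auth_token, salt=salt, n=2**12, r=8, p=1, dklen=32)
    return hmac.compare_digest(candidate, verifier)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def demo() -> dict:
    email, password = "user@example.com", "correct horse"  # constructed sample input
    auth_token, unwrap_key = client_derive(email, password)
    salt, verifier = server_enroll(auth_token)
    class_b_key = os.urandom(32)            # random key that encrypts class B data
    wrapped = xor(class_b_key, unwrap_key)  # the only form the server stores
    wrong_token, wrong_unwrap = client_derive(email, "wrong guess")
    return {
        "login_ok": server_verify(auth_token, salt, verifier),
        "login_wrong_pw": server_verify(wrong_token, salt, verifier),
        "key_recovered": xor(wrapped, unwrap_key) == class_b_key,
        "key_with_wrong_pw": xor(wrapped, wrong_unwrap) == class_b_key,
    }
```

The server holds only the scrypt verifier and the wrapped key, so it can check a login but cannot recover the class B key without the password-derived unwrap key.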
