Opened 3 years ago

Last modified 10 months ago

#16778 needs_information defect

"Sign In To Sync..." still appears in TBB Tools menu and about:preferences#sync

Reported by: teor Owned by: mcs
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-usability
Cc: brade, gk, nsimpson Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Although #16488 removed "Sign in to Sync" from the browser menu, I still see "Set Up Sync..." in the Tools menu in TBB 5.0 on OS X.

Can we kill that one too?

Child Tickets

Change History (20)

comment:1 Changed 3 years ago by gk

Keywords: tbb-5.0-regression added

Do you see that after an update or with a fresh Tor Browser 5.0? Or both?

comment:2 Changed 3 years ago by teor

I see it in the Tools menu in Tor Browser 5.0 whether via update or fresh download.
I also see it in the Tools menu in Tor Browser 5.5a1, via update. (Haven't checked a 5.5a1 fresh download, would you like me to?) This might be ok, based on my reading of #16488 (see below).

Also, a menu item named "Sync" is not in the browser menu by default (the menu at the top right of every browser window), but is still available via the "Customize" item at the bottom left of that menu.

Based on the comments in #16488, the feature was hidden (to avoid confusing users), but still available to those who want it. There are also related issues linked in #16488: #7188, #10367, #10368.

We may have already reached the point where it's hidden enough - I don't know if you want it gone from the tools menu as well.

comment:3 Changed 3 years ago by gk

Keywords: tbb-5.0-regression removed

Ah, okay, I thought this was still visible in the toolbar, so no regression then.

comment:4 Changed 3 years ago by mcs

Cc: brade gk added
Keywords: TorBrowserTeam201508 tbb-usability added
Owner: changed from tbb-team to mcs
Status: newassigned

comment:5 Changed 3 years ago by mcs

Keywords: TorBrowserTeam201508R added; TorBrowserTeam201508 removed
Status: assignedneeds_review

Kathy and I created a patch to hide the Tools menu item and also the Sync category within about:preferences. Please review (and we are OK with not bothering with this patch if the improvement we gain is not worth the cost of maintaining a more complex patch).
https://gitweb.torproject.org/user/brade/tor-browser.git/commit/?h=bug16778-01&id=610aefa14454e77d27170fb302f03fdfa8676a4a

comment:6 Changed 3 years ago by mcs

Here is a revised fix that also hides the Sync panel within the older preferences UI:
https://gitweb.torproject.org/user/brade/tor-browser.git/commit/?h=bug16778-02&id=0227740b6bfb3aef3b1718551cc9347c4b5f5899
Please review this one instead of the one I previously posted.

comment:7 Changed 3 years ago by teor

I'm sorry, I'm not sure how to apply patches to Tor Browser, I normally work with (Core) Tor.

Is there anything special I need to do, or can I just patch the JS code in the latest alpha version?

comment:8 in reply to:  7 Changed 3 years ago by mcs

Replying to teor:

I'm sorry, I'm not sure how to apply patches to Tor Browser, I normally work with (Core) Tor.

Is there anything special I need to do, or can I just patch the JS code in the latest alpha version?

I was really asking one of the people who work on Tor Browser for a review, although you are more than welcome to take a look. Manually patching the JS code is possible but sometimes messy because of the omni.ja archives and the fact that some js files are preprocessed (during the build process).

comment:9 Changed 3 years ago by gk

Just that I understand the patch correctly: The idea is not to get rid of Sync access entirely but to hide it even further basically on OS X systems, right? I doubt the casual user will ever run into this issue on Linux or Windows as there is no menu bar active by default (and I am assuming they don't try to get lost in the preferences maze either).

Assuming I am right with my understanding against what kind of problem does this "hide Sync access one level deeper in the browser" protect? Looking at the requests that get issued after clicking on the Sync link (by accident, maybe?) there are no machine/user identifiable information sent back to Mozilla (at least before you start the setup process) and the etag should be no issue if you click just once per seesion on the menu item.

Last edited 3 years ago by gk (previous) (diff)

comment:10 in reply to:  9 Changed 3 years ago by mcs

Replying to gk:

Just that I understand the patch correctly: The idea is not to get rid of Sync access entirely but to hide it even further basically on OS X systems, right? I doubt the casual user will ever run into this issue on Linux or Windows as there is no menu bar active by default (and I am assuming they don't try to get lost in the preferences maze either).

I think that the top level preferences category is a potential "tripping point" for users.

Assuming I am right with my understanding against what kind of problem does this "hide Sync access one level deeper in the browser" protect? Looking at the requests that get issued after clicking on the Sync link (by accident, maybe?) there are no machine/user identifiable information sent back to Mozilla (at least before you start the setup process) and the etag should be no issue if you click just once per seesion on the menu item.

OK. Maybe we should mark this ticket "wontfix" then? I would feel better if Sync was hidden until someone has audited the code, but it sounds like you have done enough that you are not too worried.

comment:11 Changed 3 years ago by mcs

Summary: "Set Up Sync..." still appears in Tools menu in TBB 5.0 on OS X"Set Up Sync..." still appears in TBB 5.0 Tools menu and Prefs

comment:12 Changed 3 years ago by mikeperry

Status: needs_reviewneeds_information

IMO, how much we hide Sync is fully dependent on the password recovery flow. The original Sync used to be fully end-to-end encrypted, but Mozilla had a lot of problems with people losing their passwords/device pairings. The new Sync claims to "derive the key securely from the password", but it's not clear what that means:
https://support.mozilla.org/en-US/kb/firefox-sync-upgrade-frequently-asked-questions#w_are-there-any-security-concerns-with-upgrading-to-the-new-system

If Mozilla's new key derivation scheme means that they can be compelled to reset the password or otherwise recover the end-to-end key, then I think we should hide this as much as possible. Until then I'm on the fence. Based on this password reset FAQ entry, it does sound like they can't recover your sync data in that case, which is a good sign:
https://support.mozilla.org/en-US/kb/ive-lost-my-firefox-sync-account-information

This appears to be the new spec: https://wiki.mozilla.org/Services/Sync/KeyRetrieval.

After reading that, the final question in my mind is "How is the user's password actually handled when authenticating to Firefox Accounts either for Sync or for other stuff?"

If the user password is just posted to the Firefox account server over HTTPS in some auth flow, I'm back to not feeling very comfortable about this, because then Mozilla is regularly being given the info they need to decrypt sync data upon every Firefox Accounts login. If, OTOH, Accounts auth is being done over some JS-based or browser-builtin HMAC/challenge-response protocol where the actual password is never actually sent to the server for any type of login (or account creation), then it's probably OK.

comment:13 Changed 3 years ago by mikeperry

Keywords: TorBrowserTeam201509R added; TorBrowserTeam201508R removed

Transfer review tickets to Sept.

comment:14 in reply to:  12 Changed 3 years ago by mcs

Replying to mikeperry:

After reading that, the final question in my mind is "How is the user's password actually handled when authenticating to Firefox Accounts either for Sync or for other stuff?"

If the user password is just posted to the Firefox account server over HTTPS in some auth flow, I'm back to not feeling very comfortable about this, because then Mozilla is regularly being given the info they need to decrypt sync data upon every Firefox Accounts login. If, OTOH, Accounts auth is being done over some JS-based or browser-builtin HMAC/challenge-response protocol where the actual password is never actually sent to the server for any type of login (or account creation), then it's probably OK.

It is hard to tell for sure, but Kathy and I do not think the actual account password is sent to the Mozilla servers. about:accounts?action=signin loads an iframe from https://accounts.firefox.com/signin?service=sync&context=fx_desktop_v1, which handles authentication. We could spend more time trying to reverse engineer minimized JS, but it looks like PBKDF2 is used to avoid sending the password over the network. But one of the items returned to the client is something called a key fetch token, which -- if I had to bet -- is the piece of data that is used later to retrieve the sync key. And if Mozilla stores the sync key on their server, can't they decrypt my sync data any time they want to? Or maybe something more than the sync key is needed in order to do that?

Should we just ask the right person at Mozilla about this?

comment:16 in reply to:  15 Changed 3 years ago by mcs

Replying to someone_else:

The current Firefox sync is described here:
https://blog.mozilla.org/warner/2014/05/23/the-new-sync-protocol/
https://github.com/mozilla/fxa-auth-server/wiki/onepw-protocol

Thanks for the links; very helpful. My read is that neither the user's password nor the key used to encrypt sync data ("kB") ever leave the browser. But someone who is better at crypto analysis than I am should read those documents and comment here.

comment:17 Changed 3 years ago by mcs

Keywords: TorBrowserTeam201510 added; TorBrowserTeam201509R removed

comment:18 Changed 3 years ago by gk

Keywords: TorBrowserTeam201510 removed

Now time for these during October.

comment:19 Changed 2 years ago by gk

Cc: nsimpson added
Severity: Normal
Summary: "Set Up Sync..." still appears in TBB 5.0 Tools menu and Prefs"Set Up Sync..." still appears in TBB 5.0 Tools menu and on preferences window

#18275 is a duplicate of this ticket.

comment:20 Changed 10 months ago by cypherpunks

Summary: "Set Up Sync..." still appears in TBB 5.0 Tools menu and on preferences window"Sign In To Sync..." still appears in TBB Tools menu and about:preferences#sync
Note: See TracTickets for help on using tickets.