Firefox Sync design seems needlessly insecure in terms of UX regarding use of password
Categories
(Cloud Services :: General, defect)
Tracking
(Not tracked)
People
(Reporter: el, Unassigned)
Details
Attachments
(1 file)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:149.0) Gecko/20100101 Firefox/149.0
Steps to reproduce:
The Firefox Sync design seems needlessly insecure in terms of UX regarding use of password. Apparently, the password for Firefox Sync is derived from the account password, and this is kept secure by not actually sending the account password to the server but only a derived key: https://www.kyzer.me.uk/syncserver/ Correct me if I'm wrong.
However, the problem with how Firefox Sync implements that is that it just shows me a password page that looks like any ordinary password page, where for all I know the password is transmitted to the server as-is.
How would a user know that the page hasn't been changed, possibly even specifically for them thanks to the email tie-in, to grab the password after all?
(From what I can tell this is a higher risk than e.g. a forged Firefox update, since 1. I can check the checksum of Firefox locally or store it for offline analysis, which is more difficult with a changing web page, 2. the Firefox update server typically doesn't know who I am, so it would probably need to risk serving a forged update to multiple people if there ever were an attack, 3. users can disable Firefox updates or review them in some way before applying them if they have high security needs, which typically isn't practical for a web page.)
I could be wrong, I'm not a security expert. I'd like to be wrong, too. Let me know if I am mistaken.
But if I'm not, then I think Firefox Sync should be changed so that similar to e.g. Brave, the sync password isn't ever actually entered into something that looks like a web page. This way, the user can be sure the web page wouldn't actually save the sync password.
Actual results:
The sync password seems to be entered in some way into a web page, so it's indistinguishable whether the E2EE property is retained, i.e. it's unclear to the user whether the server would have access to the password.
Expected results:
Sync password should probably only be entered in some local dialog that clearly is associated with Firefox Sync and clearly isn't a web page. It probably shouldn't be associated with some email either, since this may allow the sync servers to track people's internet addresses associated with their identity. As far as I can tell, Brave's sync satisfies all these needs, while Firefox's currently doesn't.
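To make the "only a derived key reaches the server" point concrete, the following is an added example and not Firefox or Mozilla code. It shows the split derivation the report refers to: one key (auth_pw) is sent to the server as the login credential, a second key (unwrap_b_key) never leaves the device and is what protects the sync key kB. The salt and info strings are modelled on the Firefox Accounts onepw protocol as I recall it and are assumptions to be checked against the protocol documentation; the server-side verifier is deliberately simplified to a plain hash, and the sample email, password and kB are constructed. The guarantee the code demonstrates holds only if the page the user types into actually runs this derivation; a page that sends the raw password instead looks identical to the user, which is the concern raised above.

```python
"""Client/server split of an FxA-style password derivation (illustrative).

Added example, not project code. Constants marked ASSUMED are modelled on the
onepw protocol from memory; verify against the protocol documentation.
"""
import hashlib
import hmac
import os

# ASSUMED constants (onepw-style); only the structure matters for the argument.
QUICK_STRETCH_SALT = b"identity.mozilla.com/picl/v1/quickStretch:"
AUTH_PW_INFO = b"identity.mozilla.com/picl/v1/authPW"
UNWRAP_BKEY_INFO = b"identity.mozilla.com/picl/v1/unwrapBkey"
QUICK_STRETCH_ITERATIONS = 1000


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF (extract, then expand) with HMAC-SHA256."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_client_keys(email: str, password: str) -> dict:
    """Runs entirely on the client. Only auth_pw is ever transmitted."""
    stretched = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), QUICK_STRETCH_SALT + email.encode(),
        QUICK_STRETCH_ITERATIONS, dklen=32)
    return {
        "auth_pw": hkdf_sha256(stretched, b"", AUTH_PW_INFO, 32),
        "unwrap_b_key": hkdf_sha256(stretched, b"", UNWRAP_BKEY_INFO, 32),
    }


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def client_create_account(email: str, password: str, kb: bytes) -> tuple:
    """Honest client: returns (message sent to server, secret kept locally).

    kB is the sync encryption key; it is sent only in wrapped (XORed) form.
    """
    keys = derive_client_keys(email, password)
    wrap_kb = xor_bytes(kb, keys["unwrap_b_key"])
    message = {"email": email, "auth_pw": keys["auth_pw"], "wrap_kb": wrap_kb}
    return message, keys["unwrap_b_key"]


def server_store(message: dict) -> dict:
    """Simplified server record: a verifier of auth_pw plus the wrapped key.

    Neither the password, nor unwrap_b_key, nor kB appears here. A plain hash
    stands in for the real (stronger) verifier; that detail does not change
    what the server can or cannot derive.
    """
    return {
        "email": message["email"],
        "verifier": hashlib.sha256(message["auth_pw"]).digest(),
        "wrap_kb": message["wrap_kb"],
    }


def server_verify_login(record: dict, message: dict) -> bool:
    """The server checks the derived credential, never the password itself."""
    candidate = hashlib.sha256(message["auth_pw"]).digest()
    return hmac.compare_digest(record["verifier"], candidate)


def client_recover_kb(email: str, password: str, record: dict) -> bytes:
    """A new device recomputes unwrap_b_key locally and unwraps kB."""
    keys = derive_client_keys(email, password)
    return xor_bytes(record["wrap_kb"], keys["unwrap_b_key"])


if __name__ == "__main__":
    # Constructed sample account; kB would be random in practice.
    email, password, kb = "user@example.com", "correct horse", os.urandom(32)
    message, _local_secret = client_create_account(email, password, kb)
    record = server_store(message)
    print("login accepted:", server_verify_login(record, message))
    print("kB recovered on new device:", client_recover_kb(email, password, record) == kb)
    print("server holds:", sorted(record))  # no password, no unwrap_b_key, no kB
```

The argument in the bug report is about the first function the user interacts with: if the page the user types into is the honest client above, the server record shown at the end is all it ever gets; if the page has been swapped for one that posts the password field as-is, nothing in this scheme helps, and the user has no way to tell the two pages apart.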