598115 - Remove the option to Email Sync Key from install wizard

Status: VERIFIED FIXED

(Firefox :: Sync, defect)

Description

[Ragavan S [:rags]]

The current implementation of the setup wizard allows you to email yourself the Sync Key as one of the backup options. While it has usability benefits, it poses serious security risks.

Personally, I definitely see the usability value of having a backup in email. It helps both setting up additional devices as well as helping with recovery if all known copies of the key are lost somehow. 

However, the risk that comes with emailing essentially the key to the kingdom far outweighs the utility, especially given both the insecure nature of email and how the Sync architecture is based on the Sync Key being secret.

To address the concern around ease of setting up additional devices, we will do a couple of things. In the Fx 4 time frame, we will recommend that users go look up their Sync Key on their desktop when setting up Sync on other devices (especially Fennec and Firefox Home). Beyond Fx 4, we will provide other mechanisms (QR codes, Netflix style activation etc) to make setup easier.

I've talked to Jay as well that we are going to be moving in this direction.

Comment 1

[Ragavan S [:rags]]

Just want to add that the other options (Print and Save) will still be available.

Comment 2

[Mike Beltzner [:beltzner, not reading bugmail]]

I'm glad that you've talked to Jay, but you didn't talk to me, and that's pretty much a must when changing a feature like this. :)

I do not think that copying it to a clipboard is in any way helpful. If the issue is that we want to remove the email option, then let's make the bug about removing the email option.

Comment 3

[Philipp von Weitershausen [:philikon]]

(In reply to comment #2)
> I do not think that copying it to a clipboard is in any way helpful.

I think it is, if people want to send themselves an email (ick), paste it into a file on their encrypted harddrive or a personal USB pendrive, or some external password manager they use (e.g. 1Password). It's certainly better and way more flexible than Email.

> If the issue is that we want to remove the email option, then let's make
> the bug about removing the email option.

Whichever way we decide, it would be good to get an agreement on this, especially since we now have an ETA for this issue.

Comment 4

[Ragavan S [:rags]]

(In reply to comment #2)
> I'm glad that you've talked to Jay, but you didn't talk to me, and that's
> pretty much a must when changing a feature like this. :)

Sorry about that, I should have closed the loop on our email conversation.
 
> I do not think that copying it to a clipboard is in any way helpful. If the
> issue is that we want to remove the email option, then let's make the bug about
> removing the email option.

The bug *is* about removing the email option, but as philikon says in comment #3, I do think Copy to clipboard is useful to people that have other ways of saving sensitive information. Do you feel strongly that we should *not* provide users that option?

Comment 5

[Alex Faaborg [:faaborg] (Firefox UX)]

Is it possible for us to block activating the next control until we've detected a paste?  If we activate next right after they click copy, we might get a lot of users who decide not to save their Sync key at all.

Comment 6

[Alex Faaborg [:faaborg] (Firefox UX)]

I think we should copy plain text of they key+explanation.  If the user decides to place it into a text file, or an encrypted note in keychain etc, we want to have the context around it just as if they hit save or print.

Comment 7

[Philipp von Weitershausen [:philikon]]

(In reply to comment #5)
> Is it possible for us to block activating the next control until we've detected
> a paste?  If we activate next right after they click copy, we might get a lot
> of users who decide not to save their Sync key at all.

The paste would happen in another app, so the only thing we could possibly check for is that the wizard window loses focus... But do we really have to babysit the user this much? After seeing the UI in action for a while now I'm even wondering whether the whole block-next-until-you've-saved thing was such a good idea...

(In reply to comment #6)
> I think we should copy plain text of they key+explanation.

That feels wrong to me.

> If the user decides
> to place it into a text file, or an encrypted note in keychain etc, we want to
> have the context around it just as if they hit save or print.

So it would basically be the same text as in the email?

Comment 8

[Alex Faaborg [:faaborg] (Firefox UX)]

I agree that these types of mitigation steps are kind of annoying (users are going to want to just plow through this part of the process and ignore the key).  But if we get fewer support emails saying "I lost that sync whatever, give me my data back!" I think taking some annoying steps now creates less overall frustration.

Comment 9

[Ragavan S [:rags]]

I talked to beltzner earlier today and he feels pretty strongly that we should *not* provide a copy to clipboard button. I'm fine with that and so is mconnor.

Comment 10

[Philipp von Weitershausen [:philikon]]

(In reply to comment #9)
> I talked to beltzner earlier today and he feels pretty strongly that we should
> *not* provide a copy to clipboard button. I'm fine with that and so is mconnor.

Are we still removing the email option then, or is this a WONTFIX?

Comment 11

[Ragavan S [:rags]]

Yes, we are removing the Email option. We'll only have Print and Save to file.
Updated the summary to reflect that.

Comment 12

[Philipp von Weitershausen [:philikon]]

Attachment: v1

Comment 13

[Philipp von Weitershausen [:philikon]]

http://hg.mozilla.org/mozilla-central/rev/f404f7ffe6a6

Comment 14

[Tracy Walker [:tracy]]

verified with recent nightly minefield builds