Is my sync data encrypted if the other device is iOS
Hi,
I recently installed firefox on my desktop, created a Mozilla account and a passphrase for my profile data.
When I chose the iPhone as the second device to sync and the operation completed, I went to my iPhone, launched firefox and was able to go to the password section and select copy/reveal without it asking for my passphrase. So my valuable data is just there for anyone to view.
Can you please explain this behavior to me?
Thanks
Chosen solution
The data sent through Firefox Sync is encrypted using your password. This is why, if you were to reset your Firefox Account password, your bookmarks, passwords and any other data on Firefox Sync would get removed from the Firefox Sync servers, since it can't be decrypted with the new account password.
The behaviour that you described does indeed sound normal.
When you first setup Firefox Sync, you will need to log in and provide the password as well as complete an additional email verification process (likely). However, after you get signed in, your device will remember your Firefox Sync information so that you don't have to sign in each time.
That does mean that if someone were to obtain your device, they could look at whatever is saved in Firefox. The same would be the case if you didn't use Firefox Sync.
You can log a device out of Firefox Sync from anywhere using the Firefox Accounts settings page, that won't remove any content that's already been saved to the device. It will just prevent new or updated content from being sent to that device from Firefox Sync.
What you can do to secure your passwords more is you could enable a Master Password. That would make it so that you need to enter that Master Password before you will be able to see the logins and passwords saved in Firefox.
Side Note: Using a Master Password and Firefox Sync does not currently work on Firefox for Android.
Hope this helps.
Read this answer in context 👍 0All Replies (3)
Chosen Solution
The data sent through Firefox Sync is encrypted using your password. This is why, if you were to reset your Firefox Account password, your bookmarks, passwords and any other data on Firefox Sync would get removed from the Firefox Sync servers, since it can't be decrypted with the new account password.
The behaviour that you described does indeed sound normal.
When you first setup Firefox Sync, you will need to log in and provide the password as well as complete an additional email verification process (likely). However, after you get signed in, your device will remember your Firefox Sync information so that you don't have to sign in each time.
That does mean that if someone were to obtain your device, they could look at whatever is saved in Firefox. The same would be the case if you didn't use Firefox Sync.
You can log a device out of Firefox Sync from anywhere using the Firefox Accounts settings page, that won't remove any content that's already been saved to the device. It will just prevent new or updated content from being sent to that device from Firefox Sync.
What you can do to secure your passwords more is you could enable a Master Password. That would make it so that you need to enter that Master Password before you will be able to see the logins and passwords saved in Firefox.
Side Note: Using a Master Password and Firefox Sync does not currently work on Firefox for Android.
Hope this helps.
I have enabled a master password and it prompts me for it every time I start Firefox, just like I want. However, on my iPhone I was able to look at my passwords and logins without entering the master password. This is the part I don't fully understand, I was under the impression the master password would also be required on my iPhone when looking at passwords saved in Firefox.
Note that there is a difference between the master password that encrypts the logins on the device that uses this MP and the sync key that is derived from the password of the Sync account and this sync key is used locally to encrypt your personal data including usernames and passwords locally before uploading this data to the Sync server.
On the Sync server the logins aren't encrypted with the MP (only with the sync key) as that needs to be done on each connected individual device and in addition there is also a special seed used locally as a basic encryption key.