For those who don't know, if you sign in to your Google account in Chrome, Google will automatically save all the searches you've done in the omnibox.
I don't remember Google ever warning me specifically that this was happening in the background, and after I checked https://myactivity.google.com/myactivity and noticed it was doing that, I was so furious that I deleted all the data Google kept on me there, and paused all tracking in the Activity Controls page. I also stopped signing in to the Google account in Chrome.
This is why I'm a big supporter of the EU's "explicit consent" idea. I should know stuff like that without having to read a 5-page privacy policy that's often hidden somewhere on the Help page.
Speaking of Firefox, version 57 also makes it easier to enable Tracking Protection in settings now (before you had to switch to the private windows to benefit from it, although you could make it so that FF always opened private windows by default).
It's pretty easy to accidentally enable uploading all your cleartext passwords to Google's cloud service too (the dialog to do so is a dark pattern). I similarly was furious when I discovered that. Firefox is now my go-to, and what I recommend to friends and family.
Do note that if you enable Firefox's sync functionality, all of your passwords will be encrypted with a function of your Mozilla Account password, and that Mozilla can target your browser instance with JavaScript to steal your account password at will (their protocol specifies that they never see your plaintext password, but they serve JavaScript to hash the password — which means they could serve JavaScript to send the password anywhere they like).
Firefox is more secure than Chrome, but it's not very secure. The sad thing is that it used to be more secure and Mozilla deliberately weakened their security.
I agree that is a valid issue, but it's still quite a different scale than using Google.
If I understand correctly, you're saying that we should be careful about saving passwords in Firefox if we could be the target of a National Security Letter from the US. The attack would be detectable, so it cannot be used very often (and they would need a really good excuse for doing so).
By contrast, Google takes all our data and can do whatever they want with it, without a warrant/NSL?
Oh, I certainly don't recommend Google over Firefox. But I do not recommend using Firefox's Sync functionality, which is indeed insecure by design.
I have no idea why so many downvotes. Can anyone disagree that a system in which Mozilla is able to decrypt user data is insecure?
One note: the attack is not necessarily detectable, unless you are in the practice of verifying the JavaScript you receive for each page. If there were some public registry of hashed versions of Mozilla-served JavaScript, it would be detectable.
Also, you need not worry only about the U.S. government, but also about any government which can compel Mozilla to act, and any government which can compel an employee of Mozilla to act, and finally any employees at Mozilla with access. And also you need to worry about bugs in Mozilla's JavaScript: since they did not design a system in which they can't know your password (which is the key to all your secrets), an implementation error might send them your password (and thus allow them to decrypt all your secrets).
We can run our own Firefox Account servers. A privacy-focused hosting co-op could run that as part of their services, or someone could run their own at home (but that's not useful to the general public).
People get annoyed of being told x-y-z is not secure, while not being offered any practical solution, especially if the risk/probability of attack is low.
(I'm assuming Firefox has a good reason for working the way it does, but I guess the first step would be to have more documentation about that.)
Which can themselves be compromised. The old Firefox Sync protocol was immune to remote compromise, completely and totally.
> People get annoyed of being told x-y-z is not secure, while not being offered any practical solution
I agree: the problem is that there was a practical solution: just keep the old Sync protocol.
> I'm assuming Firefox has a good reason for working the way it does
The short version is that people wanted to be able to only have one device and still get at their data, and Mozilla didn't want to confuse them by separating their account passwords and their sync passwords. Never mind that combining them has resulted in a wholesale loss of security.
thanks for the direct ftp link, and congrats to the firefox team! i've been using 57 (and 58) via the developer edition and really like the improvements.
but i think i'll stick with 56 as my default browser for a little longer since quantum breaks some great legacy add-ons:
* NoScript -- control script execution
* RequestPolicy (and its variants) -- control content requests
* Blend In -- use the most common user agent string
ublock origin can somewhat replace the first two (although i think its UI could use some improvement) but the latter one and a few more that i use don't have direct equivalents (yet).
NoScript should be released either today/tomorrow or soon. The dev was planning to have it ready for 57, but I don't know how far exactly he got.
It won't be quite full-featured yet, though. He's planning that for Firefox 59, which will be the next Extended Support Release and what Tor Browser will be based on (which needs NoScript).
There's a handful of compatible user-agent switchers already...
I switched from RequestPolicy to uMatrix earlier this year and have found it to be an acceptable substitute. I think my motivation was RequestPolicy being incompatible with multiprocess.
That data is never truly deleted, not for a while at least.
I suppose it has benefit now with Android, and multiple devices, but Google and YouTube both started saving searches long before the release of Chrome.
If you are logged in to your Google account, every Google search will end up in your Google history. It doesn't matter if you search from Chrome's omnibox, google.com or Firefox's search bar.
Does Chrome also upload searches made with other search engines? That would be a bit more worrisome. Though considering that Firefox saves your history in your "Firefox Sync" account, I wouldn't be surprised if Google did the same.
Firefox Sync is intentionally designed so that we can't read or recover your data; it's all encrypted client-side.
Chrome is specifically designed to do the opposite: Google explicitly states that when you sign into Chrome, "your experience in other Google products is personalized by including your Chrome history with your Web & App Activity." (https://support.google.com/chrome/answer/185277)
A good point. Firefox sync has zero-knowledge encryption, Chrome sync doesn't. It is just that if Firefox sync stores your history, Chrome sync probably does it too.
And interestingly, you could have a page showing your search history with Firefox sync just like with Google. Just because a page shows you private data doesn't mean someone else has access to it, and the more common opposite is also true.
Not exactly zero-knowledge, just end-to-end. They have the encryption key (called kB), but it's encrypted with a key derived from your password.
(Note that while the password and key derived from it never normally leave the browser, the login page is served from the network. So, you trust Mozilla's servers to not get hacked and serve you an insecure login page.)
The system also has a notion of "class A" storage, where Mozilla knows the key (called kA), but AFAIK nothing ever used that. Maybe it's already gone.
Oh, the device names (and types - like desktop vs android) are not encrypted. Probably because of attempts to add push updates (normally, sync is just polling for updates). And the profile data too (not a part of Sync at all - it's Accounts).
Google has optional client-side (also, E2E) encryption, for some types of the data (e.g. passwords and autofill data). One has to opt in explicitly. When opted in, data is encrypted with a key that is derived from a passphrase you provide (and sync implementations would error and ask you for the passphrase). I'm not sure, but IIRC protocol has provisions that allow to not encrypt some data at client's (= Chrome's) discretion, as the encrypted flag is set per-object. I'm not aware if this is used or not - was a very long while since I've looked at their sync server implementation.
That said, for E2E encryption both systems have feature parity, but Mozilla's one has it by design and Google's one only as an opt-in.
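The key-wrapping arrangement described in the comment above (the server holds kB only in a form wrapped under a password-derived key), as an added example that is not part of the thread and is not Mozilla's code. It is a simplified model: the function names, the `sketch/...` labels, the iteration count and the stored fields are assumptions of this sketch, not the real protocol's values.

```python
import hashlib, hmac, os

def hkdf(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-SHA256 (RFC 5869) with an all-zero salt: extract, then expand."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def client_derive(email: str, password: str):
    """Runs in the browser: one stretched secret, two independent outputs."""
    salt = b"sketch/stretch:" + email.encode()      # label is an assumption
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000, 32)
    auth_pw = hkdf(stretched, b"sketch/authPW")      # sent to the server to log in
    unwrap_key = hkdf(stretched, b"sketch/unwrapBKey")  # never leaves the client
    return auth_pw, unwrap_key

def create_account(email: str, password: str):
    """Client generates kB locally; only its wrapped form goes to the server."""
    auth_pw, unwrap_key = client_derive(email, password)
    kB = os.urandom(32)
    server_record = {"email": email, "authPW": auth_pw, "wrapKB": xor(kB, unwrap_key)}
    return server_record, kB

def recover_kB(server_record: dict, password: str) -> bytes:
    """A second device: log in, fetch wrapKB, unwrap it with the password."""
    auth_pw, unwrap_key = client_derive(server_record["email"], password)
    if not hmac.compare_digest(auth_pw, server_record["authPW"]):
        raise ValueError("wrong password")
    return xor(server_record["wrapKB"], unwrap_key)

def server_only_attempt(server_record: dict) -> bytes:
    """Best the server can do from stored values alone: authPW is a sibling of
    the unwrap key, not its parent, so this does not yield kB."""
    return xor(server_record["wrapKB"], hkdf(server_record["authPW"], b"sketch/unwrapBKey"))

if __name__ == "__main__":
    record, kB = create_account("user@example.com", "constructed-sample-password")
    print("second device recovers kB:", recover_kB(record, "constructed-sample-password") == kB)
    print("server alone recovers kB: ", server_only_attempt(record) == kB)
```

Everything in `client_derive` depends on the password alone, so the guarantee holds only while the code that handles the password is the code the user expects and the password resists offline guessing against the stored verifier.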
I hate that it saves it enough that I often perform 'dumb' googles in an incognito window just so it'll never suggest "how do I parallel park" again. But how is this unexpected behavior? It also saves every URL you visit - in your browser history. And those URLs encode the search terms. If you want it to not save what you do, then you use incognito mode.
How is it not unexpected that a piece of software uploads and saves everything you search for on a remote corporate server? When did this become so commonplace that users don't even blink an eye to it? And more importantly, why would anyone find this acceptable?
That's what the feature says it does! When you create a new Chrome profile and it asks you to sign in, it says "Sign in to Chrome with your Google Account to get your bookmarks, history, passwords, and other settings on all your devices." That's a valuable feature to many people including myself.
Yeah it's a widely advertised feature and you can obviously pull up tabs from one Chrome on one computer onto Chrome from another computer. There's no other way for this to work and it's actually useful. There's nothing underhanded going on here, except perhaps if (when) they sell the data to other parties.
I am so vexed by your complaint that I had to create an account just to ask what you thought signing in to Chrome does. What did you think it was going to do? The fact that it syncs your history to your account is front and center in the description, not buried in some legal document:
"When you sign in to Chrome, your info is saved to your Google Account so you can get it whenever you need it."
It is literally the first sentence. I also support some of the various EU privacy initiatives but I don't support them because I think users should be militantly ignorant about what they're doing.
https://www.ghacks.net/2017/11/07/firefox-57-full-tracking-p...
You can download FF57 from their FTP servers (they published it today), if you can't wait for the auto-update tomorrow:
https://ftp.mozilla.org/pub/firefox/releases/57.0/