Just today I reinstalled Ubuntu on a laptop and the sync completely borked.
What I don't understand is why does it first ask you for a pair code from another device? My only other device was a desktop far away. After I logged in and clicked "reset sync key" it apparently lost all of the synced data!
I seriously hope this solves the currently heinous sync process. Just let me log in an authorize myself for goodness sake.
Aside from the fact that yes, pair codes are annoying - it sounds like you didn't understand Sync at all and were upset that it wouldn't compromise basic security guarantees for ease of use?
In the old system, the pair code was effectively a password. It's obvious that resetting the sync key wiped out your synced data; the synced data was encrypted with the old key and generating a new one obviously wouldn't let you decrypt it. (It's possible the old key can still be used to recover the data, but I'm not sure).
Complaining that it demanded a pair code is like complaining that gmail asks you for a 2fa code after you've turned on 2fa. Of course it does, that's how the security works.
Of course, the pair code system is kind of a pain, so they introduced passwords. But the pair code system does work if you use it correctly. I don't think it's fair to call it 'completely borked' when your problems are entirely down to user error.
Keep in mind that Firefox Sync always protects all your profile data; Mozilla can't access it because your machines encrypt it. This is unlike Chrome's profile sync where all the data lives on Google's servers and is accessible to them. As a result the authentication can't be as simple as 'sign in with your gmail account' or something like that.
This is a bit unfair, since, as you admit, these changes are being made precisely because users don't understand the sync model, and the mismatch causes things like lost data.
Notably Chrome sync does let you encrypt all data locally, but it works the same way: if you lose your passphrase, you can't sync a new machine with it.
The big difference is that it's also tied to an account, which lets you do things like use it as a backup and restore service (the analog would be a pair code that's persistent and well known to the user). The current Sync pair code system makes your synced data just an extension of the data in your browser (or browsers, if you already use more than one). Lose that browser and you lose your data. The new Firefox Sync looks like it provides that now, which should ease a lot of user pain due to lost data (and not just annoyance).
I don't think it's still as simple as entering your username/password if you don't have your paired device nearby: you also need a recovery key. I got bitten by this once: I didn't remember entering, or even being asked about a recovery key when I set up my account, so I was forced to reset my data. Luckily, I still had my bookmarks in Chrome, so I didn't lose any data, but the entire experience was frustrating.
Also, quick addendum: you _can_ specify an addition password in Chrome so your data is encrypted before it gets sent to Google. It's pretty much identical to FF Sync then, and much more user friendly.
This is a ridiculous and rather arrogant response. First off, if the user doesn't understand something, you can't just always blame the user. It in fact did completely bork my synced data. I don't care what you want to call it, if user's lose data there's a problem somewhere in the design of the sync system.
No where in the user-flow did it say anything about losing data if you reset the recovery key. These confusions are why they're changing the FF sync system!
True, if you accidentally lost data, this suggests the documentation should be better. But this is not entirely changing:
class-A: data assigned to this class can be recovered, even if the user forgets their password, by proving control over an email address and resetting the account. It can also be read by Mozilla (since it runs the keyserver and knows kA), or by the user's IdP (by resetting the account without the user's permission).
class-B: data in this class cannot be recovered if the password is forgotten. It cannot be read by the IdP. Mozilla (via the keyserver) cannot read this data, but can attempt a brute-force dictionary attack against the password.
We do not yet know which data will be assigned to which category by default, but it is likely that saved-passwords will go into class-B, and many other datatypes will default to class-A. There will be an option to put all data into Class-B.
...and for good reason, because since Mozilla presumably wants to avoid being required to hand over account data by governments to the greatest extent possible. Being able to reset your password via email necessarily makes it possible for Mozilla to decrypt that data.
> This is unlike Chrome's profile sync where all the data lives on Google's servers and is accessible to them.
This is not true. When you configure chrome's sync you can set an encryption password separate from your Google password and select items for encrypted sync.
Though in my opinion Firefox Sync had the better method here security wise.
In the old system, the pair code was effectively a password. It's obvious that resetting the sync key wiped out your synced data
Except that I can change my password on Facebook without losing all my data and change my bank PIN without losing my money.
The truth is that isn't a password at all.
And it was completely borked. The 2nd most common use case for Chrome Sync for me is logging onto a new computer and wanting my bookmarks. If I had my other computer with me I wouldn't be logging onto a new computer!
I'm pretty sure the pairing code system came along quite a while after password-based encryption and authentication. I've been using Firefox Sync since it was branded Mozilla Weave, and the first time I came across the pairing code thing it was an unpleasant surprise that was totally at odds with my prior experiences with associating a new computer. I had previously had no trouble adding a new machine without direct access to a previous machine.
On Password reuse - Implementing a one factor, password based auth puts the accounts security in the users hands. There are lots of email, password lists from hacked web services (Linkedin,Yahoo Voices, Gawker, etc.) in the wild and users all too commonly reuse their weak passwords across multiple services.
If a user couldn’t figure out how to set up Firefox Sync previously by following the instructions and taking a set of digits from one device and entering them into another, what hope have they of picking a strong and unique password?
I enjoyed the extremly minimal cost of entry in terms of UX. But it's just a little bit too ~naked. I don't know when or if the sync has been done (maybe my system lacks some DE notification) and I have no other way to see what has been synced, I can' t find a browser based interface for the account. account.mozilla.... restricts itself as a login form.
good news. I hope that new sync feature will work seamlessly and efficiently - I disabled sync about a year ago because browser became sluggish with large number of bookmarks.
Mozilla would love to have Firefox on iOS. You just need to convince Apple to change their terms of service to allow real 3rd party browsers (as opposed to UI skins atop the slower version of Safari).
What chrome did is fine for me. I don't need a super snappy web browser for mobile sites. I'd be fine with a UI that syncs with Firefox on top of WebKit
I don't think Firefox would be keen on (1) having a webkit-based browser with the name Firefox and (2) having it be an intentionally-hobbled browser compared to Safari so Apple can ensure its browser is the 'fastest' on iOS. Google made the decision with Chrome, since it is also webkit, but it will likely bite them in the ass later as blink continues to be improved and webkit begins to stagnate more. And as they begin to have differing rendering bugs.
Not sure why they can't just slap something together like Chrome for iOS. Sure, it won't be the real firefox, but I just want to access my passwords, history, and such easily
In theory - yes. I checked option "Use Weave/Firefox to sync white list" in Flash Block. Recently I was playing with VM and I synced Iceweasel on Debian (remembering about marking option to remove local data and use synced data). It got everything except white list. Sadly, white list from original Firefox has been also lost :(
Works ok on nightly for me. I'm just waiting for this to be implemented on Firefox Mobile so I can continue to actually sync between all my machines again.
What I don't understand is why does it first ask you for a pair code from another device? My only other device was a desktop far away. After I logged in and clicked "reset sync key" it apparently lost all of the synced data!
I seriously hope this solves the currently heinous sync process. Just let me log in an authorize myself for goodness sake.