I wonder if they’re using my data for something or spying on me.
Because I use Firefox Sync to sync mostly my history. I don’t have bookmarks, I just remember what site I want to access by its URL then I start typing and the autocomplete does the rest.
For example, to access Lemmy I just type “le” because the only site I access most that starts with “le” is “lemmy.world”. I rarely get a conflict with this approach. And it works on both my phone and desktop.
I wonder if I should change this approach to avoid Firefox Sync or if I can trust Firefox Sync.
I love that feature tbh. Glad I can trust it. I use Waterfox tho
It is e2e encrypted and just works. Everything in Firefox Sync is encrypted including Bookmarks, History, Passwords etc.
Just checked LibreWolf, a hardened Firefox, as I thought they disable it. Turns out it’s just off by default and “There aren’t significant downsides as Firefox Sync encrypts your data locally before transmitting it to the server.”
I thought there might be another reason to have it off (giving Mozilla your email?) but seems OK.
https://librewolf.net/docs/faq/#can-i-use-firefox-sync-with-librewolf-is-it-safe-to-do-so
Yeah I started using LibreWolf recently and it’s been on my to-do list to self host the sync part, seems easier than a bookmark manager.
That’ll just leave password manager and email not self hosted but I don’t think I want to for those two
Vaultwarden is a self-hosted, fully FOSS implementation of the Bitwarden API that works with all Bitwarden Apps and Browser Addons.
Been using it for years and am extremely happy with it. It’s fully client encrypted so the server only works as storage for fully encrypted blobs
Keepass with syncthing seems to be fine for passwords.
I think email is a rabbit hole so leave that for the pros.
email? What email does FF have access to, and what does it sync?
to use firefox’s builtin sync feature with their official server you need a mozilla account, and to create one you need to provide an email addr.
Securing your data with Sync involves creating a unique password, which plays a crucial role in encrypting your data for complete privacy. This encryption is end-to-end: your data is encrypted before it ever leaves your browser and can only be decrypted by another instance of Firefox. Once your data reaches a Mozilla-operated server for storage, it’s already in an encrypted state, ensuring that not even Mozilla can access or decrypt this information.
Adding on to this, you can also self host your own sync server
https://mozilla-services.github.io/syncstorage-rs/how-to/how-to-run-with-docker.html
(Oops looks like this got sent late and someone else sent it before mine got thru)
TIL. Adding it to my to-do list. Thanks!
Oh, is this a thing again? Two years ago, they were doing a Rust rewrite; the rewrite had hardly any documentation, so self-hosted FF sync was essentially dead. Is this the new thing?
This is the same rewrite! Before there were really only community made images, but I believe a couple months ago is when they started pushing out their own + documentation. It really makes the server a LOT easier to host than before :)
That is fantastic news! Thanks for the update!
From their website
All your data is encrypted on our servers so we can’t read it – only you can access it. We don’t sell your info to advertisers because that would go against our data privacy promise.
assuming they aren’t lying that is
If þey were lying, I’d expect someone to have raised a ruckus by now. It’s OSS.
What concerns me isn’t if þey’re lying right now, but þat it would be easy for a future FF to quietly introduce a backdoor giving þem access to your data on þe next sync after release, and þey’d likely get 99% of FF sync users’ data before anyone noticed. Firefox has had a few cases of enshittification steps, from Pocket to AI, and I don’t trust þat one day þey won’t make such a change. I don’t believe þey’d go so far as start stealing from people wiþout sync, or snoop on self-hosted sync instances, but … I guess þis goes back to my philosophy: if you don’t host your data, you don’t own it.
If you’re that paranoid you can host it yourself.
https://github.com/mozilla-services/syncstorage-rs?tab=readme-ov-file
https://mozilla-services.github.io/syncstorage-rs/
It’s open source.
I don’t think they are lying about being against their privacy policy. Anyone can check as I just did and it seems correct.
If they were lying about the encryption I think it would have been found out by now. My impression is that Firefox users are generally more tech savvy and privacy aware so someone would have probably found out if Firefox is lying about the encryption part too. Even if that’s not the case a whistleblower would have probably done it.
My point is that all terms and conditions are subject to change without prior notice to you, and your continued use of the product and/or service is agreement to the terms, which can and will change.
That would be a violation of EU law. You cannot change such agreements without notice.
You are not wrong but at that point it applies to any and all services out there. Companies typically send an email notifying the change in their TOS and post it in their blog/website. Depending on the change I’ve seen that they even say that users have a deadline to react accordingly. Firefox has its controversies but I have no reasonable suspicion that they will pull that risky move of spying on that encrypted sync process and go against their whole mission and user base.
I’ve moved to Floccus (which can sync browser tabs and bookmarks via Nextcloud Bookmarks). Does the essential parts for me.
I would say the feature is quite easily avoidable, as it only seems to require one manual visit, for it to show in the suggestions; which I believe are sorted based on interactions with pages (so just interact more with pages, you want to be suggested more strongly). I would personally advise against using the feature, primarily because it ties all browsers, on multiple separate devices, to a common Mozilla account. So why broaden your attack surface, for advantages easily reproduced manually? Is the little bit of added convenience, worth the (potential) trade-off?






