Hacker Read top | best | new | newcomments | leaders | about | bookmarklet login

>Imagine how much less annoying e.g. syncthing UI would be!

Assuming you mean the local web app needing an self-signed certificate...

https://developer.mozilla.org/en-US/docs/Web/Security/Secure...

>Note: Firefox 84 and later support http://localhost and http://*.localhost URLs as trustworthy origins (earlier versions did not, because localhost was not guaranteed to map to a local/loopback address).

So if syncthing is reachable on a port on localhost you can just switch https off.

reply



sort by: page size:

Firefox Sync uses send-to-end encryption.

So self hosting isn't as necessary.

reply


Firefox Sync actually allows this! https://github.com/mozilla-services/syncserver

This still uses FxA for authentication. You can self-host that up as well, but it's not nearly as straightforward, and I'm not aware of good documentation on how to do so.

reply


Shameless plug: A while ago I wrote a cli for firefox sync [1] (in my case mostly to automate some stuff when I create bookmarks).

It does not really solve your problem for browser-history/credentials etc. But as long as you use a client that you verified you can be kinda sure the data is E2E encrypted and can't be read by Mozilla.

Also on a side note: To this day the weave protocol is one of the more (needlessly) complex protocols I ever implemented and I'm still not sure what problems some of the design decisions solve...

[1] github.com/mikescher/firefox-sync-client

reply


> Other approaches > [ list of 3 options ]

I would like to see an option 4:

Option 4: The server side of sync is open sourced, and I can run it on my own machine, and point my browsers at my personal instance. Then no data is ever on Mozilla's servers.

reply


Another alternative: Mozilla's FF Sync is all open source and can be self-hosted. It's easy enough. It still authenticates through their endpoints, though, so if you want to do it fully self-hosted, you also need to host their identity and accounts stack, which is doable but not for the faint of heart.

reply


Firefox Sync encrypts the data locally, and you can run your own server. There's actually a simplified one for running on your own home server (as opposed to the large Mozilla infrastructure).

reply


And that is why I use Firefox sync, and I work on hosting my own sync node on a VPS. None of my co-workers understand the utility boost in seeing, all from a server-side encrypted store:

- Passwords - Bookmarks - History - Open tabs on other devices - Extensions - The list goes on

You can say the other things about Chrome and Chromium (as of recently, even the encryption part) but I do not see the docs, the code, and infrastructure published and public like Mozilla has done. Hell, someone even built in a sync mechanism in PHP to ownCloud, to make it more useful.

It is efforts like this that make me, despite other warts, a militant Firefox user. The software is ok, but an institution that pushes standards and worries about my privacy, the whole shebang, is really worth it to me.

reply


You can actually self host Firefox Sync on your own server if you want.

reply


A lot of people don't realise but the weakest point in their setup (from a security POV) is things like the password used on their browser sync account. There is a huge amount of responsibility on the sync service providers. Firefox literally knows everything about me and my accounts. Hell it knows passwords for accounts I don't even remember opening.

Self hosting the sync server makes a lot of sense. I think I will spend some time doing this over the Christmas holiday.

reply


Firefox sync uses end-to-end encryption: https://support.mozilla.org/en-US/kb/how-firefox-sync-keeps-..., https://github.com/mozilla/fxa-auth-server/wiki/onepw-protoc....

There's nothing mandatory about the initial shortcuts - just remove them. It's trivial to change your search engine to Duck Duck Go too.

reply


You can: https://github.com/mozilla-services/syncserver

I hear, it's not that easy to setup, though, as Mozilla only really needed to set it up for themselves a handful of times, probably.

reply


Then host your own Firefox-Auth-Server and Firefox-Sync-Server. At least Mozilla has open-sourced those repos, and made their browsers capable of connecting to custom servers with a simple configuration change.

But hey, you'd still be running Mozilla's code in and as your browser. As you say, they can "decrypt your synced data" and "at any time target one a send one's password anywhere they wish" even if you self-host the sync and auth servers.

But at least Mozilla has a history of standing for the consumer and protecting user rights. And Firefox is perhaps the only browser that allows hosting your own sync and auth servers without having build your own copies of the browser.

reply


You can still run your own Firefox sync server! See: https://github.com/mozilla-services/syncserver

reply


With Firefox, you can also self-host the sync server on your machines, which is totally awesome.

https://docs.services.mozilla.com/howtos/run-sync-1.5.html

reply


As far as I know you can still self-host Firefox sync.

reply


Yes, but Firefox's Sync is open source [1], so you should be able to set up a private instance. IDK how easy or hard it is though.

[1] https://wiki.mozilla.org/CloudServices/Sync

reply


Though even the librewolf maintainers trust mozilla with the encryption

https://librewolf.net/docs/faq/#can-i-use-firefox-sync-with-...

reply


Oh my mistake. Thanks for clarifying.

So in that case, how would you securely sync your data using Firefox?

reply


Firefox does this as well, and it doesn't require an account to do so. It also encrypts your personal data in the client, and allows you to set up your own sync server so that even your encrypted data never touches their servers if you don't want it to.

reply

next

Legal | privacy