Being able to sync
- between multiple browsers on the same computer,
- or multiple browsers on different computers
Being able to sync
I’m really concerned about sync encryption. What’s the point of encryption if you hold the encryption keys?
It appears you are not giving us an option to choose a password/key to encrypt, hold onto the encryption keys instead using keys which you alone have control and could decrypt at any time.
If I’m using a service to sync which encrypts personal data I’d expect to have control of the encryption keys. I assume background sync would require storing encryption key always on the browser which is a sizable security risk you could prompt users to enter the encryption key right before the background sync starts and removing it from the memory as soon as the sync is completed or interrupted. A bit untraditional and merely an inconvenient side effect of reliable high-security . You could also consider adding a “remember key” checkbox so that people would at least know what the potential tradeoff is, and agree to storing their keys on their device knowingly.
If you want to really keep your customers safe and keep things “private.” You would let your customers hold on to their encryption keys.
To ensure security please have the code audited and release audit report before public release.
I think there is a misunderstanding. We will never know those keys. Otherwise, as you pointed out, the end2end encryption would indeed be pointless.
The keys are only stored on your devices.
It would not be suitable to recreate keys on every new sync batch though, because otherwise you would need to do that every few minutes.
Also the purpose of the encryption is not to shield you from every attack vector (like your own computer that is hacked) but that you can safely sync your data with whatever provider you use now and in the future.
If someone would obtain the encryption keys, its 1) already too late because they had access to your computer and would not need the keys anymore and 2) they could not hijack the sync because they would still need to register another device to sync which we/you would notice.
Does that make sense?
We will never know those keys.
Key could be compromised while sending from extension to mobile app.
The keys are only stored on your devices. It would not be suitable to recreate keys on every new sync batch though
As you aren’t using asymmetric encryption and using symmetric encryption it’s just a single key and you’re just randomly generating a string which you’re using as a password to encrypt/decrypt data. What I’m proposing here is to grant us more control over the key.
When doing sync for the first time allow us to manually choose the key/password to encrypt data along with your default option. When a user selects manual option store a hash of key on device instead of storing the plain key.
Like mentioned previously, you prompt users to enter the encryption key(selected in first step) and check if the hash matches the hash stored on device right before the background sync starts and removing it from the memory as soon as the sync is completed or interrupted.
As for mobile app you transfer the hash value of user key instead of sending the actual encryption key and user enters the password selected during initial sync stage om mobile to verify.
You could also consider adding a “remember key” checkbox so that people would at least know what the potential tradeoff is, and agree to storing their keys on their device knowingly.
A bit inconvenient, yes, but secure.
This way even if someone managed to gain access to my device they won’t get access to the encryption key.
Can you also try to answer all the questions so I don’t have to repeat? Missed a couple of questions in my previous posts as well.
Will the code be audited? To ensure security please have the code audited and release audit report before public release.
The connection runs over SSL, so if SSL is not compromised there is not much we can do - except if we would create a backdoor, which we obviously would not because it could destroy trust and the very foundation to run our company.
What I’m proposing here is to grant us more control over the key.
Your ideas are great but they are more for a later stage / optimisation.
For now we don’t have the capacity to develop a 100% secure system or implement the suggestions your propose.
Will the code be audited?
Sorry if I missed that. No the code will initially not be audited, for the same capacity reasons. We are focused to get something usable out of the door asap, that provides enough privacy that we can’t know your data. Our focus initially here is privacy, not 100% security.
Also to note:
Key sending from extension to mobile happens by scanning a QR code and from computer2computer via WebRTC, so they never even land on our servers.
Are there any updates on this? It seems like the recent updates are only for syncing between one desktop browser and one phone.
Adding an additional browser into the syncing is currently not supported, right?