
Introducing Firefox Monitor, Helping People Take Control After a Data Breach - sciurus
https://blog.mozilla.org/blog/2018/09/25/introducing-firefox-monitor-helping-people-take-control-after-a-data-breach/
======
newscracker
This is a good development. Since this is integrated with haveibeenpwned, I'd
expect the next step to be integration with Firefox Lockbox [1] and Firefox
Sync (with password sync selected). That would be quite helpful – a _free_
password storage/sync app/service that can also monitor and alert users on
Lockbox/Firefox (as opposed to having to sign up on Firefox Monitor with every
email address that one uses). This is what 1Password did a few months ago,
integrating with haveibeenpwned to alert users.

Right now Firefox Lockbox is not available everywhere and is not out on
Android yet. That also would need to change fast for this to be adopted
widely.

[1]: [https://lockbox.firefox.com/](https://lockbox.firefox.com/)

~~~
techntoke
Mozilla has very poor justification as to why. It's not like they have a
light-weight cross-platform UI framework to build their applications with,
much like their web browser should be.

~~~
rexpop
You think browser teams should develop UI frameworks?

~~~
devwastaken
Every browser creates their own UI framework. They just don't want anyone to
make software with their stuff unless it's made for their specifically marketed
purpose, web sites. Firefox used to have XUL, still completely does, but they
removed the ability for XULRunner APIs that worked pre-57. Firefox's UI is
still very much XUL, and it's a very slow process for them changing it to 'Web
Components'. You actually still can create specific components using XUL and
make your own stuff, just that it'll break at any moment.

They hid the decision to remove browser application extensibility behind 'web
extensions' and refuse to acknowledge how they screwed over devs that relied
upon it, and have a significant failure of the potentials of browser
technology. There is a big difference between an extension _in_ a browser, and
extending the browser itself.

If there was a browser right now that could have its UI replaced in a standard
way and updated just like the normal browser, most electron apps would not be
required. It'd be far safer, performant, and would solve a lot of the big
problems in the web app as a desktop app ecosystem. However, that's not their
market. All browsers are in this for market.

This is not a new development either. Look at the JSApi for SpiderMonkey and
they'll purposefully break compatibility on any and all versions. They don't
understand what an API means. You can look at WebAssembly, too. There is no
engine you can use to run independent wasm from mozilla, even though mozilla
are the ones who pushed the spec which includes many claims outside of browser
usage that Mozilla never pursued.

At the end of the day Mozilla does not deliver on their ideas or technology
unless it's firefox or something related. If you ever want to use 'web
technology' in your own applications you will end up using Webkit. Which I
think is super funny given that's Apple.

~~~
techntoke
I agree 100%, however WebKit isn't the only solution. Even Qt now uses
Chromium from my understanding:

[https://wiki.qt.io/QtWebEngine](https://wiki.qt.io/QtWebEngine)

I think CSS is pretty great, but I would like to see something like
Sass/Jade/Mustache/etc rendered client side. If browsers would focus less on
JavaScript, and more on improving markup languages under the core Unix
Philosophies, then we wouldn't be where we are today. I hope eventually they
will let containers or the API in Linux handle permissions/security, and
improve that. Android has its own issues with Java. With Vulkan, Linux is
ready for a very efficient and ever-evolving scalable solution. Heck, a modern
UI scripting framework for the terminal similar to kmscon would be incredible.
No reason the terminal can't support markup and assets. My vision is something
similar, but definitely more friendly than DolDoc:

[https://news.ycombinator.com/item?id=13962436](https://news.ycombinator.com/item?id=13962436)

------
kgwxd
I like that subscription is email verification only, I didn't have to create a
"Mozilla Account" with a password or anything like that. If Google or MS
offered this, I'm sure you'd need an account that would also sign you into
their entire ecosystem.

~~~
ndnxhs
It's amazing how nice things are to use when they aren't trying to sell your
data

~~~
profalseidol
The world would be a lot nicer when profit is not the goal

~~~
profalseidol
And we would have probably reached Alpha Centauri by now.

------
lmcarreiro
It seems that it is just an UI over the haveibeenpwned.com service

~~~
iscrewyou
You are correct. They discuss here how it works:
[https://blog.mozilla.org/security/2018/06/25/scanning-breached-accounts-k-anonymity/](https://blog.mozilla.org/security/2018/06/25/scanning-breached-accounts-k-anonymity/)

~~~
romanovcode
So how is it different then?

~~~
groovecoder
No difference on the site/service side (yet). Stay tuned for more, though! ;)

------
Mediterraneo10
Am I the only person worried about how this represents a potential violation of
privacy? You can not only enter your e-mail address to see how you are
affected, you could also put in the e-mail addresses of _other people_ , and
boom, you can see what communities they have signed up for, assuming those
sites have suffered a breach some time in the past. I might have given Last.fm
my e-mail address during the signup process, for example, but I might not
necessarily want the whole world to be able to determine that I have signed up
for Last.fm.

Yes, I am aware that the breached data is already floating around on the
internet, but it isn’t so convenient to consult it as on this website (or Have
I Been Pwned?). These sites ought to require that a person prove they own that
e-mail address before returning data concerning it.

~~~
ndnxhs
The database leaks are usually very easy to obtain. You can just run grep over
them and find anyone's account

~~~
RadioactiveMan
There's seven billion people in the world for which running grep is not easy.
This makes it easy.

~~~
ndnxhs
And anyone could do the same. It would probably take me the afternoon to
create a service that searches an email address in some text files. Overall
having people be aware of data leaks is more important than attempting to hide
already public data.

------
e1ven
I'm curious why they're applying the "Firefox" branding to this.

I suppose it makes sense as a Mozilla project, but what does it have to do
with the browser?

~~~
dblohm7
Market research has shown that "Firefox" has much better brand recognition
than "Mozilla."

~~~
cyborgx7
And it will probably lose that brand recognition if they keep attaching it to
everything and diluting the brand. This is a dangerous game they are playing.

------
heroprotagonist
While interesting, Firefox Monitor is itself leaking data about my online
activities by providing this scan service. Anyone with my email address can
get access to various hobbies and even potentially learn where to find more
information (and what kind).

While they are not primary leaker, Firefox Monitor providing the information
this way is disheartening.

Most people in my network do not know about Have I Been Pwned (the source of
the scan data), but they _do_ know about Firefox.

This brand recognition and resulting media impact will spread my bits of
personal information wider and into my direct network of contacts.

I'd much prefer a qualification requirement. Make me click a link in an email
you send when I ask for information about an email address instead of
providing unfettered access to a list of (breached) services the email was
used for over the past decade.

I expect better from Mozilla/FF.

~~~
groovecoder
Thanks for taking the time to provide feedback.

As mentioned in another comment, you can opt-out of the HIBP database here:
[https://haveibeenpwned.com/OptOut](https://haveibeenpwned.com/OptOut)

I also filed [https://github.com/mozilla/blurts-server/issues/466](https://github.com/mozilla/blurts-server/issues/466) to
consider making this visible in the Monitor UI.

~~~
gbrayut
I wasn't aware of the opt out. Thanks!

------
onedognight
I have many email addresses, so this service is useless to me. However, it
seems like Firefox could integrate this into the browser itself to check all
email/password combinations protected by its master password.

Slightly related, why doesn't Firefox offer to generate strong passwords
like Safari does?

~~~
davidy123
I have a similar issue. I use 'keyed' email addresses, in my case the domain
is contained in the address (myname_domain@mydomain.com). This is an included
feature in many mailers, even google supports it youraddress+key@gmail.com.
Anyway, it won't work unless Firefox Monitor supports wildcards.

~~~
snowwolf
I posted the same elsewhere in this thread, but if you are actually using a
domain you control (@mydomain.com) then
[https://haveibeenpwned.com/domainsearch](https://haveibeenpwned.com/domainsearch)

They don't support the gmail alias issue though
([https://haveibeenpwned.uservoice.com/forums/275398-general/s...](https://haveibeenpwned.uservoice.com/forums/275398-general/suggestions/6774229-enable-search-and-notifications-for-email-addresse))

~~~
davidy123
Thank you!

------
userbinator
IMHO the choice of name is unfortunate --- "Firefox Monitor" just sounds more
like another invasive telemetry thing than anything else, and the word
"monitor" itself (outside the context of the computer display) carries
surveillance connotations. "Firefox Leakchecker" or similar would be clearer.

------
paulintrognon
FYI, [http://monitor.firefox.com/](http://monitor.firefox.com/) does not seem
to work. [https://monitor.firefox.com/](https://monitor.firefox.com/) does
work.

~~~
sciurus
You should be getting a 301 redirect from the former to the latter.

------
whyever
Is this more than a reskinning of Have I Been Pwned?

~~~
kibwen
It's basically an effective way to get HIBP out in front of more people. The
announcement from Troy Hunt's side: [https://www.troyhunt.com/were-baking-have-i-been-pwned-into-firefox-and-1password/](https://www.troyhunt.com/were-baking-have-i-been-pwned-into-firefox-and-1password/) :

 _"This is major because Firefox has an install base of hundreds of millions
of people which significantly expands the audience that can be reached once
this feature rolls out to the mainstream. [...] I'm really happy to see
Firefox integrating with HIBP in this fashion, not just to get it in front of
as many people as possible, but because I have a great deal of respect for
their contributions to the technology community. [...] They've also been
instrumental in helping define the model which HIBP uses to feed them data
without Mozilla disclosing the email addresses being searched for."_

------
billysielu
No good if you use catchall to give every site a different email address?

~~~
snowwolf
If you use your own domain,
[https://haveibeenpwned.com/domainsearch](https://haveibeenpwned.com/domainsearch)

~~~
deadbunny
Fantastic, thanks.

------
AdmiralAsshat
What protects the database of people who have signed up for e-mail
notifications when their given e-mail has been involved in a breach?

(Put another way, "What stops this database of breaches from becoming another
entry in the database of breaches?")

~~~
SentientNo4
In that case, all that is leaked is your email address, which is probably in
every email database already. Email addresses are not terribly easy to keep
secret anyway.

------
tumetab1
Would be great if they could work around haveibeenpwned's lack of support for
gmail aliases.

I understand Troy's assessment on the issue but it would be great nonetheless.

------
eklavyaa
The only reason I will try it is because it's from Mozilla, an org I have been
following for many years; otherwise I don't believe in Have I Been Pwned or such. It
looks very fishy providing your email ID: ok if I am not pwned, but I ended up
providing my email ID, which might be sold further :|

------
fogetti
Interestingly the monitor and HIBP give different results (the monitor
excludes unverified breaches).

------
jesuisuncaillou
But. What if Firefox Monitor had a data breach ?

Just trolling here, don't pay attention.

------
hadrien01
Such a shame the website isn't available in multiple languages. It seems it
would be easy enough to understand for non-technical people, but in English
only.

~~~
groovecoder
Stay tuned! Localization is our next highest-priority enhancement.

------
augbog
I get a 429 response sometimes?

~~~
groovecoder
We have wrapped the /scan endpoint in rate-limiting to mitigate and alert on
abusive scanning. We are fine-tuning the rate limit as we see more real user
traffic coming in.
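
The mechanism behind those 429s, as an added example and not blurts-server's own implementation: a per-client sliding-window limiter that refuses requests over budget with a `Retry-After` header and keeps per-key block counts that an alert can fire on. The window (60 s), the budget (10 per window), the keying by client IP and the sample traffic are all assumptions for this example.

```javascript
// Added example, not Firefox Monitor's (blurts-server's) own code: a sliding-
// window limiter of the kind that turns abusive /scan traffic into 429s and
// keeps counts an alert can be raised on. Window and budget are assumed.
const WINDOW_MS = 60 * 1000; // assumed window
const MAX_PER_WINDOW = 10;   // assumed per-client budget

function createRateLimiter({ windowMs = WINDOW_MS, max = MAX_PER_WINDOW, now = Date.now } = {}) {
  const hits = new Map(); // client key -> timestamps still inside the window
  const stats = { allowed: 0, blocked: 0, blockedByKey: new Map() };

  // Returns {status: 200, remaining} or {status: 429, retryAfter} (seconds).
  function check(key) {
    const t = now();
    const recent = (hits.get(key) || []).filter((ts) => t - ts < windowMs);
    if (recent.length >= max) {
      hits.set(key, recent);
      stats.blocked += 1;
      stats.blockedByKey.set(key, (stats.blockedByKey.get(key) || 0) + 1);
      // Oldest hit in the window decides when the caller may try again.
      const retryAfter = Math.ceil((recent[0] + windowMs - t) / 1000);
      return { status: 429, retryAfter };
    }
    recent.push(t);
    hits.set(key, recent);
    stats.allowed += 1;
    return { status: 200, remaining: max - recent.length };
  }

  // Keys whose block count reached a threshold: the thing to alert on.
  function abusiveKeys(threshold) {
    return [...stats.blockedByKey].filter(([, n]) => n >= threshold).map(([k]) => k);
  }

  return { check, stats, abusiveKeys };
}

// Minimal /scan handler shaped like an HTTP response, keyed by client IP
// (assumed to be the real connecting address, already resolved by any proxy
// layer). The address to scan is accepted but deliberately not used here.
function handleScan(limiter, clientIp, email) {
  const verdict = limiter.check(clientIp);
  if (verdict.status === 429) {
    return { status: 429, headers: { "Retry-After": String(verdict.retryAfter) }, body: "Too Many Requests" };
  }
  // The real handler would run the breach lookup here.
  return { status: 200, headers: { "X-RateLimit-Remaining": String(verdict.remaining) }, body: "scan accepted" };
}

// Deterministic run with a fake clock: 12 requests at once from one client,
// then one more after the window has rolled over.
function demo() {
  let clock = 0;
  const limiter = createRateLimiter({ now: () => clock });
  const statuses = [];
  for (let i = 0; i < 12; i++) {
    statuses.push(handleScan(limiter, "203.0.113.7", "x@example.com").status);
  }
  clock = WINDOW_MS + 1;
  statuses.push(handleScan(limiter, "203.0.113.7", "x@example.com").status);
  return { statuses, blocked: limiter.stats.blocked, abusive: limiter.abusiveKeys(2) };
}
```

Keying purely by IP is the usual compromise: it catches a single scraper but lets a distributed one through and can throttle a large NAT, which is why the tuning "as we see more real user traffic" matters.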

------
Hasknewbie
This is a good thing, but frankly I would rather Mozilla fix their own stuff
first, like that password manager that is synchronized across instances but
unlocked by default... You have to remember to set a (new and local) master-
password after each install. Not optimal.

~~~
TheRealPomax
Why would you think this project, and the things you're talking about, are the
work of the same teams in a 1000 employee company? It's far more likely that
there's twenty different things all moving at the same time, and this happened
to be just one of them.

------
_6413
Your isValidEmail() function is incorrectly and redundantly implemented.

    
    
        function isValidEmail(e) {
            const b = /^(([^<>()[\]\\.,;:\s@"]+(\.[^<>()[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/;
            return b.test((e + "").toLowerCase())
        }
    

1. The valid email address n@ai (which used to be the real maintained email
address of Ian Goldberg) doesn't pass this function. People can put DNS
records on TLDs.

2. You're calling toLowerCase() yet the regex is already case-agnostic.

If you're going to attempt email address validation, either go all out[1], or
just use isValidEmail=(e)=>~e.indexOf("@")

[1]: [http://www.ex-parrot.com/~pdw/Mail-RFC822-Address.html](http://www.ex-parrot.com/~pdw/Mail-RFC822-Address.html)
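
To make the two points concrete, an added example that is not Firefox Monitor's code: the regex quoted above is kept verbatim as `SITE_REGEX` and run next to a minimal structural check over a constructed set of addresses, including n@ai and the kinds of typo the reply below is worried about.

```javascript
// Added example, not code from Firefox Monitor. Contrasts the site's regex
// (quoted verbatim from the comment above as SITE_REGEX) with a minimal
// structural check, over a constructed set of addresses.
const SITE_REGEX = /^(([^<>()[\]\\.,;:\s@"]+(\.[^<>()[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/;

// The site's check as posted. The toLowerCase() is redundant: the regex
// already admits both a-z and A-Z everywhere letters are allowed.
function siteIsValidEmail(e) {
  return SITE_REGEX.test((e + "").toLowerCase());
}

// Minimal structural check: something before the last "@", something after
// it, and no whitespace in the domain. Dotless domains ("ai"), IP literals and
// non-ASCII domains all pass; whether mail can be delivered is left to the
// verification email that the service sends anyway.
function looseIsValidEmail(e) {
  const s = String(e).trim();
  const at = s.lastIndexOf("@");
  if (at <= 0 || at === s.length - 1) return false;
  const domain = s.slice(at + 1);
  return !/\s/.test(domain);
}

// Constructed inputs: the cases argued over in the thread plus obvious typos.
const SAMPLE_ADDRESSES = [
  "user@example.com",
  "Alice@Example.COM",
  "n@ai",
  "\"<>;@\\'`{}|.a\"@παράδειγμα.δοκιμή",
  "user@[192.168.0.1]",
  "nobody",
  "foo@",
  "@bar",
  "user@exam ple.com",
];

// For each address, what the two checks say about it.
function compareValidators(addresses = SAMPLE_ADDRESSES) {
  return addresses.map((addr) => ({
    addr,
    site: siteIsValidEmail(addr),
    loose: looseIsValidEmail(addr),
  }));
}

// The addresses on which the two checks disagree.
function disagreements(addresses = SAMPLE_ADDRESSES) {
  return compareValidators(addresses)
    .filter((r) => r.site !== r.loose)
    .map((r) => r.addr);
}
```

On the constructed set the two checks agree on every plain typo (`nobody`, `foo@`, `@bar`, a space in the domain) and disagree only on n@ai and the quoted-local-part, non-ASCII-domain address: the stricter regex buys nothing against the typos DanBlake cites below and costs the RFC-valid edge cases.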

~~~
DanBlake
I disagree. While n@ai might be a technically valid email, it's such an extreme
edge case (maybe 1 out of 1,000,000 people have an email like this) that it's
worth denying that person registration to keep the likely thousands of
erroneous emails from being entered incorrectly and the time that goes into
correcting them. Same thing goes for addresses like
"<>;@\'`{}|.a"@παράδειγμα.δοκιμή

Honestly, if you decide to use an email like n@ai you already know what to
expect. Most services won't let you sign up, and even if they do most will
likely incur errors in the application when you attempt to do things.

In reality, while it may be 'in spec' to use such an email, we can all hope
that edge cases that allow it are changed and the legacy 'rules' that allowed
it in the first place phased out completely.

So, in practice in the 'real world' n@ai is not a valid email address and
never will be. If I create a web application you can bet your bottom dollar I
won't allow it and I will create less work for myself by doing so.

~~~
saagarjha
It might be worthwhile presenting a warning to the user, with an option to
forcefully override it.

~~~
DanBlake
So, that's more code you want me to write, to support how many total potential
users on the planet? I'm good. They knew what they signed up for when they
chose to use an email like that and I am sure every single one of them has
another email they use for this case.

In fact, I bet many of them are so frustrated with the errors of nothing
working that they don't even attempt to sign up for things with the email most
times.

