

Mozilla uses server-hosted JavaScript to 'secure' user passwords - wtbob
https://accounts.firefox.com/scripts/0f968594.main.js

======
striking
[http://hg.mozilla.org/mozilla-central/file/0a8b3b67715a/secu...](http://hg.mozilla.org/mozilla-central/file/0a8b3b67715a/security/manager/boot/src/StaticHPKPins.h#l729)
shows that [http://accounts.firefox.com](http://accounts.firefox.com) cert is
pinned. Only Mozilla has the power to attack you.

Also, if you think there's a security issue, maybe file it on Bugzilla before
HN. Probably a better place to put it.

(Password stuff in JS is truly sketchy though. That much I can agree with.)

~~~
wtbob
> Only Mozilla has the power to attack you.

Ah, good to know, but still not good. The whole point of a secure
password-storage mechanism should be that all they can do is delete passwords,
not decrypt them.

> Also, if you think there's a security issue, maybe file it on Bugzilla
> before HN.

I took a look at Bugzilla, but it looked like a pain to sign up and I couldn't
tell quickly where & how to file security issues vice bugs.

And to be honest, I was also a bit angry about how they completely removed the
brilliant crypto they used to use. Given that they seem to think that this
reduction in security is perfectly acceptable, I figured that publicity was
more likely to effect change.

------
wtbob
This means that at any time Mozilla can replace that JavaScript and steal
end-user passwords. Anyone who can successfully MITM Mozilla (i.e., anyone with a
trusted certificate: this includes CNNIC, the Government of the Netherlands,
the Government of Spain and others, as indicated in
[https://wiki.mozilla.org/CA:IncludedCAs](https://wiki.mozilla.org/CA:IncludedCAs))
can successfully do the same.

And yes, this means that anyone with a Lenovo laptop who changed his Firefox
Account password must now change every single password he has ever synced,
even if he's never logged onto a particular site with that laptop.

