[Owncloud] Mozilla sync integration project

Michiel de Jong michiel at unhosted.org
Tue May 8 12:33:54 UTC 2012


right! oh, i hadn't thought of that option. treating the ownCloud
instance as a Sync client device rather than as (only) the Sync
server. i still think it breaks the security model though.

if you're going to store the data without encryption on an always-on
server like ownCloud, then why not just use transport layer
encryption? Mozilla Sync goes through the painful restrictions imposed
by end-to-end encryption because no trusted server is available. if
you start trusting the server, then it's silly to keep encrypting the
data at rest.

i mean i don't want to poop the party if people want to implement it.
you can certainly do it. i'm just saying that from an architecture
perspective it's a bit silly. because the key would be right next to
the encrypted data.

On Tue, May 8, 2012 at 1:52 PM, Stephan Schulz <lists at seron.de> wrote:
> Great to have that discussion over here. I partly disagree with Michiel. If a user decides to trust his ownCloud on his own server by storing the private key on it, it is very similar to trusting another instance of Firefox on a different computer by providing the key there. That of course only applies if the user is also the owner of the ownCloud, but that might often be the case here.
> What would be great is if the user can decide whether to trust the ownCloud instance or not, by providing the user the option of both possibilities.
>
> Stephan
>
>
> ----- Original Message -----
>> On Tue, May 8, 2012 at 7:45 AM, Timmeey <timmeey at timmeey.de> wrote:
>> > I don't think that it is possible to access these Firefox sync data
>> > if we use the Firefox sync API. Coz by design everything gets
>> > encrypted by Firefox itself.
>>
>> exactly. it's host-proof hosting. ownCloud does not get to see the
>> data. the advantage is that if your ownCloud server gets hacked, your
>> bookmarks and potential other things you may have in there are still
>> safe.
>>
>> >
>> > Maybe there is a way. If we find a way for the users to get the
>> > encryption key out of Firefox, then they could give it to ownCloud
>> > for "on the fly decryption" of the data.
>> >
>>
>> no, that would totally break the design. the idea of Mozilla Sync is
>> that you store your private stuff on an untrusted server, using
>> host-proof hosting. if you start giving the private key to the data
>> server, then you end up with something that's broken.
>>
>> it is definitely an interesting goal to have your bookmarks and
>> browser settings on your ownCloud, but the way to achieve that would
>> be to allow a "don't encrypt" option in Mozilla Sync. It would also
>> be very interesting to tie that in with the webfinger app and Mozilla
>> Persona.
>>
>> but if you're purely looking at using ownCloud for Mozilla Sync, then
>> IMO you need to respect its end-to-end encryption design.


