Thursday, January 1, 2009

Mozilla Weave

In my last post, I mentioned that Mozilla Weave is supported on the mobile version of Firefox (as seen on the Nokia N900) as well as "full" PC Firefox. I had just started trying Weave, and I think it's time to throw up a post specific to my thoughts of Weave and online syncing in general.

Two, maybe three years ago I was constantly getting frustrated by my un-organized bookmarks. I actually keep everything tidy on all my computers, but the problem was I had multiple computers, each for a different use. I didn't have one "Internet only" computer, I surfed on all my PCs. I tended to surf on whatever PC I happened to be sitting closest to. This means my bookmarks would be scattered across 3 different computers.

At this point I was aware of file syncing utilities. I was currently using BeInSync (now shut down) to keep my notes, applications, spreadsheets, and whatever else synced between PCs. If you're not familiar with this type of program, it syncs files and folders of your choosing over the Internet instead of over your home network, so if you're anywhere away from home with Internet access, everything stays updated. It's all automatic, and generally these programs save old revisions and backups in addition to syncing everything (currently I use the mostly-free Dropbox to do this).

A little about security. Dropbox is really just a piece of software that acts as a middleman between your PC and an online storage service like Amazon S3. It also provides an in-browser dashboard to access and manage your files while away from the PC being synced. I like it a lot, but how secure is it?

With Dropbox, your files are protected by encryption as they're transferred and as they're stored on whatever server they're on. This is good. This should be the bare minimum. However, Dropbox has the keys. This means that while someone outside of Dropbox's system/company probably wouldn't have access to the encryption keys, there is still the possibility that someone inside the company could gain access and look at your files. I know nothing about how they safeguard their keys, I'm just stating the fact that when someone else holds the encryption keys, a lot of the security aspect moves out of your control.

Other utilities, such as SpiderOak, have you provide the passphrase (that the key is generated from) and they don't know it! Your files are encrypted on your PC before they're transferred to their servers, and they're not un-encrypted until they get back on your PC. If you find this confusing, look at it this way:

I'm a messenger, but I won't give the message to anyone who doesn't know the password. I may be very good at keeping other people from hearing your messages, but I myself have access to them. This doesn't mean I'm corrupt, or that I'm going to read your messages, it only means I could. This is comparable to Dropbox's security.

I decide to encourage more confidence in my services. I give all my clients access to cryptography tools. Now they give me coded (encrypted) messages which I deliver to other people. These recipients know the code and they can decipher them on their own. Everybody outside of this system is still prevented from seeing the messages, but now I, the messenger, cannot read them either. This is more similar to SpiderOak and Mozilla Weave's security.

(By the way, this second method still has a significant vulnerability. Since I, the messenger, have access to all the coded messages, if I'm smart enough and see enough of their messages I can probably figure out the code they're using. It's the same with encryption. The more you use a key the less secure it is, so if you have really important information you should change keys often.)

If you don't trust anybody's security, you can always use a free encryption program like TrueCrypt to secure files before any of these services sync them. Also, I recommend SpiderOak to anyone who has problems with Dropbox in Linux; SpiderOak was much easier to set up.
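The second messenger arrangement (encrypt on your own PC, hand over only the coded message) can be sketched as follows. This is an added example, not code from the original post or from Dropbox, SpiderOak, or Weave; `SyncProvider`, `seal`, and `unseal` are hypothetical names, the iteration count is an assumed value, and the HMAC-based keystream is a standard-library stand-in for a real authenticated cipher such as AES-GCM.

```python
import hashlib, hmac, secrets

def derive_keys(passphrase, salt):
    # PBKDF2 stretches the passphrase into an encryption key and a MAC key (iteration count assumed).
    okm = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=64)
    return okm[:32], okm[32:]

def keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode: stdlib-only stand-in for a real cipher (e.g. AES-GCM).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(passphrase, plaintext):
    # Client side; layout salt(16) | nonce(16) | ciphertext | tag(32). Fresh salt => fresh key per blob.
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag

def unseal(passphrase, blob):
    # Client side. Raises ValueError on a wrong passphrase or a modified blob.
    if len(blob) < 64:
        raise ValueError("blob too short")
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))

class SyncProvider:
    # Hypothetical storage service: it only ever holds opaque blobs, never the passphrase.
    def __init__(self):
        self.blobs = {}
    def upload(self, name, blob):
        self.blobs[name] = blob
    def download(self, name):
        return self.blobs[name]

def demo():
    provider, passphrase = SyncProvider(), "correct horse battery staple"
    note = b"constructed sample: admin login for the home router"
    provider.upload("notes.txt", seal(passphrase, note))
    stored = provider.download("notes.txt")
    return note in stored, unseal(passphrase, stored)
```

`demo()` returns whether the plaintext is visible in what the provider stores, and what the client recovers with the right passphrase.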

Back to my bookmarks problem, I eventually found FoxMarks, now called Xmarks, which started out syncing bookmarks and now syncs passwords as well. While I like Weave better (oops, spoiler!), Xmarks will probably work better for some people, because it not only supports Firefox, Internet Explorer, and Safari (with Chrome on the way), it syncs bookmarks across those browsers. If for whatever reason you use different browsers, you can keep your bookmarks updated across all three (I don't know if they sync passwords across different browsers, their "Feature" section only specified bookmarks).

Xmarks is extending its use, or trying to, by also providing extra information in search results like how often a site is bookmarked. I completely ignore all this, I just want my stuff synced, but that's another feature others may find useful.

(Also, I can't speak to the security of Xmarks because when I started using it I wasn't security-minded enough to investigate, and now that I'm not using it anymore, well, I can't be bothered. Look it up for yourself.)

Now, Mozilla seems secure, they don't store our keys or probably even know them, so does it work?

It works really well. It syncs bookmarks, passwords, history, and open tabs. I can't express how cool this is. If you're at your desktop, but you want to go into the living room, just grab your laptop or netbook (or N900) and go. In the file menu, go to History > "Tabs from other computers" (it should be right above "Recently Closed Tabs"). That should list every tab currently open on any of your other PCs that have Weave activated. You can click on an individual page to open it, or you can click on a computer's name and open all of its tabs.

As for syncing history, the pages listed under "History" in the file menu show the history of that specific computer. However, the CTRL+H history sidebar seems to show the history of all your computers. The collected history really comes into play when typing in the address bar. As most regular Firefox users know, you can type a web address, or even words from any page in your history or bookmarks and matches will pop up on a list below the address bar. Just type in one word of a page's title and that page will probably be suggested.

And that brings us to the drawback, the only one that I can think of. Some people don't like the added-functionality of the address bar (which Mozilla calls the "Awesome Bar"), in fact they disable it. Remember how, even pre-Firefox, when you'd start typing in the address bar all the recently entered web pages would show up? And some embarrassing entries were bound to be revealed? Crafty people like myself realized that if you typed the address into Google, Google would give you a link, and clicking on that link kept the website from showing up in the address bar's history. Easy fix.

Now, the address bar acts as a search utility that scans all bookmarks and history. See the problem there? And that gets transferred to all your computers? Firefox's answer to that is the fairly-recent "Private Browsing Mode". When in this mode no history is recorded anywhere on your computer. Another addition should be made to allow the hiding of bookmark folders, or allowing certain bookmarks to be excluded from "Awesome Bar" searches.

You know, an even better solution would be a "guest mode" you can activate if someone wants to check their email on your computer, a mode that can't be exited without a password. There are more applications than just shielding porn surfing. Some of my admin user names are stored in my browser, I don't want people seeing them. So are searches for Christmas and birthday presents for friends (I have friends! Who says I don't?).

In a lot of ways, giving someone full access to your web browser is like giving someone full access to your diary. Weave will make it slightly more so. That doesn't mean 'don't use Weave.' It means, use Firefox, use Weave, because they're awesome. Then, if someone wants to check their email, launch Internet Explorer.

That's what I do anyways,