Google Releases Google Browser Sync Extension

Pneuma ROCKS writes "Google has just released the Google Browser Sync extension for Firefox. This extension allows you to save your bookmarks, history and passwords on Google servers, effectively giving you a 'roaming profile,' which you can sync on any computer running Firefox (and the extension, of course)."

Encrypted?

[Buran]

This says nothing about whether the data is encrypted in transit or, more importantly, on the servers. I don't like the idea of Google or anyone who might hack in snooping on this data.

Re:Encrypted?

[0racle]

Well if you already use GMail, what's a little more personal information? Of course Google can index it and add it to the increasingly large profile of you.

Re:Encrypted?

[Jah-Wren+Ryel]

Actually, it does say it will be encrypted:

Its not really clear about how much of your information is encryped. Your passwords yes, but your browsing history? Your bookmarks?

I would expect google to want to datamine both of those things, but I would not feel comfortable giving it to them in a form that they could use because it means that someone else, like our friendly NSA for example, could use it too.

With that in mind - does anyone know of an extention that does the same sort of sync, but encrypts everything and lets you store it on the website or ftp server of your choice (presuming of course that you have write permission there)?

Re:Encrypted?

[Random+Destruction]

by saying nearly, they saved themselves a world of hurt if someone manages to crack one some day. Pretending encryption is 100% secure is foolish.

Re:Encrypted?

[Kadin2048]

The "nearly" is just them doing the usual corporate CMA.

If I were overseeing a high-profile company who was releasing a product that in any way used encryption, you can bet I would couch every claim about its security with some sort of qualifier.

No intelligent person ever uses superlatives when discussing encryption, unless you want to be on the hook in case it ever gets broken.

Re:Encrypted?

[MobileTatsu-NJG]

"It depends on how much of correct data you provided when you signed up."

I don't think it's as simple as that. If you're using GMail, you're likely logged in to Google every time you do a search. Do a bunch of porn viewing, and Google has the means to link that to your login. Take it a step further and keep your bookmarks there.. well... they certainly have more to draw on.

Personally, I'm not so worried about what Google sees. I'm worried about the recent moves by the gov't to collect that info. Google is unintentionally setting up a nice little trap for a bunch of people. (No, this isn't a Google is evil statement, just pointing out the dangers of centralizing all this stuff.)

Re:Encrypted?

[tftp]

If you're using GMail, you're likely logged in to Google every time you do a search.

Why should I do that? No, of course I don't stay logged in any more than it is necessary.

Google is unintentionally setting up a nice little trap for a bunch of people.

I don't believe that founders and managers of a multi-billion dollar enterprise are so dumb that they don't realize what they are doing. I am convinced that they are perfectly aware of all the implications - they know them better than we do, it's their business after all. Also, the government is not silent on the matter - it approached Google already, so claiming innocence won't work. Google knows damn well what it is doing, and that is to become the ultimate data warehouse for, and about, everyone on the planet. And all that data will be for sale.

Re:Encrypted?

[MobileTatsu-NJG]

"I don't believe that founders and managers of a multi-billion dollar enterprise are so dumb that they don't realize what they are doing."

I was not trying to imply that. They obviously feel very comfortable with what they're doing, but that alone will not protect their users. In theory, the gov't shouldn't have even asked them for the records, yet it still happened. Worse, we've got a monkey in the white-house that may bend the rules a bit to try even harder. Now maybe my imagination's getting ahead of me, but just because they think they know what they're doing doesn't mean anybody's safe. Once you've commited the data to Google, that's it, you cannot undo it.

Re:Encrypted?

[the100rabh]

Its clear that its a HTTPS thing...so how security is not much of concern.....I browse in office and home....Now I have the bookmarks perfectly synchronised....whats better for me than this...Its just a matter of trust thats all...the day trust is broken its all over

Re:Encrypted?

[Red+Alastor]

And what prevents you from unzipping the extension and looking inside ?

Re:Encrypted?

[azuretek]

I'm pretty sure from what I read of their FAQ that the encryption/decryption is all client side. I wouldn't imagine they keep the PIN on their server.

I haven't looked at the actual firefox extension but it wouldn't make sense to offer encryption and still store the PIN.

Re:Encrypted?

[vux984]

I haven't looked at the actual firefox extension but it wouldn't make sense to offer encryption and still store the PIN.

It would if the point of encryption is to keep it private *in-transit*. Just as HTTPS doesn't prevent the site you are interacting with to get all that data you submitted, the encryption prevents bystanders from seeing it.

So all this encryption does is give you some security that nobody but google will be able to see it. So if you value your privacy at all the question remains, do you trust google with it? Do you trust google to look out for your interests, even under government pressure?

Just for Now? or Always and Forever?

I'm with that other individual: Is there any extension that does this with an ftp/webdav/... server of *my* choice?

Re:Encrypted?

[blirp]

> If you're using GMail, you're likely logged in to Google every time you do a search.

Why should I do that? No, of course I don't stay logged in any more than it is necessary.

Unless you make sure to clear all Google-cookies after logging
out and before logging back in GMail, it won't really matter
if you're logged in at the time you're searching or not.

M.

Re:Encrypted?

[ergo98]

People that have access and sufficinet skill and the motivation, find much more profitable ways
to exploit their power than to read your ultimately important personal data from gmail. I find
it interesting that people have such an ego boost that they imagine that from the half a billion
interactive net users, they and their pocket money are the targets of all the hackers.

I'm amazed that anyone would still say something this stupid (and that others would actually moderate it up). I seem to get several dozen phishing attempts per day, with people trying to gain access to my PayPal, Ebay, bank accounts, and other online services. I guess I must be stupid and rich to gain the attention of such target limited hackers, right?

No, of course not. Not only are there countless hackers out there with nefarious intentions, but usually their dirty work can be automated -- e.g. a simple trojan that your cousin has on his laptop, which then takes over your router in a method only possible from the inside (or installing a net listener), then automatically relaying whatever information they want. This is ignoring the fact that carriers aren't exactly the pinnacle of security, and it's entirely possible that curious or criminal employees have net monitors, and that's not even including the whole government angle.

The "security doesn't matter because no one cares about you" angle was dumb when people were saying it in the 90s. Now it just strikes me as unbelievable.

I have zero trojans of viruses on my PC (despite your defeatist "why bother fighting them?" attitude), and I want sensitive communications to be encrypted. Everyone should demand the same.

Ps. if you are familiar with how SSL or any exchangeable keypair based encryption protocols work,
you should realize that people who have constant access to your network traffic, will find out your
information anyway.

Wow, really? Care to enlighten us on how that could be, apart from some temporary implementation defects in a couple of clients (such as Internet Explorer). I call bullshit, and say that the entire foundation of your argument is ignorant nonsense.

Re:Encrypted?

[jdbartlett]

Just tested your theory using "personalized search". If they are logging search results of logged-out users, they aren't displaying them in the "personalized search" database. It'd also give them pretty inaccurate data - people logging out of a public machine aren't necessarily going to wipe all cookies in the browser for the next user (unless a very sensitive sysadmin has set the machine up to do this every time the browser closes).

I call tinfoil hat.

Re:Encrypted?

[nacturation]

So the information you're revealing is your personal interest in the subject matter of those mailing lists. Marketers don't necessarily care what your name is... they just want to know what to market at you. If you buy, they'll get your particulars then.

Ads will conveniently follow your bookmarks

[atlacatl]

Google's brand, I think, is being devalue with their main revenue stream being advertisement.

You know that all that information about bookmarks and favourites will be of use to marketers.

From my part, for now, I will pass...

Re:Ads will conveniently follow your bookmarks

[generic-man]

Google can already follow you around the 'net using their ad network. Blogs, photos, news sites, etc., all have Google Adsense. That same cookie builds up a wealth of data about you. If this offends you, putting your bookmarks up on Google shouldn't be any worse -- what could you possibly be telling them that they don't already know?

(Besides your passwords to other sites...)

Re:Ads will conveniently follow your bookmarks

[bergeron76]

He's actually right. If your main source of revenue is advertising dollars, your biggest asset is your "client base" and all the information you have about them - basically a big database about who likes what and how you can contact them. Put those two things together, and you have a goldmine for corporate marketing/advertising departments. They even have a very ubiquitous software application called "Goldmine" (a CRM app).

Joe Q. Public likes Jessica R. Abbit, but he's a high-schooler on a budget. Instead of sending him the add for the Tacori Diamond bracelet, let's send him the advertisement for the CVS box-o-chocolates. He's more likely to respond to that ad, which results in increased revenue for GOOG.

Information is valuable. Organized information that no one else has is "invaluable"!

Re:Ads will conveniently follow your bookmarks

[jhoger]

Yes, because as everyone knows, businesses being able to more effectively communicate and accurately target the right customers is the worst thing that can happen.

Really, marketing is not a dirty word...

-- John.

Re:Ads will conveniently follow your bookmarks

[killjoe]

Any information Google can collect, MS can collect. They own the OS remember?

Re:Ads will conveniently follow your bookmarks

[Stop+Or+I'll+Noop]

The data is encrypted before being sent to Google's servers. Nice knee-jerk reaction though.

Mod parent down. So what if it's encrypted iF Google has the encryption key. From the FAQ:

Why do I need to provide a PIN?
The PIN you create during setup is used to encrypt information that's synced between your computers, which may include sensitive information such as your passwords for websites. We use your PIN to unlock that information.

Re:Ads will conveniently follow your bookmarks

With all of the unnecessary account fees banks charge, some might argue that yes, they are in fact stealing your money.

Re:Ads will conveniently follow your bookmarks

[RedWizzard]

He's actually right. If your main source of revenue is advertising dollars, your biggest asset is your "client base" and all the information you have about them - basically a big database about who likes what and how you can contact them. Put those two things together, and you have a goldmine for corporate marketing/advertising departments. They even have a very ubiquitous software application called "Goldmine" (a CRM app).

All of which is completely irrelevant to this discussion because the information you are givng them is encrypted and they can't read it.

Re:Ads will conveniently follow your bookmarks

[krunk4ever]

This can really be interpreted in 2 ways:

We, Google Server, will use your PIN to unlock that information
OR
We, Google Client App, will use your PIN to unlock that information.

I personally don't see why Google would ever need to unlock the encrypted information on their side (unless they want to be evil), and obviously, it won't be you who's unlocking the information, but the firefox extension (we, google client app) will be.

Eggs in one basket

[RapedByKateMorrow]

Even with Google's recent show of contrition over their actions with the Chinese Government, I'm not sure I'm willing to trust them to know which sites I think are worth visiting repeatedly. Granted, they have many details on me already - I have a gmail account and it's not a secret to them which IP I use when I search for, um, educational material, but I'm not ready to put my personal documents in Google's hands, and I consider my list of favorite sites very personal (for educationl reasons, of course).

Trust

[Ajehals]

If you trust Google then this could be great! if you don't then feel free to bash this as a blatant grab for yet more personal data.

Either way you cant say Google aren't pushing to see what users want, and integrating it into whats good for Google. My opinion? I don't know, I like and trust goggle as much as I trust any corporation, but do I want them to have yet more information about me? Probably not. So personally I will give it a miss, although it might be useful in the future, and if it takes off in internet kiosks (and why not) then all the better. It has some serious benefit to people who travel regularly and don't own laptops and PDA's.

Cue the "tin foil hat" posts, closely followed by the "there is no privacy anyway" posts possibly followed by some random "I don't like the new layout" posts.

My passwords trough the windows ?

[Mike+Zilva]

I do store localy *some* passwords on my Linux's Firefox, but when I'm not home I don't even login to some websites just cos I don't trust all the software instaled on that machine (including the OS).
How can this extension protect in any way some personal data on forign computers from spywares and viruses? (not to mention they will be on an internet server somewhere)
Maybe I'll use it for the bookmarks, after all it might be very handy ;)

PageRank?

[cashman73]

I can see how they might be interested in the bookmarks and browser history information. This could help augment the PageRank algorithm to possibly cut down on all the scammers trying to increase their PageRank by google-bombing. If they can collect data on what sites people actually visit, based on their own browsers, this would be very useful. Of course, the NSA might want this information, too,... ;-)

Pretty much no security

Google says you can encrypt your data with an 8 character password so that "not even Google" can see it [1].

Quick math. 26 lower case letters + 26 upper case + 10 numeric characters. (should cover most users)
62^8 possibilities. Google probably has about 100,000 servers [2], so that's about 2 billion combinations per server [3] - chump change.

AYPABTG.

8 character passwords work because servers can throttle bogus logins - few seconds delay after 3 failed attempts for example. There's very little security against an "adversary" like Google who is able to try all the combinations unabated.

Thanks for playing!

[1] http://www.google.com/tools/firefox/browsersync/fa q.html#q10
[2] http://www.intel.com/cd/ids/developer/asmo-na/eng/ 202679.htm?page=3
[3] http://www.google.com/search?hl=en&lr=&q=(62%5E8)% 2F100000

It's to protect themselves

[FhnuZoag]

In a word, they won't. The data's encrypted, so there is literally no way they can enforce it.

The 'pledge' is basically legal protection, so that if someone did use the extension to do whatever bad things, (and really, most of them seem pretty impossible to use the extension to do) Google will not themselves be blamed. Realistically, this sort of measure probably won't get them very far in a real court case, but hey, every little helps.

You can encrypt everything it can sync

[Dan+Berlin]

If you look at the settings, next to every checkbox for "sync this", there is another check box for "encrypt this".
Literally everything it can sync can be encrypted.

Second, it syncs much more than bookmarks.
I for one, enjoy having my history, tabs, and windows saved between the laptop and desktops I work on.

Re:For those who are loathe ...

[Blakey+Rat]

When he says "any computer" he means "any computer except the 95% running Windows." Just clearing that up for you. :)

Re:For those who are loathe ...

[NoMaster]

Yes, because nothing protects your bookmarks more from the prying eyes of the world's biggest web-crawler than dropping "bookmarks.html" into a publicly-viewable web directory...

(I just tried it on your site, Roberto Sanchez; noticed you haven't done it ;-)

Ironically

[StarKruzr]

Personally I have been copying my bookmarks.html to ~/public_html for years.

This is precisely what a "home page" originally was.

Re:Pr0n

[Zathrus]

Wait, I don't want all my bookmarks from home in my work browser!

And I don't want all of my work bookmarks in my home browser. I have a number of work-related bookmarks that point to local files (such as Oracle docs) and to places on the corporate intranet. Both are useless to me from home (the intranet ones may be useful if I was VPN'd, but that's exceptionally rare).

I would love to find a bookmarks synchronizer that allows you to exclude bookmarks and still work through the regular bookmarks menu.

Ultimately I'd like to have "groups" of bookmarks and be able to synch particular groups between systems. I've seen some that have this concept, but they don't work through the regular bookmark menu.