Slashdot Mirror

← Back to Stories (view on slashdot.org)

Firefox Monitor Will Inform You of Data Breaches (venturebeat.com)

Posted by msmash on from the good-moves dept.

Earlier this year, Mozilla announced Firefox Monitor, a service that will inform you if your online accounts were hacked in a recent data breach. It's now available to general public. A report adds: For the new security-focused tool, Mozilla partnered with Troy Hunt, the renowned security expert behind Have I Been Pwned? (HIBP), which is a database of data breaches that allows anyone to discover whether one of their online accounts has been compromised. The first iteration of Firefox Monitor is, for all intents and purposes, a clone of HIBP. After you enter your email address and hit the scan button, you're told which online services have leaked your personal details (if any). You can also sign up to be notified of any future data breaches involving one or more of your email addresses.

13 of 34 comments (clear)

  1. If you don't use Firefox... by The+Original+CDR · · Score: 2, Informative

    Try Have I Been Pwned website to check your email address against known data breaches.

    1. Re:If you don't use Firefox... by Anonymous Coward · · Score: 2, Informative

      Since you didn't read TFA...

      It is also worth noting here that Firefox Monitor isn’t actually restricted to Firefox — it‘s a web page that can be accessed from any browser.

      So, why even bother?

      So what is the deal here — why bother launching a Firefox-branded version of an existing popular database? Well, there are a couple of likely reasons.

      From HIBP’s perspective, having the weight of Mozilla behind it will significantly boost awareness of its database. HIBP currently has just over 2 million people signed up for breach alerts, which sounds like a lot until you learn that there are 3.1 billion unique email addresses in the HIBP database. This means less than 0.1 percent of breached email addresses are being monitored by their respective owners.

      and

      From Mozilla’s perspective, bolstering its security credentials through tie-ups with well-respected platforms such as HIBP can only add to its reputation. However, as noted already, Firefox Monitor in its current guise isn’t much of an integration because it doesn’t really feed directly into the Firefox browser. Instead, it appears Firefox Monitor as it stands is essentially a minimal viable product (MVP) upon which deeper integrations can be created.

      Finally,

      Mozilla is already piloting a password management tool called Firefox Lockbox, which enables users to store and auto-complete usernames and passwords for websites they visit. Have I Been Pwned? already integrates with password manager 1Password, and it would make a great deal of sense to properly integrate Firefox applications such as Firefox Lockbox with the HIBP database so that users can be informed the moment an online data breach is detected.

    2. Re:If you don't use Firefox... by sproketboy · · Score: 1

      And what do **they** do with that email?

  2. Yep, it's good. by raymorris · · Score: 1

    Troy and his site are good.

  3. It will probably be breached itself. by Anonymous Coward · · Score: 1

    Probably by a disgruntled XUL extension developer.

  4. A seed of an idea that never grew by raymorris · · Score: 1

    So far, this looks to me like something that happened with me once. The Firefox team liked the site and liked the idea of working together somehow. But then nobody really had a great idea of *how* they could work together in a way that really adds value. After the excitement of the idea of working together, what was left was how browsers work with web sites - they display them.

    After I read a book called Zero Bugs and Program Faster, I really liked what the author was doing. It aligns with my mission to improve the reliability and quality of software everywhere by teaching programmers how to make more reliable software. I emailed the author, Kate Thompson, telling her I enjoyed the book and "we should work together on something sometime". She replied "play how? Work on what?" Um, I don't know. :)

    I think some political ideas are like that. They sound great on a bumper sticker. Then when you try to actually put them into action, to decide exactly what to do and how to do it, it turns out the phrase is only good for a bumper sticker, there is no actual policy that makes any sense to do there. I ran into that the other day when someone knocked on my door to pitch the Democrat candidate running for the House in my district. She mentioned a couple bumper sticker slogans, so I asked "cool, what exactly do you mean by ____?â She had zero answers, no policy ideas, just a bumper sticker that sounded good until you ask what it means.

    1. Re:A seed of an idea that never grew by theweatherelectric · · Score: 1

      It aligns with my mission to improve the reliability and quality of software everywhere by teaching programmers how to make more reliable software.

      Tell me about it. Choosing better programming languages to start with is one of the most important steps to improving reliability and quality. It's amazing how much people want to stick with "what they know", even when what they know isn't borne out by the practical realities.

      What I find disappointing is that even when you demonstrate that the same result can be delivered in less time with higher performance in languages like Pascal or Rust, C programmers still try to justify the use of C based on articles of faith, camp fire stories, and straight up mythology. It's intellectually dishonest.

      Luckily, some C programmers are starting to see the light. We'll get there eventually.

  5. Re:If you want to be pwned by Shikaku · · Score: 2

    The only entrapment is not knowing. https://haveibeenpwned.com/Pwn... You could just manually browse this list if you are really that paranoid though.

  6. Damn FF by rojash · · Score: 1

    Ever since they forced that read later crap and no keywords in BMs...i think Vivaldi is the better option

  7. Conspicuously Absent? by gerald.edward.butler · · Score: 1

    Where is the information about the Equifax Breach? This is far more troubling than Last.fm, Disqus, LinkedIn, etc. How the Equifax corruption is permitted to stand by the American people is beyond me.

  8. Plugin/Extension? by coofercat · · Score: 1

    Once again, an excellent idea that should be a plugin (arguably pre-installed on new installs).

    The whole password store, and even form-filling feature should be a plugin. In my case, Dashlane does all of that stuff (including the Have I been Pwned thing, so I don't need Firefox doing it. It would be rather good to be able to remove all that code from the running browser by removing the plugin.

    1. Re:Plugin/Extension? by chrish · · Score: 1

      So, I had this idea a while back where I'd make a plugin or whatever to check for people re-using bad, pwn'd passwords. I diligently collected about 40GB of breached password data (that's after I threw out everything but the cracked passwords themselves).

      After filtering for uniqueness and slapping everything into a database, it was still something like 16GB. I lost interest in the project before I found a clever way to reduce this further.

      The data set is too huge to install on a mobile device, and pretty unreasonable for a browser plugin. And nobody would trust a website that says "type in your password to see if it's already part of a data breach!".

      --
      - chrish
    2. Re:Plugin/Extension? by coofercat · · Score: 1

      But this isn't that - it's basically a Have I Been Pwned service, integrated into the browser. It checks usernames, not passwords.

      I'd agree about your size issues and the privacy issues too. However, it could be solved by hashing the passwords before sending them to the server. The server would then not need any plaintext passwords either - just hashes of them using whatever hashing algorithm the plugin uses. You'd still have a trust issue to solve, but as I say, that's different to what's being offered here.