My Pains with Firefox Sync

Let me start first about how I got here.
Quite honestly, I didn't use Firefox Sync when it got introduced. I didn't want to make an account for my web browser. (stares at Chrome users)

That changed when I started dualbooting Windows and Linux. Being able to access my browser data was important for me for the transition from Windows. If all my browser data was on Windows, then I would rather boot to Windows so that I can access it all. Having two isolated profiles was a problem.

So, I did what any reasonable person would do in this scenario: Create a cross-OS NTFS partition for shared data between the operating systems

That worked for a while really well actually! But at some point the data corrupted. My extensions stopped working and went poof until I disabled and enabled them again, loading websites took forever as if it didn't load sites at all. I remember I used a website to test if the storage of Firefox was working correctly, but I can't find the exact URL.
I believe the cache / storage of Firefox corrupted somehow, but I didn't have the expertise or skills to seriously analyse that.

While I could have just fixed that issue, creating a new profile and moved on with my day, it proved to me that cross-OS storage was probably unreliable.

So, what else can I use? I look up the web and

Firefox Sync #

That leads us here. The premise is simple, you log into your Firefox account and you can sync your settings, autofill things and history to other devices. Alongside that, you can also send tabs to your different devices in case you wish to work somewhere else.

And honestly, that's all I could ask for Sync but there's some glaring issues.

Syncing delay #

There is a delay for Syncing between devices. The main job of this feature is to synchronize my browser elements to other devices. When I open Firefox on Mobile for example, I expect my history to be there ASAP.

Right as I'm writing this, I have an article open about the Hippocratic Oath.
So say, I want to go downstairs and talk with somebody about the rabbit hole I went into.
I pick up my phone, I open the browser history on my mobile Firefox Developer edition and it's not there!

So I check the Account tab, I press Sync Now. I check again and it's not there.
So I go on Desktop, check the Account button and
Firefox Desktop being stuck on "Syncing..."
ah.

So after I ask for a manual sync on Desktop, resync on Mobile again, I can actually view my updated browser history.

It can take a bit before history properly synchronizes, if at all. That's a massive pain and hampers this system.

Syncing is hard on mobile / in general #

I disagree! I have another thing synced between my mobile and desktop (hello potential attackers), I sync my KeePass database file between my phone and my PC using Syncthing.

Despite the limitations of Android, Syncthing manages to perfectly sync my password database without a hitch and without noticeable delay.
I don't mind if Firefox runs in the background like a lot of apps do (Telegram, Syncthing) if this allows the app to more reliably operate (if a toggle is provided of course).

Same for sending tabs #

Sync allows you to send tabs to your device, I get a notification or a tab opens on my device. And honestly, this feature can be a bit of a dice roll.

I believe that's an Android issue though and probably closely related to everything above. Now that I have recently opened Firefox and often, the notification for the sent tab is almost instant. But I don't always have Firefox open, especially when I work at my desktop.

This is probably due to Android not allowing apps to have background activity without workarounds or only work delayed. I frankly aren't educated enough on the topic to elaborate much more on this as much as I'd like to.

KEY STUCK, KEY STUCK, PLEASE #

As much as I can bear those issues, there is an issue that I seriously cannot understand. Firefox Accounts does not have WebAuthn! That's unforgivable.
If you breach my Firefox Account, you can cause a lot of damage. Firefox Sync can synchronize: Credit cards, Logins and passwords, Addresses, History, Bookmarks, Open tabs, Settings, Addons.

If I were to save all my data into Firefox and sync it this way, an attacker breaching my account and becoming a synced device could cause a lot of damage!

There exists an issue on Bugzilla from 5 years ago as of writing which has been closed and there's a Mozilla Ideas.... Idea about Firefox Accounts WebAuthn which has been untouched.

How is this acceptable at this year? Big names in tech have already adopted WebAuthn and Mozilla shouldn't lag behind for an account which has so many critical things that should never ever get in the hands of someone else.

(sigh)

I digress.

On the sort of... positive #

As harshly as I'm criticizing Sync, I do want to commend Mozilla for not making a walled garden. mozilla-services/syncserver has a Python server for Sync, mozilla/fxa a NodeJS server for accounts and provides guides here and here on how to host your own Accounts and Sync server.
That's really good! If you don't trust or like Mozilla, you can simply run the server yourself. Security of these becomes your responsibility with this, and you aren't required to have an online component to sync your browsers.

While that last part might seem silly, Sync is also being implemented into Thundebird soon™! I could see how for example organisations or people who really value their internal emails might not wish to have them on an external online component (even if Mozilla promises to encrypt it).

... With that said, that repository is a Python 2.7 server that's unmaintained.
The syncserver repo reads:

Note that this repository is no longer being maintained. Use this at your own risk, and with the understanding that it is not being maintained, work is being done on its replacement, and that no support or assistance will be offered.

Python 2 also is no longer maintained.

Maintainer jrconlin explains in issue 198 on Dec 31, 2019:

First off, the team tasked with this (services-engineering) have been working on the new server (syncstorage-rs). The goal there is to make supporting Sync for millions of folks better. With the current python version, it's possible for us to lose your data if you don't have multiple clients doing regular refreshes. For us, that means using a different data storage back-end. This does not mean that we're requiring stand alone servers to do the same, and we're working hard to ensure that you can still use your SQL db of choice.

Needless to say, moving hundreds of millions of accounts to a new storage system is... tricky. We're moving slowly and carefully to make sure that we don't screw up. (We're also a pretty small team working on this, thus some of the radio silence since we're head down trying to get this working.)

[...]

So, the executive summary:

  1. Syncserver 1.5 should continue to be safe under python 2.7 for the short term.
  2. You may be able to run Syncserver 1.5 under Pypy 2.7 if some critical security bug hits python 2.7.
  3. We're working on a new rust based syncserver and hope to have it available with migration scripts in the next 6 months.

So yay, there's a Rust server coming! That surely will mean we don't have to use an outdat-
Github Readme of syncstorage-rs that reads: "2. Setup a local copy of syncserver, with a few special changes to syncserver.ini; make sure that you're using the following values (in addition to all the other defaults):"

... Well, it's only a storage server I suppose.

Reading into Mozilla Blog's "The Future of Sync" article written in 2020, it seems like the idea for the mozilla-services/syncstorage-rs is to become the eventual rewrite and replacement for the Python 2 syncserver.

I understand Rome was not built in one day, but now we write the futuristic year of 2023. LLMs are the hottest thing as AI writes you code, poems, songs and even creates ungodly art by amalgamating millions of images with tags,

and Mozilla uses software that hasn't been maintained since roughly three years to synchronize your porn history.

No harm to anybody #

Again, as harsh as what I've written is, I don't mean this to trash talk the people who work on this.
They're doing the best they can and I only wish to have the things I don't enjoy of Sync written in a place, especially since I'm likely required to use it going forward.

Lots of love to you folks and thanks for helping me sync my stuff!