Google knows all the things!
Published September 14th, 2013 under General
Since writing this post, I believe Chrome has implemented a system to cater for this by encrypting your data via your Google login credentials.
This is somewhat of a community security notice, but also a request for a sanity check. If I have misunderstood how the data storage works, please let me know so that I can correct this post 🙂
I’ve been ranting for a while now that using (some) password backup systems is not the best idea, but my ranting has fallen on deaf ears. You know that thing in Android and Chrome that “safely backs up” your passwords and other private data? Ever wondered what happens to that data when it is “backed up”?
Encryption
You may have been thinking that the data is encrypted and can only be decrypted by you. But then you need to ask the question “what is the decryption key?”. You can’t encrypt something without a decryption key to get the data back out (except for hashes, but that’s somewhat different). Presumably the data you submit is encrypted, but how?
Many responses to this question have been “they’ll be using a device-specific encryption key”, but that can’t be the case here, since you can transfer your passwords to a new device should you lose the first one. The other option would be using your main password as the key, but in the case of Google, that would just be your Google password. But if your Google password is being used as the decryption key, and Google knows your password (or can learn it by forcing you to reauthenticate), then your passwords may as well be stored in plain text.
Google and the NSA know all the things!
The implication here is that both Google and the NSA can know all of your passwords. That may include bank passwords, email passwords, Facebook passwords, basically anything and everything that you don’t want other people finding out. To me, this is scary. For this reason I have never used the automatic password backup systems in Chrome or Android.
iOS devices?
I don’t own any iOS devices, but iOS expert Thomas Hedderwick has informed me that the Apple iCloud service likely suffers from a similar problem. You can apparently turn that off, which I recommend you do.
Solution? Firefox to the rescue!
When I posted this initially, I recommended the password service LastPass. This is still adequate advice IMO, particularly if you are partial to Google Chrome, but Blair McBride from Mozilla kindly pointed out that Firefox uses end-to-end encryption on its Firefox Sync service. I was intrigued by how this would work, and sure enough, when I tried to sync my passwords via Firefox, it immediately asked me to create a new login for that service. Presumably those login details are used by Firefox as the decryption key, but since they are specific to the browser, they never need to actually leave the browser, hence can be used securely. Mozilla will never know the decryption key, only Firefox the browser. This is a perfect solution to the problem and is exactly how Google should be solving this issue.
I lied a little bit …
I do actually use the built-in password backup system in both Chrome and Android. But I use it for unimportant stuff: things I don’t mind if the NSA or some chump at Google finds out. But I do not and will not store anything important in there, as I don’t think that is a good idea in the slightest. I really don’t care if some NSA punk really wants to log in as me at WPTavern.com, but I would be grumpy if they could log in as me at Facebook.com. I even store my WiFi passwords in my Android phone, but my banking and some other password information isn’t going anywhere near Google if I can help it.
Conclusion
Sooo … if you want your passwords kept secret, use a proper password service like LastPass or change to a browser like Firefox with proper end-to-end encryption. Don’t trust the half-baked system built into Chrome, Android, iOS and probably many other systems.
Pauli Loeffler says:
I don’t disagree with you, but I do marvel at NSA paranoia coming from a Kiwi living and working in Norway.
September 14, 2013 at 6:16 am
Ryan says:
Non USA citizens are at more risk of NSA monitoring than USA citizens since they aren’t allowed to actively monitor USA citizens.
My own country is in direct cahoots with the NSA since it’s part of the Five Eyes group, plus we had a major law change to enable that NSA connection to continue unabated after revelations from Edward Snowden. Norway is probably safer in some respects, but almost all of my stuff is hosted in the USA, including the Google data I discussed above. So where I am has very little to do with my concern over NSA behaviours.
September 14, 2013 at 10:05 am
Andreas Nurbo says:
Sweden is apparently a significant collaborator with the US/NSA as well and we lend out our cable listening capabilities. Also we have big ears on all communication that goes out from Sweden. Can’t spy on activity within Sweden, but how much communication is limited to geography nowadays.
If the Norwegian cables pass Sweden I wonder if we Swedes aren’t spying on our neighbors as well.
September 14, 2013 at 11:00 am
Ryan Hellyer says:
I would be stunned if Sweden was not spying on Norway.
I was a little surprised that Sweden was so tightly involved. I knew my own country was, but I assumed Sweden had a much tighter rein over its government 🙁
September 14, 2013 at 11:31 am
Andreas Nurbo says:
Well Sweden has helped with CIA kidnappings in Sweden to enable suspects to be tortured in Egypt, so our government is not the human rights proponent it claims. Their defense was that the Egyptians said no torture would occur. So much bullshit. The suppositories, diapers, handcuffs and specialized airplane might have given a hint that not everything was up to par. But the Swedish secret police went ahead with the extradition regardless and gave away the two citizens.
Sweden’s ruling elite have their noses all the way up through the US bonghole.
September 14, 2013 at 11:45 am
Brian Lacouvee says:
I love LastPass! And their new cousin Xmarks does a great job managing Firefox bookmarks. Yes, Firefox does a lot of things well; I offered up a few nickels to their donation drive this year.
If you are up to no good I hope everyone is looking you up on their radar, otherwise you’ve got nothing to worry about if you’re being a good citizen.
February 22, 2014 at 6:06 am