24 votes

Introducing Firefox Monitor, helping people take control after a data breach

5 comments

  1. [2]
    dblohm7

    Hi everybody, I posted this as a follow up to the previous discussion about the Firefox Monitor update.

    EDIT: My colleague has created a Medium post that tells the story of how this feature came to be. I don't expect it to placate everybody, but hopefully it gives you a bit of insight into how the decision was made to build and ship this feature.

    9 votes
    1. tildez

      Very cool!

      I'm also surprised that compromised password notifications were ranked almost as high as general web compatibility.

      2 votes
  2. kfwyre

    This is great, and it solves my main beef with Have I Been Pwned?. HIBP provides a fantastic service, but I strongly feel it could benefit from better branding. The name makes it sound exactly like the kind of site I would tell people to never put any personal information into. "Firefox Monitor" comes across as much more professional and trustworthy.

    4 votes
  3. [2]
    balooga

    This is a fantastic service! I highly recommend everyone run their email addresses through it. I was aware of a couple breaches I had personally been included in, but not all seven of them.

    What I don't understand is how the fxmonitor@mozilla.org.xpi add-on discussed previously is involved. Seems like everything this service is doing is processed remotely, using just email addresses as identifiers. What role is the browser extension playing?

    3 votes
    1. cfabbro

      If you read dblohm7's comment from the previous topic it clears it up. Basically it's not an extension or add-on in the way most people think of those things; "system addons" are just a way for them to roll out dynamic updates (hotfixes and additional functionality) without needing to compile new binaries and release a totally new version of the browser. In this case I assume it's the Have I Been Pwned API integration discussed in the security blog post:

      When a user submits their email address to Firefox Monitor, it hashes the plaintext value and sends the first 6 characters to the HIBP API.

      So the system addon is likely just a function for hashing your email address to send to the HIBP API so that HIBP doesn't even get to see your email address... and possibly some sort of function for breach alert notifications as well, if you choose to sign up for that.

      6 votes
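
The prefix-only lookup quoted in the comment above, sketched as an added example that is not part of the thread and is not Mozilla's or HIBP's code. It assumes SHA-1 over a trimmed, lower-cased address; `SimulatedRangeAPI`, the addresses and the breach names are constructed stand-ins for the remote service.

```python
import hashlib

PREFIX_LEN = 6  # hex characters sent to the API, per the quoted blog post


def email_hash(email: str) -> str:
    # Assumption: SHA-1 over the trimmed, lower-cased address, hex-encoded.
    return hashlib.sha1(email.strip().lower().encode("utf-8")).hexdigest()


class SimulatedRangeAPI:
    """Hypothetical stand-in for the remote service; it only receives prefixes."""

    def __init__(self, breached):
        # Index each breached address by hash prefix -> {hash suffix: breaches}.
        self.buckets = {}
        for email, names in breached.items():
            h = email_hash(email)
            self.buckets.setdefault(h[:PREFIX_LEN], {})[h[PREFIX_LEN:]] = names
        self.seen = []  # everything the server side ever observed

    def query(self, prefix):
        self.seen.append(prefix)
        # Return every suffix in the bucket; the server cannot tell which
        # one (if any) belongs to the caller.
        return dict(self.buckets.get(prefix, {}))


def check_email(api, email):
    h = email_hash(email)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    candidates = api.query(prefix)      # only the 6-character prefix leaves the client
    return candidates.get(suffix, [])   # the match is decided locally


# Constructed sample data, not real breach records.
SAMPLE_BREACHES = {
    "alice@example.test": ["ExampleForum-2016", "ExampleShop-2018"],
    "bob@example.test": ["ExampleForum-2016"],
}

if __name__ == "__main__":
    api = SimulatedRangeAPI(SAMPLE_BREACHES)
    for addr in ("Alice@Example.test", "carol@example.test"):
        print(addr, "->", check_email(api, addr) or "no match")
    print("server saw only:", api.seen)
```
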