Development [LWN.net]

Mozilla Weave 1.0 makes the browser experience portable

February 3, 2010

This article was contributed by Koen Vervloesem

After two years of development, Mozilla Labs has released Weave 1.0, a Firefox add-on that synchronizes browser data among desktops, laptops and smartphones that are running the open source web browser. This is a perfect solution for users who want to take their bookmarks, history, passwords, filled-in forms, and open tabs with them on multiple devices or for dual-boot environments.

The Weave project is aimed at increasing the user's control over their data and personal information. Users can tap into these possibilities by installing the Weave Sync add-on for Firefox on their desktop, laptop, or mobile phone. Weave Sync 1.0 requires Firefox 3.5 or later or the newly released Firefox Mobile 1.0, also known as Fennec, for Maemo.

By installing the Weave Sync add-on on different devices, users can have their Firefox experience synchronized on all their devices. For example, they can visit several web sites on their Windows desktop at work, go home, open Firefox on their Linux desktop and have everything waiting for them as they left it at work: browsing history, open tabs, bookmarks, the contents of the Awesome Bar, and so on. When they leave the house with their Nokia N900 device to go out for a drink, they have all this in their pocket.

Hands-on

After installing the Weave Sync add-on, Firefox shows the Sync preferences and asks the user to create a Mozilla Weave account (on the first device) or to sign in with a username and password that was previously created (on the other devices). When creating a new account, the user has to choose a username and a password, solve a CAPTCHA (which your author failed miserably at, as always), and then enter a secret passphrase, which must be at least 12 characters long and cannot match the account password.

The user then has different options to synchronize the browser's data. The recommended option is to merge the browser's data with data on the Weave server (from devices that already synced with Weave). The other two options are more destructive, but could come in handy in some situations: one replaces all Weave data on the browser with data on the Weave server, and the other replaces all data on devices using the same Weave account with the local data.

The release notes warn of problems with stale data. If a device that has been inactive for a while reconnects to the Weave Server, the server's current data could be overwritten by stale data from that device. As a result, an old password or an older collection of bookmarks might reappear on other devices even though they have been changed. This is one of the circumstances where the user should choose "Start Over" in the preferences and replace the local data of the stale device with data from the Weave server.

After Weave is set up, it shows an icon with the user's account name at the right side of the status bar. A notification will be shown there while the Weave Sync add-on is synchronizing with the Weave Server. In the menu that pops out when clicking on the icon the user has the possibility to disconnect from the server (to stop synchronizing), to trigger a synchronization manually, to read the (very verbose) activity log, or to change the add-on's preferences.

Weave has a preferences pane in the Firefox settings, where users can manage their account and select which types of data they want to synchronize. By default, Weave synchronizes bookmarks, passwords, preferences, history, and tabs, but they can be ticked off individually. The user can also disconnect here and click on "Start Over" to create another account or shift to different one. This makes it possible to use one Weave account for work and another one for personal browsing.

Weave synchronization doesn't happen continuously. The FAQ mentions that, for most users that are synchronizing multiple devices, the Weave Sync add-on connects to the server every hour. If Firefox is heavily used, synchronization happens more frequently. Of course, the user can always trigger synchronization manually. Bookmarks and history items are synchronized in chunks for better performance, but because of this, uploading the complete set could take hours. Favicons for the bookmarks are currently not synchronized to the server. Weave synchronizes the 25 most recently-used tabs from other synchronized computers and does this in a non-intrusive way. That is, the local tabs are not changed to the synchronized tabs, but the tabs from other computers are shown in the menu "History -> Tabs From Other Computers".

Encryption

The Weave Sync add-on encrypts all user data before uploading it to Mozilla's servers and the secret passphrase the data are encrypted with is only known by the browser and not stored on the server. This means that the server cannot read the contents of the data. For example, the server can't read the bookmarks a user has synchronized, but it can tell how many bookmarks the user has. When the user sets up a new browser to synchronize with his Weave account, the secret passphrase has to be entered again, to decrypt the data stored on the Weave server and give the browser the ability to read it.

The low-level details of the encryption Weave uses can be found on the Mozilla wiki. In short, when a user first signs up for Weave, the Weave Sync add-on generates a random pair of public and private keys, 2048-bit RSA. Then, the PBKDF2 (Password Key Derivation Function) algorithm uses the user's passphrase to create a symmetric key, 256-bit AES. This symmetric key is used to encrypt the user's private key and the result is uploaded along with the public key to the Weave server.

Whenever a particular data engine like Bookmarks or History is to be synchronized, Weave Sync generates a random symmetric key for the engine. The key is then encrypted using the user's public key and uploaded to the Weave server. All entries in that engine, such as individual bookmarks, are encrypted with the engine's symmetric key. Because the Weave server only holds the encrypted symmetric key, only the user with the private key corresponding to the public key that was used to encrypt the symmetric key is able to retrieve the original symmetric key.

If this all sounds needlessly complex, it is because the Weave developers have a bigger purpose in the pipeline. With this cryptographic scheme in place, it should be possible for Weave users to share items securely. For example, a user that wants to share his bookmarks just has to encrypt the corresponding symmetric key with the public key of the person he wants it to share with. This is even granular to the level of an individual synchronizable item, such as a specific bookmark.

A private Weave server

Concerned users that don't feel comfortable with their data on Mozilla's servers (even if they are encrypted and the passphrase is never stored on the server) will be happy to hear that there is also a standalone server component, the Weave Server, that can be installed on their own private server. By default, the Weave Sync extension synchronizes with Mozilla's server, but users can point the client to their own server by selecting "Use a custom server" in the Weave preferences and point it to the URI of their own Weave server.

The Mozilla wiki has some documentation about the Server APIs and some instructions to set up the synchronization and user registration parts of the server. Because the Weave Server uses standard HTTP authentication, it should be set up over HTTPS to prevent the password from being sent in the clear. Moreover, the server should have Apache, PHP with PDO, UTF-8, and JSON support installed, and it should have MySQL available for storage.

Setting up a Weave server is not rocket science, but it's a fairly laborious task and can break in a lot of ways. It's also overkill for users that want to have synchronization for themselves or their household. Therefore, the developers have made available a Weave Minimal Server which they recommend over a full install. It requires just one alias line in the Apache configuration and sets up a SQLite database. Creating and deleting users is done manually on the server by a PHP script.

If even this is too difficult, Felix Hummel has written an almost foolproof installation script for the minimal Weave server. Your author tested this by setting up an Apache server on his home network, downloading Hummel's script and changing some variables there. After running the installation script, it shows the steps to configure the Weave client to work with this Weave server. One important thing to remember here is that the user first has to visit the URI of the private Weave server, to accept the SSL certificate, before entering the custom server URI in the Weave Sync preferences. After this, working with a private Weave server is exactly the same as working with Mozilla's Weave server, except that creating users doesn't work from the Weave Sync preferences but requires running a commandline script on the server.

Protect your passwords

But even when users install their own private Weave server, the mere user-friendliness of the synchronization of passwords with Weave poses a risk. As Michael Froomkin mentions on his blog:

Since I travel with my laptop, and there's always a chance it might get stolen, I don't want to have my password-protected data accessible to someone who gets a hold of the machine.

And this risk is real, Froomkin adds:

I often hibernate my machine instead of turning it off. What worries me is that this sync will become so seamless that I'll forget my passwords are accessible. Either that, or I'll have to always at least close the browser between sessions.

This is of course not a problem specific to Weave, but is a more general issue for hibernating laptops: the concerned user should encrypt the laptop's hard drive and turn it off before leaving it unattended. However, there is one tip that can reduce the risk substantially: use a master password in Firefox and shut down Firefox before hibernating or leaving the computer alone. After setting up a master password and restarting Firefox, the user will be asked for this master password the first time he goes to a page with a saved password. This ensures that no one else is logging onto the user's web site accounts without explicit authorization. Moreover, the master password only has to be entered once a session.

Mozilla Weave taps into the master password feature to protect the synchronization of the user's data: if Firefox is configured with a master password, Weave Sync stays disconnected until the user enters the master password for another site or chooses to connect to the Weave server manually (after which the master password is asked for). But one warning: the master password itself is not synced, so to protect the passwords on all computers that are synchronized with Weave, they each have to be protected by a master password.

More synchronization in the pipeline

The current incarnation of the Weave Sync add-on is just a first step in a bigger vision. In the long run, the Weave project aims to integrate all kinds of other services more closely with the browser. For example, the roadmap mentions that Weave Sync 1.2 should bring synchronization of installed add-ons and search engines. And some of the ideas for the more distant future are syncing Jetpacks and preferences.

The Weave wiki also publishes a Client API, which can be used to write 'sync engines' to synchronize new data types. This can be anything that the extension JavaScript code has access to through any Mozilla API. To add synchronization of a new data type, the programmer writes an engine class and some helper classes and registers them with Weave. One of the helper classes called CryptoWrapper handles all the encryption and decryption of the new data type. It's also possible to add a check-box to the Weave preferences screen to let the user turn the engine on and off.

Conclusion

Mozilla Weave is a very user-friendly way to synchronize the user's browser experience between different computers with Firefox. The API is set up in such a way that other browser add-on writers can add support for their own data types to Weave and the security architecture hints at a future that allows granular sharing of data between users. A lesser visible, but in your author's opinion nonetheless important, feature is that the Weave server code is also available and can be set up on a private web server. In the spirit of the open web, this is an example that should be followed by other services that handle user's private data.

Comments (7 posted)

System Applications

Database Software

MySQL Community Server 5.0.90 released

Version 5.0.90 of MySQL Community Server has been announced. "Please note that the active maintenance of 5.0 has ended,and this version is mostly provided because of the fix to security bug#50227 as described below."