
Weave... Mozilla Is Trying To Be More Social

Posted by CmdrTaco
from the how-about-trying-to-leak-less dept.
Cassanova writes "Weave is the newest Mozilla Labs project. It allows the user to save browser settings on Mozilla servers (Favorites, sessions, passwords, etc.) and load them from anywhere. With this project, Mozilla is trying to be an online services provider, which is an important step. But can Mozilla labs get over the privacy issues?"

  • so use encryption. (Score:5, Insightful)

    by gbjbaanb (229885) on Saturday January 05, 2008 @12:19PM (#21923432)
    Anyone can get over the privacy issues, Mozilla just needs to encrypt the user's settings with a strong key and store the encrypted data to the server. Only the user can decrypt it (assuming he remembers his passphrase) and you're done.

    If you make this a non-optional feature then it can be touted as a big privacy win and people will surely be happier with it. If you allow the passphrase to be stored locally then ease of use is solved too (obviously you'd still need to enter it if you used a browser not on your home PC, but that's ok).
    • by Negatyfus (602326) on Saturday January 05, 2008 @12:25PM (#21923514) Journal
      Actually, that's what they do now. From the article:

      • We currently encrypt on the client all data that gets placed on the server, with an encryption passphrase that only the user knows.
      • We kept the server intentionally dumb and standards-based, so that anyone can set up a server for themselves and/or their friends or company.
      • Re: (Score:2, Insightful)

        by Anonymous Coward
        This is slashdot, don't expect anyone to RTFA.
      • by Henry V .009 (518000) on Saturday January 05, 2008 @12:43PM (#21923750) Journal
        I've always hoped that Google would make this an option with gmail. Encrypt all data stored on their servers, add encryption on sending, and they'd have a wonder application. Not that Google (owner of Doubleclick) makes any money from user privacy, of course.
        • Re: (Score:3, Informative)

          by xenocide2 (231786)
          It wouldn't matter. At some point, email is transmitted in the clear. Either you trust Google or you don't. If you don't trust Google, they're receiving all your mail in the clear, so they're already capable of violating your "privacy". If you do trust them and still want your data encrypted, you're not getting much benefit -- the data still goes to recipients in the clear, and they can still receive copies.

          You're probably better off with thunderbird or evolution or something and gmail IMAP, where you can s
          • by mi (197448)

            If you do trust them and still want your data encrypted, you're not getting much benefit

            If the mailboxes are stored in the encrypted form and Google does not store the content in the plain-text somewhere else (for their "unobtrusive context-sensitive advertisements"), nobody — not even with a government-issued subpoena — can read the mails, until the owner logs in and reads it themselves...

            That could be a huge benefit for someone some day...

        • by NickCatal (865805)
          Google doesn't own Doubleclick yet
      • So THEY say, but how do we really know?
        • by Nullav (1053766) <moc&liamg,valluN> on Saturday January 05, 2008 @01:19PM (#21924122)
          You're right. If only we could force them to release the source code or something, then we could just look.
          • by JustOK (667959) on Saturday January 05, 2008 @01:32PM (#21924256) Journal
            look and see the actual source code running, or look at what they say is the source code?
            • by Nikker (749551)
              There's a way! I just sent out the patent, I'm calling it "compiling". See you "compile" the "source code" then you can check to see using a program that I will write called "diff"(like difference) to see if the files differ. If they do then it's not the same! Wow I'm gonna be rich!
              • There's a way! I just sent out the patent, I'm calling it "compiling". See you "compile" the "source code" then you can check to see using a program that I will write called "diff"(like difference) to see if the files differ. If they do then it's not the same! Wow I'm gonna be rich!
                And somehow you're gonna access google's servers and diff with their binaries?
            • Re: (Score:2, Insightful)

              by caferace (442)
              Build it yourself from source, and run it on your own server. Gosh.
            • by ketilwaa (1095727)
              Paranoiaville, here we come!
            • look and see the actual source code running, or look at what they say is the source code?


              Simple. First you build a silicon foundry...
            • by Kidbro (80868)
              look and see the actual source code running, or look at what they say is the source code?

              *blink*

              It's being encrypted client side. You can be pretty damn sure it's the source code that's running. Build the binary yourself.

      • Any sort of server side vulnerability means your passwords and destinations can be acquired by law enforcement with a court order (you cannot otherwise be compelled to give them). However, the fact that they are saying _all_ client data gets encrypted is important, because it means they can't issue subpoenas to other sites based on link information stored on the server.

        not that i'm paranoid, but that information request could become a trivial law enforcement action in the near future...and we already have e
      • by Jartan (219704)

        We kept the server intentionally dumb and standards-based, so that anyone can set up a server for themselves and/or their friends or company.


        This is actually a really great idea for backup purposes. It would have to take data archival problems into account but I'd love to see more programs do this in a standard way. It could help out a lot with simplifying the backup process for people who don't really have the ability to do a comprehensive full drive backup.
    • by RonnyJ (651856)
      Firstly, this looks basically like Opera's Link [opera.com] (although I don't think that supports passwords etc yet).

      Security-wise, although I can see that many people would like any stored data encrypted so the service provider can't make use of it, that'd mean the user's computer would need to encrypt/decrypt it client-side. If you want to be able to access information from a bog-standard HTML interface (which I believe Opera Link allows), the service provider needs to be able to decrypt your information server-sid

    • by Jartan (219704)

      anyone can get over the privacy issues, Mozilla just needs to encrypt the user's settings with a strong key and store the encrypted data to the server. Only the user can decrypt it (assuming he remembers his passphrase) and you're done.


      Clearly you are not up to date on the tinfoil. What happens if they store that data till quantum computers come out?! They'll just break the encryption and years later they'll know about all your goatse links.
  • by johannesg (664142) on Saturday January 05, 2008 @12:20PM (#21923448)
    After all, this is a magnificent opportunity to build the greatest list of porn links the world has ever seen!
    • Re: (Score:2, Funny)

      by Anonymous Coward
      no way, I'm not sharing and I'm responsible for over 30% of internet masturbation!

  • I understand that all this online frenzy hit all major players in the IT field, but I still think that the Internet as it is now is not ready for this, and, in parallel, a lot of people don't feel ready for this.
    By the way, good luck to Mozilla; it is always good to have more than one player.
    • Re: (Score:3, Insightful)

      by KlaymenDK (713149)
      I think anything that can make a computer workstation as generic as a television is a good idea; the challenge lies in handling the user data/settings. If everything was online and online again, you would not need X-on-a-stick but only to log in to your online profile from any workstation.

      Hm, imagine that. Having a workstation that from the ground up is equipped to handle roaming users, even across the internet. There would be issues with compatibility and installed software, but assuming the basics (OS log
      • Re: (Score:2, Funny)

        by Enleth (947766)
        Well, you can pry my self-contained, customised ultraportable laptop from my dead, cold hands. And only then. I have yet to see a web-based application that is as fast and convenient to use as a native program and doesn't get in the way due to being a slightly overpowered web page. And I have yet to see two (let alone any more) separate web applications that have a consistent look&feel, which is a critical feature of any *work*station, that is, a computer used for doing some kind of *work*, not wasting
        • Re: (Score:3, Insightful)

          by KlaymenDK (713149)
          True, that. The eye candy is always the first thing to go in, and the productivity last (if at all).
      • by peragrin (659227)
        Unix was there for the local network 15 years ago. You would walk up to any terminal and could log in with all your settings, preferences intact.

        It worked over the Internet too, but the general internet had way too much lag for X applications to run that way. It would be possible now if it weren't for MSFT and their silly dog Apple. MSFT has done one good thing though, they brought down the cost of the hardware so everyone can afford some. Now if only they would bring down the cost of their OS so people
        • by KlaymenDK (713149)

          Unix was there for the local network 15 years ago. You would walk up to any terminal and could log in with all your settings, preferences intact [...] but the general internet had way too much lag for X applications to run that way.

          I'm not talking about running apps remotely, which is basically a thin client with or without X-the-windowing-system; when I said X-on-a-stick I meant X as in whatever-app-you-would-be-running ("the X that is seen is not the true X", and all that). Hmm, imprecise wording on my part.

          What I am talking about is remote storage between sessions. While logged in your apps would run on the local workstation, only reading your profile from your remote store when logging in, and writing changes back when logging ou

          • by esper (11644)
            I'm not talking about running apps remotely... What I am talking about is remote storage between sessions. While logged in your apps would run on the local workstation, only reading your profile from your remote store when logging in, and writing changes back when logging out.

            Yes. As the GP said, unix was doing that 15 years ago, in the form of NFS-mounted home directories. (15 years is actually a rather conservative estimate, but that's beside the point.) Works great for applications running on the loca
            • by KlaymenDK (713149)

              [...]I'm not interested in entrusting my data (much less my secrets) to $RANDOM_CORPORATION, no matter how convenient that may make things. [...]

              That's basically what I said in another post in this thread, "allow me to type in the credentials to *my very own* FTP server, tenjewberrymuds". Glad to know I'm not alone.

              Incidentally, I had quite the head-to-head with my brother who's the "family webmaster", because he wants to change from Dreamhost to GMail, and I opposed having my data on Google's servers. Dreamhost I trust (and besides, my email must arrive *somewhere*); Google I don't.

        • Where the FUCK are you buying Windows, that it costs $400?
          • by peragrin (659227)
            In order to get the same functionality as any linux distro, or even Leopard you have to buy Vista Ultimate. You pay a premium for it. Even OEM installed versions go for $130 bucks a piece. Not everyone can legally use the OEM versions so in order to be legal, you have to pay street price.

      • by Nullav (1053766)

        Hm, imagine that. Having a workstation that from the ground up is equipped to handle roaming users, even across the internet. There would be issues with compatibility and installed software, but assuming the basics (OS login, browser bookmarks, yadda yadda) it would be a fair step towards ubiquitous computing. Ah, the future ... are we there yet? Are we there yet? Are we there yet?...

        Well, I've run across two [gopc.net] services [zonbu.com] like that recently.
        GOPC, while closer to 'save once, read anywhere' is ridiculously limite

  • Browser sync already does this. I've often felt the implementation was a bit cumbersome though. It's good to see competition in the field.
    • I wish Google did a similar thing for thunderbird - mail account settings and/or contacts, I am sick and tired of finding that someone's email address is stored on a different computer's address book.
      • by baxissimo (135512)
        Mod this up! Email your congressman even!

        Thunderbird sync would be great not just for contacts, but also for the newsreader. I'm sick of having to look over all the same usenet articles again to figure out what I've read and what I haven't when I go from home to work and back.

        • Frankly, I see absolutely no reason why someone can't whip up an extension storing and syncing the TB address book from several TB installations in a common WebDav-enabled webserver or other kind of fileserver. It's bloody trivial, all it takes is uploading/downloading a CSV file and diffing and merging it on the fly. In fact, I wouldn't be surprised to learn it's already been done.

          FoxMarks does this for the bookmarks in Firefox and I've been using it to keep the bookmarks in sync between my work installati
  • I dislike the sexist nature of this article.
    • Re: (Score:2, Informative)

      by ParaShoot (992496)
      Why? What would you rather see - "she" written throughout the article? How would that be any better? "It"? "He/she" or "s/he" everywhere? Cumbersome and ugly. "They"? Grammatically incorrect, despite being used everywhere. "One" just sounds weird and formal (and the article isn't written in German).

      An arbitrary choice was made. Pick "he" sometimes and "she" at other times, if it bothers you that much. More importantly, stop making big issues out of nonexistent ones - you understood the article, didn't yo
      • Re: (Score:3, Interesting)

        by McDutchie (151611)

        Why? What would you rather see

        Yo. [metro.co.uk]

        • Personally I prefer Spivak pronouns. However, I still agree with the gist of the GP - using 'he' to refer a person of unknown gender is an acceptable use of the word in English. Making an issue out of it is petty and confers some of that pettiness by association to any other ideals you might put under the same banner.
        • by aj50 (789101)
          If they'd used yo instead of he, I wouldn't have understood what it meant. I would probably assume it was a typo for you or some slang meaning your (which would make even less sense in the context). Yo might be the word we've been looking for the last 200 years, but I doubt it and I certainly hadn't heard it used that way.
      • by mecenday (1080691)

        "They"? Grammatically incorrect, despite being used everywhere.
        The singular "They" [wikipedia.org] dates back to at least Shakespeare (1594). I think your grammar teacher lied to you.
      • by esper (11644)

        Singular "their" etc., was an accepted part of the English language before the 18th-century grammarians started making arbitrary judgements as to what is "good English" and "bad English", based on a kind of pseudo-"logic" deduced from the Latin language, that has nothing whatever to do with English. (See the 1975 journal article by Anne Bodine in the bibliography.) And even after the old-line grammarians put it under their ban, this anathematized singular "their" construction never stopped being used by English-speakers, both orally and by serious literary writers. So it's time for anyone who still thinks that singular "their" is so-called "bad grammar" to get rid of their prejudices and pedantry!

        - http://www.crossmyt.com/hc/linghebr/austheir.html [crossmyt.com]

        Our modern confusion stems from eighteenth-century grammarians who analysed English according to the structures of Latin and imposed stringent and irrelevant rules (such as the one about not splitting infinitives) that have bedevilled everybody since. In this case, they proposed that he should instead be the standard in cases in which the sex of the person referred to isn't known.

        - http://www.worldwidewords.org/qa/qa-the2.htm [worldwidewords.org]

        So, do you choose to reject the dogma of those grammarians who tried to impose Latin rules upon English which claims that singular "they" is incorrect or embrace the teachings of those same grammarians which state that "he" is the appropriate gender-inspecific pronoun? If you choose to reject the latter rule by considering the use of "he" to be horribly sexist, then you can just as easily reject the former a

  • Useful enough? (Score:4, Informative)

    by headkase (533448) on Saturday January 05, 2008 @12:24PM (#21923504)
    I think it depends on personal preference. If it was opt-in and encrypted on your end before it was stored on Mozilla servers then they send you the (encrypted) data on local load of Firefox then you enter your secret password/phrase (or have it come out of the wallet or equivalent) to decrypt it, again, locally then there wouldn't be *any* privacy issues. And if you chose to use it it would definitely come in handy for those instances where the OS unexpectedly borks itself on you and you have to reinstall. Then install firefox, enter your access code and at least that part is back to pre-bork settings.
  • by caluml (551744) <slashdot AT spam ... OT calum DOT org> on Saturday January 05, 2008 @12:29PM (#21923562) Homepage
    I wouldn't use this. After all, the bookmarks I have at home are different from the ones I have at work. :)
    I can't envisage a time when I'd need this. Plus it's very easy to SCP my bookmarks.html from my PC at home if I need them - or a simple SSH and grep to find the precise one I want. A solution in search of a problem?
    • by cavtroop (859432)
      No, just a solution that doesn't fit what you are looking for. Me? I use Foxmarks to keep my bookmarks synced between my multiple machines. Having sessions/passwords etc sync would be great, once I could get over the privacy issues.
      • by caluml (551744)
        Oh, my comment wasn't that it'd be no good for everyone, just that it wasn't much use for me.
      • Having sessions/passwords etc sync would be great, once I could get over the privacy issues.
        Maybe they should do what Foxmark does: allow you to use your own server as the back end, instead of their own. Since all the support that's needed is a standard protocol (FTP or WebDav) I'm able to use my own home server without a hitch. End of privacy issues.
    • Re: (Score:2, Insightful)

      by noamt (317240)
      Not a solution in search of a problem, but maybe a solution you (and others) don't need. You have SCP/SSH set up, 99.9% of the people don't.

      Google also have such a thing, can't remember what they call it but there's a Firefox extension. So it's nothing new either.
  • Tried to install it on FF 2.0.11 and it told me it only works on FF 3.0B2pre and 3.0.*? How far is FF 3.0 off? A few months or so?
  • by FooAtWFU (699187) on Saturday January 05, 2008 @12:35PM (#21923630) Homepage

    If you haven't looked at Firefox 3 beta, there are some crazy new bookmark features, including "smart" bookmarks generated from frequently-visited sites and such. There's also bookmark tagging. This must fit in very nicely with the "weave" strategy.

    I'd be worried if I were del.icio.us. Not panicked, just worried. :)

    • by Anonymous Coward
      There are a lot of new features in Firefox 3. But there has also been a serious neglect of the maintenance aspect of software development.

      I know maintenance is not as glorious as adding new features, but it's still very important with each new release to fix the problems that were found with previous versions (or at least verify that such problems no longer exist).

      While some small number of people might like these new bookmarking capabilities, I think they should have spent more time on fixing some of the i
      • Re: (Score:3, Informative)

        by bunratty (545641)

        They have been spending lots of time fixing those issues. Are there any specific bug reports you think should be addressed? Any particular site or feature you're having a problem with?

        If you cannot or will not track down the problems you're complaining about, and they persist even after creating a new profile and trying other fixes in the MozillaZine Knowledge Base [mozillazine.org] and asking for help in the MozillaZine Forums [mozillazine.org], you should simply switch to another browser. Why put up with serious problems when there are so

    • by maxume (22995)
      Is Yahoo! making any money with del.icio.us, or should they be worried that somebody is doing something that is 'more neater'?
  • a way to save bookmarks, etc on *MY* server. (By "My server", I mean my personally owned and operated FreeBSD box I have colo'ed', not what the average moron might mean where they confuse 'server' with 'service provider' and use 'my server' to refer to their ISP)

    So privacy and security concerns go away (or at least, would be under my control rather than someone else's), but all the same functionality is there.
    • Re: (Score:3, Interesting)

      [I'd like to see] a way to save bookmarks, etc on *MY* server. (By "My server", I mean my personally owned and operated FreeBSD box I have colo'ed', not what the average moron might mean where they confuse 'server' with 'service provider' and use 'my server' to refer to their ISP)

      From TFA:

      We kept the server intentionally dumb and standards-based, so that anyone can set up a server for themselves and/or their friends or company.
  • and someone should already have done it already?
  • by One Childish N00b (780549) on Saturday January 05, 2008 @12:44PM (#21923770) Homepage
    If you don't want to use it, don't download the extension. To use it, you have to:

      - Go to a site
      - Create an account
      - Download an extension (on every single computer you use)
      - Put in your username and password (again)
      - Put in a private encryption passphrase
      - Manually click the 'Sync' button.

    Only then will it start automatically updating your bookmarks. If you have privacy issues about uploading your bookmarks to Mozilla's servers, then you can quite easily back out at any of these points, or not bother at all. If the fear is that they will share your bookmarks, then simply don't give them any to share. This is not a feature that is on by default, and the blog linked to even specifies that, if you're that paranoid about giving them your data, there will be a way to set up your own Weave server, so no-one but you will be able to know you visit PissMidgets.com

    Slightly sensationalist article methinks.
  • host it yourself? (Score:4, Informative)

    by evilmoo (1213394) on Saturday January 05, 2008 @12:50PM (#21923828)
    From the debugging logs, it seems like the information is just stored on a server via HTTPS+WebDAV. So if you control a web site (and you trust it more than you trust Mozilla), just change the Server Location (in Advanced Settings) from "https://services.mozilla.com/" to your own server. You will have to create a directory underneath that is the sha1sum of your account name, and it is up to you to set the permissions on the directory properly so that no one else can access it. Of course, this is all just an educated guess, but... "The rest is left as an exercise to the reader." :)
  • Great to have another choice of vendor to store my browser profile at. I've been asking Mozilla for a roaming feature for years. I've seen the plugins that do this, but they host my data either at a company that's unknown to me, or that I don't trust.

    I have suggested the option of entering login info for an FTP server that you own (or have access to), so you don't have to rely on someone else, but it's no surprise that it's not going to happen unless Mozilla themselves go after it (or I write it myself, exc
  • Google Browser Sync (Score:4, Informative)

    by eht (8912) on Saturday January 05, 2008 @12:55PM (#21923868)
    Google Browser Sync [google.com]

    And it's about as secure as your Google account already is. Whatever that means.
    • by zlogic (892404)
      I use this thing both at home and at work, and everything's encrypted with a passphrase (separate from the Google Account Password) that's not transmitted to Google, so they aren't able to decrypt the data without using brute force.
      I once had a funny experience with this thing - one weekend my boss logged in from my (google-synchronized) computer to check his email - well, his Gmail cookie synchronized to my home PC and I was able to read his mail. He hacked his own mailbox and I didn't even need to do anyt
    • by draziw (7737)
      I use the software just syncing bookmarks (with encrypted checked). It works great - but it doesn't work with Firefox 3 beta yet. :( I may try Weave as a workaround.

      --
      +1 for karma, +2 for low user id, -2 for mention of user id.
    • by ImaLamer (260199)
      I found the Browser Sync to be good for Firefox installs on new computers around the house. Besides that I didn't want it to actively update my bookmarks, I wanted to just copy the essentials over.

      But on the note of encryption... Yeah, Google could never have the computing power to break that encryption! I'm betting they are a few years off from running their own distributed cracking program that can break pretty strongly encrypted stuff (all in house). Imagine if they used the browser sync install base (or b
  • But can Mozilla labs get over the privacy issues?

    Encrypt, encrypt, encrypt ... and then hope that nobody sues them anyway.
  • Why does this remind me of Opera Sync?
  • Opera? (Score:2, Informative)

    by JLennox (942693)
    I'm surprised at the lack of mention that Opera has had this feature since September.
  • Please, Mozilla people ... document and publish the protocol! We would like to be able to save our bookmarks/passwords/sessions on our own servers, not yours (or Google's). We would like to have our browsers talking to back end systems that can do something useful with that data. Please make this useful!
  • Why has this been tagged "kissramgoodby"? Presumably regardless of which model for storing favorites/passwords/sessions, when the browser is actually opened it goes in the RAM anyway? I don't see the meaning of that...
    • by BenoitRen (998927)
      It's just CmdrTaco trolling, I guess. Just look at the "dept." line: "how-about-trying-to-leak-less".
  • Put portable Firefox on a USB stick. It can be used anywhere and the user is always in control of the bookmarks, passwords, etc.

    I installed portable Firefox, Thunderbird, OpenOffice on a USB stick and use it whenever I'm travelling. I can take my working environment anywhere.

    The downside is that if I lose the USB stick in my travels I'm screwed.

    • by couchslug (175151)
      "The downside is that if I lose the USB stick in my travels I'm screwed."

      Not if you periodically back up stuff that matters to a webmail account.
  • Link (Score:5, Informative)

    by jpkunst (612360) on Saturday January 05, 2008 @01:48PM (#21924418) Homepage
    Link to the actual Mozilla Labs project page instead of to some blog: http://labs.mozilla.com/2007/12/introducing-weave/ [mozilla.com]
  • by weave (48069) on Saturday January 05, 2008 @02:19PM (#21924692) Journal
    I should sue them for profiting from my good name, damaging my reputation and causing confusion among the masses.
  • This is really useful. At the moment there is the Foxmarks plugin for bookmarks, which is excellent, but it would be nice to have a sync for Firefox / Thunderbird / Sunbird with all my preferences. I could reformat a machine and be mostly operational within seconds (especially if I took the time to create my own custom Ubuntu [aperantis.com]). Then I would just need to import my Pidgin preferences.

    Other than passwords, there aren't any privacy issues for me. If someone hacks my account and discovers my bookmarks or which c
  • They could let you store it on their server, but allow you to encrypt the data with your own PGP key. You would have both the public and private keys for your data and only you would be able to access them.

    Or they could let you choose which server you want to store the data on, maybe you would have your own server setup and you want to use that instead of theirs.

  • You can get a Firefox >1.5 addon http://www.foxmarks.com/ [foxmarks.com] that saves your bookmarks and preferences on Foxmark servers already.
  • No effing way I'd ever use something like that. It's bad enough that I allow myself to store email addresses of people I know online.
