This is a good development. Since this is integrated with haveibeenpwned, I'd expect the next step to be integration with Firefox Lockbox [1] and Firefox Sync (with password sync selected). That would be quite helpful – a free password storage/sync app/service that can also monitor and alert users on Lockbox/Firefox (as opposed to having to sign up on Firefox Monitor with every email address that one uses). This is what 1Password did a few months ago, integrating with haveibeenpwned to alert users.
Right now Firefox Lockbox is not available everywhere and is not out on Android yet. That also would need to change fast for this to be adopted widely.
Lockbox looks like a very appealing free alternative to various password management services. Once it's built into FF desktop and android browsers I would consider switching. The public detailed design documents are very much appreciated as well.
I second this. I've been very, very skeptical of most third party password managers so haven't really adopted one for my everyday use; this might change once Lockbox [0] goes mainstream across all major platforms -- given Mozilla's unblemished record on privacy and data security -- aside from the convenience of a direct integration with Firefox.
Mozilla has very poor justification as to why. It's not like they have a light-weight cross-platform UI framework to build their applications with, much like their web browser should be.
Every browser creates their own UI framework. They just don't want anyone to make software with their stuff unless its made for their specifically marketed purpose, web sites. Firefox used to have XUL, still completely does, but they removed the ability for XULRunner API's that worked pre-57. Firefox's UI is still very much XUL, and it's a very slow process for them changing it to 'Web Components'. You actually still can create specific components using XUL and make your own stuff, just that it'll break at any moment.
They hid the decision to remove browser application extensibility behind 'web extensions' and refuse to acknowledge how they screwed over devs that relied upon it, and have a significant failure of the potentials of browser technology. There is a big difference between an extension in a browser, and extending the browser itself.
If there was a browser right now that could have its UI replaced in a standard way and updated just like the normal browser, most electron apps would not be required. It'd be far safer, performant, and would solve a lot of the big problems in the web app as a desktop app ecosystem. However, that's not their market. All browsers are in this for market.
This is not a new development either. Look at the JSApi for SpiderMonkey and they'll purposefully break compatibility on any and all versions. They don't understand what an API means. You can look at WebAssembly, too. There is no engine you can use to run independent wasm from mozilla, even though mozilla are the ones who pushed the spec which includes many claims outside of browser usage that Mozilla never persued.
At the end of the day Mozilla does not deliver on their ideas or technology unless it's firefox or something related. If you ever want to use 'web technology' in your own applications you will end up using Webkit. Which I think is super funny given that's Apple.
I think CSS is pretty great, but I would like to see something like Sass/Jade/Mustache/etc rendered client side. If browsers would focus less on JavaScript, and more on improving markup languages under the core Unix Philosophies, then we wouldn't be where we are today. I hope eventually they will let containers or the API in Linux handle permissions/security, and improve that. Android has it's own issues with Java. With Vulkan, Linux is ready for a very efficient and ever-evolving scalable solution. Heck, a modern UI scripting framework for the terminal similar to kmscon would be incredible. No reason the terminal can't support markup and assets. My vision is something similar, but definitely more friendly than DolDoc:
Poorly documented, implementation-defined, fragile, in-house only, etc. Mozilla can't hire anyone with deep knowledge of XUL to maintain XUL, and they can't assume the current generation of experts will be around forever.
They're trying to get rid of it. Writing more of it as anything but a stopgap would be counter to their current goals.
I like that subscription is email verification only, I didn't have to create a "Mozilla Account" with a password or anything like that. If Google or MS offered this, I'm sure you'd need an account that would also sign you into their entire ecosystem.
Am I the only person worried about how this represent a potential violation of privacy? You can not only enter your e-mail address to see how you are affected, you could also put in the e-mail addresses of other people, and boom, you can see what communities they have signed up for, assuming those sites have suffered a breach some time in the past. I might have given Last.fm my e-mail address during the signup process, for example, but I might not necessarily want the whole world to be able to determine that I have signed up for Last.fm.
Yes, I am aware that the breached data is already floating around on the internet, but it isn’t so convenient to consult it as on this website (or Have I Been Pwned?). These sites ought to require that a person prove they own that e-mail address before returning data concerning it.
In response to your first paragraph: "...yes?" You're literally describing the ramifications of a data breach. Whether the data is easy to get is entirely irrelevant: once it IS available, you'll have to operate under the assumption that any damage that can be done, will be done.
As for the second paragraph, it is trivial to grab a copy of all this data. The only ones that are hard to get are the ones you (or even anyone) haven't been told about yet.
And anyone could do the same. It would probably take me the afternoon to create a service that searches an email address in some text files. Overall having people be aware of data leaks is more important than attempting to hide already public data.
And it will probably lose that brand recognition if they keep attaching it to everything and dilluding the brand. This is a dangerous game they are playing.
So funny that you had no interest in enforcing this rule in regards to the posts about Chrome/Chromium yesterday. Also, the topic is relevant to the comment/topic and organization being discussed. Why ignore it when your Mozilla sponsors can say whatever about Google and Chrome, even if they are obvious lies? At least what I said is documented and true.
I know it inevitably feels like bias to get moderated like that. But if you see a glaring case where the rules weren't enforced, the likeliest explanation is that we didn't see it. HN gets over 7000 comments a day. We can't read them all.
You are welcome to alert us to such cases, by flagging them (see https://news.ycombinator.com/newsfaq.html for how to flag comments), or by emailing hn@ycombinator.com about egregious ones.
We don't have Mozilla sponsors or any other sponsors, nor care which $BigOrg is up or down on the internet wheel of fortune this week. The waves make these things happen. We're just bobbing in the waves like everyone else, trying to keep the peace here and never succeeding completely.
They want to boost the Firefox brand and demonstrate to users how much Firefox cares about security.
The browser is also the main way users interact with the web, so associating this web security project with Mozilla's browser's brand seems fine to me.
Because this isn't the end goal of this integration, just a step towards it.
Two additional steps I've read somewhere a few days ago is that the Firefox is going to flag breached sites somehow upon visit (don't know the specifics), and that Firefox Sync users will get alerts whenever they appear in HIBP.
> I suppose it makes sense as a Mozilla project, but what does it have to do with the browser?
Those are my thoughts as well. Mozilla is like Google, and Firefox is like Chrome. If Google had introduced such a service, it would have be called Google Monitor, not Chrome Monitor. Because it has nothing to do with a web browser.
While interesting, Firefox Monitor is itself leaking data about my online activities by providing this scan service. Anyone with my email address can get access to various hobbies and even potentially learn where to find more information (and what kind).
While they are not primary leaker, Firefox Monitor providing the information this way is disheartening.
Most people in my network do not know about Have I Been Pwned (the source of the scan data), but they _do_ know about Firefox.
This brand recognition and resulting media impact will spread my bits of personal information wider and into my direct network of contacts.
I'd much prefer a qualification requirement. Make me click a link in an email you send when I ask for information about an email address instead of providing unfettered access to a list of (breached) services the email was used for over the past decade.
I look at this differently. Your leaked data are in the public domain. Efforts are made to reduce risk, but the issue of "leaking" info is a bit nickpicky as the data isn't a risk and your hobbies are already out in the open.
Public domain doesn’t mean easily accessible. Even if I’m able to find an organize this data from torrents and online pastes, I wouldn’t use it unless the effort was worth it.
With tools like this your grandma will find out where you’re registered to.
An easy fix would be to deliver the results to my email.
What this is effectively asking is that no non-technical person ought to have the ability to be made aware that their data has been stolen. As far as I'm concerned, the amount of actual good done by haveibeenpwned far outweighs these theoretical risks--especially so if it becomes popularized more among non-technical people, as is being done here, because it lessens the power asymmetry that technical people currently enjoy by dint of being able to find and process these already-public datasets.
I have many email addresses, so this service is useless to me. However, it seems like Firefox could integrate this into the browser itself to check all email/password combinations protected by its master password.
Slightly related, why the doesn’t Firefox offer to generate strong passwords like Safari does?
I have a similar issue. I use 'keyed' email addresses, in my case the domain is contained in the address (myname_domain@mydomain.com). This is an included feature in many mailers, even google supports it youraddress+key@gmail.com. Anyway, it won't work unless Firefox Monitor supports wildcards.
IMHO the choice of name is unfortunate --- "Firefox Monitor" just sounds more like another invasive telemetry thing than anything else, and the word "monitor" itself (outside the context of the computer display) carries surveillance connotations. "Firefox Leakchecker" or similar would be clearer.
"This is major because Firefox has an install base of hundreds of millions of people which significantly expands the audience that can be reached once this feature rolls out to the mainstream. [...] I'm really happy to see Firefox integrating with HIBP in this fashion, not just to get it in front of as many people as possible, but because I have a great deal of respect for their contributions to the technology community. [...] They've also been instrumental in helping define the model which HIBP uses to feed them data without Mozilla disclosing the email addresses being searched for."
In that case, all that is leaked is your email address, which is probably in every email database already. Email addresses are not terribly easy to keep secret anyway.
the only reason I will try it because its from Mozilla, an org I have been following from many years otherwise I dont beleive in have I pawned or sth. It looks very fishy providing your email ID, ok if I am not pawned but I ended up providing my email id, which might be sold further :|
Such a shame the website isn't available in multiple languages. It seems it would be easy enough to understand for non-technical people, but in English only.
We have wrapped the /scan endpoint in rate-limiting to mitigate and alert on abusive scanning. We are fine-tuning the rate limit as we see more real user traffic coming in.
This is a good thing, but frankly I would rather Mozilla fix their own stuff first, like that password manager that is synchronized across instances but unlocked by default... You have to remember to set a (new and local) master-password after each install. Not optimal.
Why would you think this project, and the things you're talking about, are the work of the same teams in a 1000 employee company? It's far more likely that there's twenty different things all moving at the same time, and this happened to be just one of them.
Your isValidEmail() function is incorrectly and redundantly implemented.
function isValidEmail(e) {
const b = /^(([^<>()[\]\\.,;:\s@"]+(\.[^<>()[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/;
return b.test((e + "").toLowerCase())
}
1. The valid email address n@ai (which used to be the real maintained email address of Ian Goldberg) doesn't pass this function. People can put DNS records on TLDs.
2. You're calling toLowerCase() yet the regex is already case-agnostic.
If you're going to attempt email address validation, either go all out[1], or just use isValidEmail=(e)=>~e.indexOf("@")
I disagree. While n@ai might be a technically valid email, its such a extreme edge case ( maybe 1 out of 1,000,000 people have a email like this) that its worth denying that person registration to keep the likely thousands of erroneous emails from being entered incorrectly and the time that goes into correcting them. Same thing goes for addresses like "<>;@\'`{}|.a"@παράδειγμα.δοκιμή
Honestly, if you decide to use a email like n@ai you already know what to expect. Most services wont let you sign up, And even if they do most will likely incur errors in the application when you attempt to do things.
In reality, while it may be 'in spec' to use such a email, we can all hope that edge cases that allow it are changed and the legacy 'rules' that allowed it in the first place phased out completely.
So, in practice in the 'real world'- n@ai is not a valid email address and never will be. If I create a web application you can bet your bottom dollar I wont allow it and I will create less work for myself by doing so.
So people with an exotic email address can't use your service because you don't think their email is valid? The reason you don't see those exotic addresses are mostly because of bad programs not knowing how email works.
This reminds me of that story of a Chinese man unable to get registered at the bank because the computer systems don't have a character required to write his name.
Sure, "it only affects a small amount of people", but it shouldn't be that hard to just flag strange but valid emails with "your email looks strange, check it again and tick this box if you're 100% sure you typed it right" instead of outright refusing to work. The check box doesn't even need to be interpreted server side, this can be done in one or two lines of javascript.
So, thats more code you want me to write, to support how many total potential users on the planet? I'm good. They knew what they signed up for when they chose to use an email like that and I am sure every single one of them has another email they use for this case.
In fact, I bet many of them are so frustrated with the errors of nothing working that they dont even attempt to sign up for things with the email most times.
This is the only reply by someone with the right attitude, your the sort of person I'd like to work with and would want building the software I use. I'm just shaking my head at the rest of them, proud of mediocrity.
Right now Firefox Lockbox is not available everywhere and is not out on Android yet. That also would need to change fast for this to be adopted widely.
[1]: https://lockbox.firefox.com/