Naked Security Naked Security

Mozilla tests new Firefox Privacy Monitor tool

Mozilla’s enthusiasm for Troy Hunt’s Have I Been Pwned? service has cranked up a level with the news it plans to integrate its breach checking into a new tool called Firefox Monitor.

Mozilla’s enthusiasm for Troy Hunt’s Have I Been Pwned? (HIBP) has cranked up a level with the news it plans to integrate its breach checking into a new service called Firefox Monitor.
Once up and running, it will work in a similar way to the HIBP website itself – Firefox users will be able to check whether email addresses associated with online accounts have turned up in breached data know to HIBP.
Additionally:

The site will offer recommendations on what to do in the case of a data breach, and how to help secure all accounts. We are also considering a service to notify people when new breaches include their personal data.

The company will next week start sending out invites to 250,000 mostly US-based Firefox users to test Firefox Monitor for themselves.
The development is no surprise given that Mozilla last year trailed HIBP Firefox alerts, although these only activated when visiting a site that had been breached.
From Hunt’s point of view, the integration marks an important moment for HIPB, which despite its innovation still only reaches a tiny fraction of the 3.1 billion email addresses now in its database.
Wrote Hunt on the partnership:

I’m reaching 0.06% of them via the notification service and not a whole lot more in terms of people coming to the site and doing an ad hoc search (usually 100k – 200k people a day).

Adding Firefox to the fold extends that to the browser’s entire userbase, which numbers at least 170 million installs.
(In a separate announcement, HIBP is also being baked into 1Password, allowing users to search HIBP directly within 1Password, via the “Watchtower” feature.)
However, integrating with Firefox users comes with new demands – preserving privacy – which is why the other half of the Firefox announcement was taken up with how the two will ensure this when people run Firefox Monitor searches.


This will be done through Cloudflare’s implementation of a mathematical principle called k-Anonymity, which is already part of the way HIBP works as a way of ensuring performance but also to protect its API from abuse by cybercriminals.
The trick is to try and submit an email address without the service knowing for sure what it is. It sounds tricky but there is a way. Said Cloudflare in a recent blog:

The key problem in checking passwords against the old Pwned Passwords API lies in how passwords are checked; with users being effectively required to submit unsalted hashes of passwords to identify if the password is breached.

SHA-1 hashes of the email address could be submitted in a secure salted form but that would up the computational demands and slow response times.
In Cloudflare’s k-Anonymity, only the first six characters of the email address hash are sent to HIBP on Firefox’s behalf. The database then generates a list of all hashes it knows of that start with these characters, returning them in a single “bucket” to the client which compares them to a local hash – if it finds a match, then that email address has been leaked.
It’s a small trade-off, but also one that preserves as much privacy as possible without impacting performance.
To avoid the possibility of brute force attacks on the database itself, Firefox Monitor will not store queries or results.
It’s not clear how long Firefox Monitor’s testing phase will last but the company said it will announce its availability for all users in a future blog.