Edge continues to be the only major browser with no end-to-end sync encryption

Contributor

Every other browser, including Chrome, does end-to-end encryption.

 

Before, there was no mention of Sync privacy under any privacy pages. The Edge Privacy Whitepaper now describes how Edge secures Sync data:

 

All synced data is encrypted in transit over HTTPS when transferred between the browser and Microsoft servers. The synced data is also stored in an encrypted state in Microsoft servers. Sensitive data types such as addresses and passwords are further encrypted on the device before being synced. If you are using a work or school account, all data types are further encrypted before being synced using Microsoft Information Protection. All other synced data types are stored until you delete the data, the account is deleted, or the account becomes inactive. An account ID is attached to all synced data, as the ID is necessary to perform sync across multiple devices.

In other words, Microsoft employees can still see your browser history and any other sensitive information with the only exception of securely stored passwords.

 

Intentions aside, this is really just not a good look.

98 Replies

@ragingrei I may be wrong, but actually i think it's more not implemented for now than we don't want to implement it.

 

Because for instance the sync isn't finished on stable one, so i definitely thing they will do it later but, not forget even if they do it, some data will be accessible by Microsoft employee.

 

But in my end i prefer Microsoft employee than Google employee/bot, because if Microsoft screw up their privacy they have a lot to loose (since Entreprise use them), where Google read openly your data whiteout any shame.

 

but i really thing they will implement it later (if the US law don't forbid them before).

@Wittycat I'm not too sure why US law would forbid them from implementing proper e2e encryption if it allows every other major browser to do it.

 

I agree that I would much rather a Microsoft employee have access to my browser data than a Google employee, but the fact of the matter is that unless you have a weak key, they can't, whereas Microsoft, through Edge, can.

 

I don't think they're going to implement it unless they receive enough pressure. The fact that they updated their privacy page to include a lot of convincing-sounding talk about encryption, without actually doing it correctly, is very discouraging. It reads to me like they're trying to weasel their way out of it.

@ragingrei For the us law i think about the earn it law and other attend from all surveillance country to break encryption.

 

For Microsoft i just think they need more time to finish the sync (and since they are the first a really implement correctly the passwordless it's even possible that data are already planned to be encrypted without entering a password.

 

but like i said on stable one, sync isn't finished so i definitely think e2ee will arrive when they will have finished and totally stabilized the sync feature.

@Wittycat Is Sync really not complete? It's available in 86.0.622.63.

@ragingrei if you have access to it, you are a lucky person, because they have started the activation on dev very recently and me on stable it's disabled

Capture d’écran 2020-11-09 034713.png

 So i will wait and i'm pretty sure they will provide e2ee but only a member of microsoft can say for sure if it's in development or even planed.

@Wittycat Guess we'll have to see, but I'm not convinced that we shouldn't keep reminding them that this is important.

oh it's true and don't worry about that i will one of those who will ask them often where they are about that ^^, but for now i wait they have finished to implement sync on stable to everyone before asking them ^^
On Google Chrome, if you use end to end encryption (which Im sure they can still decrypt on their side) and then use Google search engine for your daily searches, then they still have your search history.

@HotCakeX That's true of any site that has cookies or requires user accounts. That's not a case where there's a reasonable expectation of privacy, so it's not nearly as much of an issue (though I personally use alternative search engines for this reason). Nor, importantly, is Google aware of what you do on the sites you navigate to from the search results, especially if you block tracking cookies, which a large portion of Internet users do. That's a massive difference from knowing every step you take and every tab you have open or have had open.

 

End-to-end encryption inherently is unbreakable by whomever is storing the data. That's the whole point of it. In fact, there are famous cases where Apple can't break phone encryption for police access.

 

There are probably some well-funded, shady organizations out there who can break it, but they can rarely act on it overtly, as then they would be revealing their capabilities to their adversaries, who would then change their encryption scheme.

 

Meanwhile, without end-to-end encryption, a disgruntled Microsoft employee, or one who gains permission for the sake of the interests of the company, can easily decrypt your entire browsing history and view everything you do in Edge. I'm not even sure it would be illegal for them to, outside the EU.

@ragingrei Microsoft employees should have access to our data, the only difference is that Google is stealing data while Microsoft gives you the option to disable tracking. Go to https://account.microsoft.com/privacy

@Kam 


@Kam wrote:
@ragingreiMicrosoft employees should have access to our data, the only difference is that Google is stealing data while Microsoft gives you the option to disable tracking. Go to https://account.microsoft.com/privacy

Wrong,

there is no "should" here. that's not how "privacy" works.

@HotCakeX Sorry, I meant we have control over our data if we use Microsoft.

@ragingrei 

Spoiler

@ragingrei wrote:

@HotCakeX That's true of any site that has cookies or requires user accounts. That's not a case where there's a reasonable expectation of privacy, so it's not nearly as much of an issue (though I personally use alternative search engines for this reason). Nor, importantly, is Google aware of what you do on the sites you navigate to from the search results, especially if you block tracking cookies, which a large portion of Internet users do. That's a massive difference from knowing every step you take and every tab you have open or have had open.

 

End-to-end encryption inherently is unbreakable by whomever is storing the data. That's the whole point of it. In fact, there are famous cases where Apple can't break phone encryption for police access.

 

There are probably some well-funded, shady organizations out there who can break it, but they can rarely act on it overtly, as then they would be revealing their capabilities to their adversaries, who would then change their encryption scheme.

 

Meanwhile, without end-to-end encryption, a disgruntled Microsoft employee, or one who gains permission for the sake of the interests of the company, can easily decrypt your entire browsing history and view everything you do in Edge. I'm not even sure it would be illegal for them to, outside the EU.


apple,. they can do it themselves, never believe just anything you read on the news.

there is also Israeli company that breaks apple phones and sells these technologies to whoever pays.

 

I have a legitimate question though, how can you know Google chrome has end to end encryption? how do you verify that?

 

how to be sure the password field for data encryption in Chrome isn't just a password field to grab your keywords, save them on their server as plain text, and then you get a message that your data is encrypted, and then you believe it. you can't know what actually happens on their end and whether or not your data is actually encrypted.

if you can, enlighten us too.

 

@Kam 

Okay, those privacy options on Microsoft website is different than the Edge history.

@HotCakeX so what does ragingrei even mean?!

@Kam 

Well, If you don't know what a topic is about you don't have to comment on it. that's what I'd do.

there is already enough explanation here.

@ragingrei @HotCakeX @Kam Don't forget that even if Edge exist on stable version it's an unfinished product for now (since all chromium function isn't there).

So all we have to do is wait, and ask Microsoft if they have planned this function and those wo want it will respond to them they want it.

If even if we argue 10 years here that will not change anything, so some of us already have done an asking for this feature, and if some don't have done it and want the feature they do it and after that we wait for edge to have finished to implement all chromium features.