Feb 22 2020 05:51 PM
Firefox, Vivaldi and even Chrome have end-to-end encryption for sync. For Firefox, it's on by default.
Edge doesn't have that. That means that Microsoft can see all your bookmarks, tabs and history.
Edge's privacy policy doesn't say much specifically in regards to how data from Sync is used, only about how history and tabs are used for analytics if you opt in to that.
Feb 23 2020 12:51 AM
"Firefox, Vivaldi and even Chrome have end-to-end encryption for sync."
Source?
Feb 23 2020 01:52 AM
Vivaldi: "The data on your Sync account are encrypted. Please provide your encryption password to decrypt them."
Firefox: "Firefox Sync by default protects all your synced data so Mozilla can’t read it. We built Sync this way because we put user privacy first. In this post, we take a closer look at some of the technical design choices we made and why."
Chrome: "With a passphrase, you can use Google's cloud to store and sync your Chrome data without letting Google read it. ... Passphrases are optional. Your synced data is always protected by encryption when it's in transit."
Right now, Edge really is unique in offering no end-to-end encryption.
Sep 13 2020 08:07 AM
@ragingrei I agree here very strongly.
Browser sync is about as sensitive as data can get, as it is likely to contain all kinds of personal information, ranging from political opinions to social security numbers* and similar. If there is no end-to-end encryption, all of these can be exposed by rogue employees, successful external attacks, or plain misconfigurations. So it isn't even about trusting Microsoft as a company, E2EE is simply essential for damage mitigation.
Given that end-users cannot be expected to be aware of these concepts, really only Firefox gets it right, but Chrome at least allows the end-user to make it so.
Additionally, Edge is the first browser I have seen to enable Sync by default, making the default settings even more important.
* It isn't unlikely to see some websites transmit sensitive information through URI parameters, against all recommendations, so things like social security numbers can end up in the synchronized data like favorites. Other sensitive personal information is directly encoded in the bookmarks and, once sync for those is implemented, open tabs and history.
Dec 29 2020 12:50 AM
@ragingrei IMHO this thread remaining open is misleading. The use of "primary password", or former "master password" for example in Firefox is quite different than what is implied by your statement. It is utilized for local encryption.
Typically this is not required in a user's environment in Windows as apps and users can benefit from other means to protect their local data with their logon password. I won't go into details.
Of course data are encrypted by all browsers when synched with a backend service in a manner that in theory is not reversible by the service owners, as it requires the original account password of the user account on the service. The latter is available to the local browser but typically not to the service itself as it should in principle only store the hashed password.
Of course there are several techniques that allow secondary keys (backup or recovery keys) to unlock encrypted data with the user's password, however I want to believe that none of the big ones employs such a technique... I hope I won't be proven wrong, but in any case this has nothing to do with the master/primary password thing.
https://support.mozilla.org/en-US/kb/use-primary-password-protect-stored-logins
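Added illustration, not part of any post in this thread and not any browser vendor's actual implementation: a generic sketch of how a sync client can derive both a login token and an encryption key from the account password, so the service can authenticate the user without ever holding the key. The function names, the `example/...` labels, the salt handling and the iteration count are all assumptions made for the example.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumed work factor for this sketch


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand using HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def client_derive(password: str, salt: bytes) -> tuple:
    """On the device: stretch the password, then split it into two independent keys."""
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    auth_token = hkdf_sha256(stretched, salt, b"example/auth")    # sent to the service
    enc_key = hkdf_sha256(stretched, salt, b"example/encrypt")    # never leaves the device
    return auth_token, enc_key


def server_register(auth_token: bytes) -> dict:
    """On the service: keep only a salted, stretched hash of the auth token."""
    server_salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", auth_token, server_salt, PBKDF2_ROUNDS)
    return {"server_salt": server_salt, "verifier": verifier}


def server_login(record: dict, auth_token: bytes) -> bool:
    """On the service: check a presented auth token against the stored verifier."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_token, record["server_salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, record["verifier"])


if __name__ == "__main__":
    salt = b"constructed-account-salt"  # constructed sample value
    token, key = client_derive("correct horse battery staple", salt)
    record = server_register(token)
    # A second device with the same password and salt re-derives the same key.
    print("second device key matches:", client_derive("correct horse battery staple", salt)[1] == key)
    print("login ok:", server_login(record, token), "| key stored server-side:", key in record.values())
```

In such a design the property that matters is that the password itself is never sent to the service; if the raw password is submitted at login, the service can derive the encryption key regardless of what it stores afterwards.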
Dec 29 2020 01:22 AM
Questions & answers about Microsoft Authenticator app - Azure AD | Microsoft Docs
This is the same database and same encrypted passwords that Edge and Authenticator app both use.
This is because the Authenticator apps on Android and iOS are now password managers too.