Firefox hooks up with HaveIBeenPwned for account pwnage probe

For now, let's ponder browser version 61 adding code that lets extensions close tabs

Firefox has started testing an easier way for users to check whether they're using an online service that has been hacked, through integration with Troy Hunt's HaveIBeenPwned database.

The hookup will work like this: a user's email address is hashed, and part of that hash is used to check whether the address appears in HaveIBeenPwned's database of 5.1 billion email addresses linked to compromised internet accounts.

The “Firefox Monitor” test will start with 250,000 users, mostly in the US, according to Mozilla's announcement this week.

Mozilla first revealed its work on the tool in November 2017, and said at the time that a major challenge was checking a user's data against HaveIBeenPwned without risking user privacy.

Back then, developer Nihanth Subramanya posed that problem this way: “Who is the custodian of this data? Can we avoid sending user data to haveibeenpwned.com? Can we still offer useful functionality to users who opt out of subscribing their email address?”

Working with Hunt and Cloudflare, Mozilla has come up with an anonymisation approach called k-Anonymity.

Instead of plaintext queries, Firefox Monitor's approach is to use “hash range query API endpoints” to handle the data. “When a user submits their email address to Firefox Monitor, it hashes the plaintext value and sends the first 6 characters to the HIBP API. For example, the value 'test@example.com' hashes to 567159d622ffbb50b11b0efd307be358624a26ee”, according to a blog post explaining the k-Anonymity mechanism.

That isn't going to yield a single exact match, so Firefox Monitor loops through the objects returned by the API “to find which (if any) prefix and breached account HashSuffix equals the user-submitted hash value”.

Here's a bit more explanation:

Firefox Monitor discovers that “test@example.com” appears in the LinkedIn breach, but does not disclose plaintext or even hashes of sensitive user data. Further, HIBP does not disclose its entire set of hashes, which allows Firefox users to maintain their privacy, and protects breached users from further exposure.

Troy Hunt wrote that the average k-Anonymity API query returns 477 responses.
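The prefix-and-suffix exchange described above, sketched as an added example (not code from Mozilla, HIBP or Cloudflare). `MockRangeServer`, the `Breaches` field and the two decoy entries are constructed for illustration; only the 6-character prefix and the `HashSuffix` field name come from the article.

```python
import hashlib

PREFIX_LEN = 6  # hex characters of the SHA-1 sent to the server, per the article

def sha1_hex(email):
    return hashlib.sha1(email.encode("utf-8")).hexdigest()

class MockRangeServer:
    """Hypothetical stand-in for a hash range endpoint (no network involved)."""
    def __init__(self, hash_to_breaches):
        self.buckets = {}   # prefix -> list of {"HashSuffix", "Breaches"} objects
        self.seen = []      # everything a client ever disclosed to the server
        for full_hash, breaches in hash_to_breaches.items():
            entry = {"HashSuffix": full_hash[PREFIX_LEN:], "Breaches": breaches}
            self.buckets.setdefault(full_hash[:PREFIX_LEN], []).append(entry)

    def range_query(self, prefix):
        self.seen.append(prefix)
        return self.buckets.get(prefix, [])

def check_email(email, server):
    """Return (breach names, bucket size); the match is decided client-side."""
    full_hash = sha1_hex(email)
    prefix, suffix = full_hash[:PREFIX_LEN], full_hash[PREFIX_LEN:]
    candidates = server.range_query(prefix)  # only the prefix leaves the client
    for entry in candidates:
        if entry["HashSuffix"] == suffix:
            return entry["Breaches"], len(candidates)
    return [], len(candidates)

def build_sample_server():
    """Constructed data: one real hash plus two decoys sharing its prefix."""
    target = sha1_hex("test@example.com")
    prefix = target[:PREFIX_LEN]
    return MockRangeServer({
        target: ["LinkedIn"],
        prefix + "0" * 34: ["ConstructedBreachA"],
        prefix + "f" * 34: ["ConstructedBreachB"],
    })

if __name__ == "__main__":
    server = build_sample_server()
    for address in ("test@example.com", "nobody@example.org"):
        breaches, k = check_email(address, server)
        print(address, "->", breaches or "no match", "| bucket size", k)
    print("server saw only:", server.seen)
```

The server's record holds nothing but 6-character prefixes, so it cannot tell which entry in the returned bucket the client was asking about.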

The k-Anonymity feature was developed in cooperation with Cloudflare, whose Junade Ali provided this explanation in February, and it also forms the basis of Hunt's HIBP integration with 1Password.

However, don't expect the API to become available to the public, Hunt warned: “it could massively accelerate enumeration activities”.

Meanwhile, meet Firefox 61

While you wait for all that goodness to land in Firefox, the 61st version of its browser has become available.

Big features this time around include "Tab warming", which starts to load a tab once a pointer hovers over it, easier search engine management, plus an "Accessibility Tools Inspector" that lets "creators and developers to now easily make pages for users with accessibility requirements."

Another new feature is called "WebExtension Tab Management" and will mean that "WebExtensions can now hide tabs as well as manage the behavior of the browser when a tab is opened or closed, so you can expect to see exciting new extensions that take advantage of these features in the near future."

Exciting? We hope in a positive way, given the frequent presence of malicious browser extensions in app stores. ®

 
