Firefox sync security followup
After writing my blog article about the imminent forced migration of Firefox sync 1.1 to 1.5, I did receive a few emails, so here's a followup.
I am an experienced IT-security engineer, consultant and project manager with more than 10 years under my belt. In this category I publish my own whitepapers and findings as well as warnings and interesting information from other corners of the web.
A blog entry at the Mozilla website describes the roadmap for "upgrading" Firefox users to the new sync version 1.5, still without any functioning support for self-hosters.
German IT news service heise online reports on a dangerous change that comes with the update of Google's Android app store "Play". According to heise, after the update, app permissions will be organized in groups, and apps can request new permissions from a permission group for which they already have permission, without additional user approval. Until now, users have had to explicitly approve every newly requested permission on update.
I hold a Finnish identity card with a strong authentication certificate (FINeID). The FINeID website states that this card could also be used for online banking, so I contacted my bank, Nordea, and asked how to do that. The first answer was a mile-long copy-paste text about the FINeID card that gave no clear answer to my question, so I asked again and received the information that Nordea Finland offers any kind of card authentication only for business customers. After I pointed out that the current code system is obsolete and insecure and that I had already used HBCI cards for online banking in Germany 10 years before I moved to Finland, the customer service replied that Nordea's netbank code system was old-fashioned but quite secure.
Well, let's have a look at how secure the system really is...
After finding out about Google using data from my Android device at least for targeted advertising, I looked for alternative cloud services and other solutions.
Just a couple of days ago, I discovered that Google is analyzing Android address books to target advertising at the device's owner (see here). Now I discovered the next thing.