Mozilla has finally launched Firefox Monitor, a website that connects to Troy Hunt's Have I Been Pwned? (HIBP), one of the biggest breach notification databases. It can be used to check an email address against known breaches, or to register for breach notifications so that the user is alerted if the address turns up in future breaches logged by HIBP.
What are the advantages of using Firefox Monitor?
There are many advantages to using Firefox Monitor. Using the HIBP brand in conjunction with the Firefox name will allow the service to grow significantly, which in turn promotes breach checking. This also helps existing HIBP users: notifications from many more users increase the chances of early breach detection, sometimes letting users know about a breach before the affected company does.
When users hear that their email address has been part of a data breach they (should) change the affected password immediately, but a breach can take years to appear in HIBP. The Mozilla Foundation has been integrating breach notification into the Firefox browser itself. At present, it is managed by the password management tool called 1Password. Matt Grimes of Firefox said:
The product we shipped today isn’t the end of the road for Firefox Monitor. This is just an MVP [minimum viable product]. We aren’t done iterating and we probably won’t ever be.
There are also some extra hurdles for a service like HIBP and its partners to overcome regarding how internet users can enter searches for a breached email address, or even for a specific password (some of which are among the most commonly used in the world). In theory, the search could be submitted as a salted hash, but that would greatly increase the computational demands when coping with large numbers of queries. The company plans to host the service on Cloudflare; the mathematical technique used is called k-anonymity, and the company has also published a description of how the algorithm works.
How does the website work?
The website computes a SHA-1 hash of the given email address locally and queries the HIBP API with it; the API returns a list of hashes, which are compared on the client side. If one of them matches the locally generated hash, the address appears in a known breach. Cloudflare, who host Firefox Monitor, advise:
Instead of seeking to salt hashes to the point at which they are unique, we instead introduce ambiguity into what the client is requesting.
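The lookup described above, as an added example that is not Firefox Monitor's or HIBP's own code: a simulated server that holds only hashes, and a client that reveals just a short prefix of its locally computed SHA-1 hash (the k-anonymity range query the Cloudflare quote refers to) and finishes the comparison on its own side. The prefix length, the lower-casing of addresses and the sample addresses are assumptions constructed for the demo.

```python
import hashlib
from typing import Dict, Iterable, List

# Number of leading hex characters of the hash the client reveals.
# Assumption for this demo; HIBP's range API also works on a short prefix.
PREFIX_LEN = 6


def sha1_hex(value: str) -> str:
    """Hash an address locally. Trimming and lower-casing are a normalisation assumption."""
    return hashlib.sha1(value.strip().lower().encode("utf-8")).hexdigest().upper()


class BreachServer:
    """Simulated breach database. It stores only hashes, grouped by prefix,
    and records what each query reveals to it (constructed sample data)."""

    def __init__(self, leaked_addresses: Iterable[str]) -> None:
        self.buckets: Dict[str, List[str]] = {}
        for addr in leaked_addresses:
            digest = sha1_hex(addr)
            self.buckets.setdefault(digest[:PREFIX_LEN], []).append(digest[PREFIX_LEN:])
        self.seen_prefixes: List[str] = []

    def range_query(self, prefix: str) -> List[str]:
        """Return every stored suffix whose hash starts with `prefix`.
        The server never sees the full hash, so it cannot tell which entry
        in the bucket (if any) the client is actually interested in."""
        if len(prefix) != PREFIX_LEN or not all(c in "0123456789ABCDEF" for c in prefix):
            raise ValueError("prefix must be %d upper-case hex characters" % PREFIX_LEN)
        self.seen_prefixes.append(prefix)
        return sorted(self.buckets.get(prefix, []))


def check_address(server: BreachServer, email: str) -> bool:
    """Client side: hash locally, send only the prefix, finish the match at home."""
    digest = sha1_hex(email)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return suffix in server.range_query(prefix)


if __name__ == "__main__":
    # Constructed sample of "leaked" addresses; nothing here is real breach data.
    server = BreachServer(["alice@example.com", "bob@example.org", "carol@example.net"])
    for email in ("alice@example.com", "dave@example.com"):
        print(email, "-> breached" if check_address(server, email) else "-> not found")
    print("server only ever saw these prefixes:", server.seen_prefixes)
```

With a real database of hundreds of millions of hashes every prefix bucket holds many suffixes, which is what gives the server's view its ambiguity; the three constructed entries here will mostly land in separate buckets.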
To protect users' privacy, Firefox doesn't store any password hashes and only caches the user's results in an encrypted session.
Take your time to comment on this article.