Last November, we reported that Mozilla engineers were working on an upcoming Firefox feature that would warn visitors to a site if their credentials had been compromised there. The notification system relies on the database of Have I Been Pwned?, the website run by security researcher Troy Hunt that indexes public data breaches and lets users search to see whether their data was exposed in one of these incidents.
At that time, the tool was still just a prototype, and the system boiled down to displaying a notification bar when a user visited a site listed on haveibeenpwned.com as having suffered a breach. The prototype also included an input field. That field did nothing yet, but we assumed it was there to let users check whether their own data had been exposed in the breach of the site they were visiting.

This time, Mozilla has announced that in the coming weeks it will launch Firefox Monitor, a tool that returns results from the Have I Been Pwned (HIBP) service. Firefox Monitor will initially be opened to approximately 250,000 users, primarily in the United States, with a wider release schedule to follow once the tests are complete.
Commenting on the announcement, Troy Hunt said: "Last November, the press reported that Mozilla would integrate HIBP into Firefox. I was a little surprised at the time because it was nothing more than their Breach Alerts feature, which simply highlighted whether the visited site had ever been a victim of a data breach (it pulls that from the HIBP API). But the press picked up some signals that in the long run we had more ambitious plans than that, and the whole thing got too much attention. I ended up doing a bunch of media calls just to talk about this little feature; people liked the idea of HIBP in Firefox, even in a very simple form. In the end, we had much more ambitious plans, and that's what I'm sharing here today."

For Hunt, this tool matters "because Firefox has an install base of hundreds of millions of people, which greatly expands the audience that can be reached once this feature is widespread."

Rather than sending the user's plaintext email address from Firefox Monitor to HIBP, the tool uses the k-anonymity model that Cloudflare helped design for Pwned Passwords: the client sends only the first six characters of the SHA-1 hash of the address, and HIBP returns every hash in its database that shares that prefix. The client then checks locally whether its full hash is among them. Hunt said that an average of 185 hashes is returned per query.

He said: "When this feature was launched, Cloudflare did a good job on a 'k-anonymity' model that works like this: when searching HIBP for a password, the client actually SHA-1 hashes it, then takes the first five characters and sends them to the API. In response, a collection of hashes matching this prefix is returned (477 on average). Looking at the hash prefix sent to the service, I have no idea what the password is. It could be any of those 477 hashes or it could be something totally different; I do not know. Of course, I could always speculate based on the prevalence of each password, but it would never be anything more than that: speculation."

For privacy reasons, Hunt explained, he had to decide how many characters of the SHA-1 hash to use for the range search: few enough that each range returns a large enough set of hashes that there is no reasonable way to tell which address was searched for, but not so few that the response grows large and slow, since a shorter prefix means more hashes per range.

"For Pwned Passwords, this number was 5 characters, which gave 16^5 possible search ranges, which on a 500M dataset meant the 477 results per range mentioned above. However, if I had used 5 characters with 3.1B email addresses, each range would contain an average of almost 3K results, which is starting to become quite large. That's why I decided to go with 6 characters, which means 16^6 possible ranges with an average of 185 results per range."
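The range-query scheme described above, as an added example that is not part of the original article and not Mozilla's or HIBP's code. Both sides of the exchange are simulated in one process: a small constructed corpus stands in for the HIBP database (the real service is not contacted), the "server" only ever sees the hash prefix, and the client finishes the match locally. The prefix lengths (5 for passwords, 6 for email addresses) and the average-range-size arithmetic follow Hunt's figures; the `SUFFIX:COUNT` response format mirrors the public Pwned Passwords range API, while the email range endpoint is not public and is an assumption here.

```python
import hashlib
from collections import defaultdict

# Constructed sample corpus (not real HIBP data): value -> number of times seen.
SAMPLE_PASSWORDS = {"password": 3, "letmein": 2, "hunter2": 1, "correct horse battery staple": 1}
SAMPLE_EMAILS = {"alice@example.com": 2, "bob@example.org": 1}


def sha1_hex(value: str) -> str:
    """Upper-case hex SHA-1 digest, the form HIBP uses for its hashes."""
    return hashlib.sha1(value.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: dict, prefix_len: int) -> dict:
    """Simulated server side: bucket every hash in the corpus by its first
    `prefix_len` hex characters, storing (suffix, count) pairs per bucket."""
    index = defaultdict(list)
    for item, count in corpus.items():
        h = sha1_hex(item)
        index[h[:prefix_len]].append((h[prefix_len:], count))
    return index


def range_query(index: dict, prefix: str) -> list:
    """Simulated server response for one range request: every hash suffix in
    the requested range as 'SUFFIX:COUNT' lines. The server learns only the
    prefix, never the full hash or the value behind it."""
    return [f"{suffix}:{count}" for suffix, count in index.get(prefix.upper(), [])]


def k_anon_lookup(value: str, index: dict, prefix_len: int) -> int:
    """Client side: hash locally, send only the prefix, then compare the
    remaining suffix against the returned range on the client.
    Returns the breach count for `value`, or 0 if it is not present."""
    h = sha1_hex(value)
    prefix, suffix = h[:prefix_len], h[prefix_len:]
    for line in range_query(index, prefix):
        returned_suffix, count = line.split(":")
        if returned_suffix == suffix:
            return int(count)
    return 0


def expected_range_size(dataset_size: int, prefix_len: int) -> float:
    """Average hashes per range if hashes are spread uniformly over the
    16**prefix_len possible hex prefixes (assumption: uniform distribution)."""
    return dataset_size / (16 ** prefix_len)


if __name__ == "__main__":
    pw_index = build_range_index(SAMPLE_PASSWORDS, 5)
    email_index = build_range_index(SAMPLE_EMAILS, 6)
    print("'password' seen:", k_anon_lookup("password", pw_index, 5))
    print("alice@example.com seen:", k_anon_lookup("alice@example.com", email_index, 6))
    # Hunt's sizing argument: 500M passwords over 5-char ranges vs 3.1B emails
    # over 5- and 6-char ranges.
    print("500M / 16^5 =", round(expected_range_size(500_000_000, 5)))
    print("3.1B / 16^5 =", round(expected_range_size(3_100_000_000, 5)))
    print("3.1B / 16^6 =", round(expected_range_size(3_100_000_000, 6)))
```

With a corpus this small most ranges hold a single hash, so the anonymity set is only meaningful at HIBP's scale; `expected_range_size` is the part that shows why 5 characters is comfortable for 500M passwords (about 477 per range) but pushes 3.1B addresses to almost 3,000 per range, which is what motivates the 6-character prefix (about 185 per range).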
