Mozilla's security-focused Firefox Monitor tool is expanding to be more proactive at notifying users about past...
data breaches, but one expert worries about the consequences.
Mozilla began testing the initial integration between Firefox Monitor and Have I Been Pwned (HIBP) -- a website that enables users to find out if their email addresses were in data breaches, run by Troy Hunt -- in June with an option to search the HIBP data. Now, Firefox Monitor is expanding to include breach alerts when a user visits a website that has been recently compromised. When a user receives an alert, they will be able to click it to search HIBP and find out if their email address was involved in the breach.
Luke Crouch, privacy engineer at Mozilla, said breach alerts will include incidents that have been added to HIBP within the past 12 months, but only for the first alert sent. If the user has already seen a breach alert from Firefox, future alerts will only be sent for sites added to HIBP in the past two months.
"We believe this 12-month and two-month policy are reasonable timeframes to alert users to both the password-reuse and unchanged-password risks. A longer alert timeframe would help us ensure we make even more users aware of the password-reuse risk," Crouch wrote in a blog post. "However, we don't want to alarm users or to create noise by triggering alerts for sites that have long since taken significant steps to protect their users. That noise could decrease the value and usability of an important security feature."
Ilia Kolochenko, CEO of High-Tech Bridge, said users need to be aware that Firefox's breach alerts cannot be comprehensive since they rely on data from HIBP.
"The core problem is that the vast majority of data breaches do not become public, are disclosed with a considerable delay or, in the worst case scenario, are never even detected. If a website is not in a public database of recently breached websites, that does not mean anything," Kolochenko said. "The website can have critical vulnerabilities, backdoors and a long history of previous breaches that have skipped the public radar. Consequentially, the new feature may mislead future victims by providing them with a false sense of security."
Crouch said the aim of Firefox Monitor is to help bring awareness about data breaches to users who might not know if they've been affected, but admitted there are limitations to the scope of the breach alerts.
"Neither HIBP nor Mozilla can confirm that a user has changed their password after a breach, or whether they have reused a breached password elsewhere," Crouch wrote. "So we do not know whether an individual user is still at risk, and cannot trigger user-specific alerts."
Kolochenko also worried that Firefox's breach alerts may unfairly punish companies for past issues.
"Another serious issue here is that many customers will be scared by such notifications and will likely leave a previously breached website. However, most of those companies only started taking care of their corporate cybersecurity after a major and publicly exposed data breach," Kolochenko said. "Therefore, we may perfectly imagine a scenario when a breached company has a much better security than its careless but unexposed competitors. The road to hell is paved with good intentions, and this laudable initiative by Mozilla may unfortunately have more negative consequences than positive ones."
The new breach alerts will roll out to those using Firefox Quantum over the next few weeks and Crouch noted the current process of breach alerts "is an interim approach" and will change based on user feedback.
"When we launched our Monitor service, we received tremendous feedback from our early users that we're using to improve our efforts to directly address users' top concerns for their online service accounts," Crouch said. "Over the longer term, we want to work with our users, partners, and all service operators to develop a more sophisticated alert policy. We will base such a policy on stronger signals of individual user risk, and website mitigations."