Implement Web interface to view Vivaldi Sync data online in any browser
-
Vivaldi Sync contains useful data, that needed often, especially Bookmarks, Notes, Passwords. And quite often this data is needed when you are not using your computer.
And now for gain one-time access to your synced data in some external computer (eg in grandma computer) to quick one-time lookup some one thing, we need to install Vivaldi, configuring sync and wait for sync to finish, and not forgot to remove all data, after you finish working.
The very convenient solution for this problem can be implementing web interface on Vivaldi website for view and operate (filter, search) with your synced data online from any other computer.
At least read-only viewing will be great, but writing will be good to have too.
This will be the great benefit of Vivaldi Sync, comparing to other browser's Sync solutions. Mozilla tried to do this on first stages of developing Weave, but seems abandoned it.
-
@murz It would be both a major undertaking and a significant security risk. So I would not expect it any time soon.
That said, back the the day, MyOpera offered it, so it could potentially come here, too.
-
@ayespy said in Implement Web interface to view Vivaldi Sync data online in any browser:
significant security risk
Installing Vivaldi on other people PC and temporary configuring sync to your account is much more security risk, than one-time logging into Vivaldi account in Guest window, looking needed info and logging out
But I understand that this is the long way to implement such feature, so will very wait!..
-
@murz Just having web interface available for sync data is the security issue. It means a hacker does not need physical access to your machine to access your data.
-
@ayespy But what is the difference of web access security, vs when hacker installs the Vivaldi browser on his own computer and configure the sync to your account?
-
@murz technically, very little. But first the hacker must know how to be "you" in Vivaldi. A web interface is a larger attack area.
-
Because Sync contains potentially very sensitive information (possibly including passwords), we are very serious about the security of the synced data. You may remember that you were asked to create an encryption password when setting up Sync, in addition to logging in with your vivaldi.net account password. When you connect to Sync, your vivaldi.net password is sent (hashed and encrypted) to our login servers to verify your access to the account. However, the encryption password is never sent to our servers. It is kept solely on your device(s) and used to decrypt the data locally. This is how we ensure that your data is end-to-end encrypted.
What this means in terms of this request is that any web server we would set up to provide access to your synced data would not actually be able to decrypt your synced data, and we definitely would not want to provide users with the ability to enter their encryption password in to a web form to do the decryption. Anyone doing so would immediately defeat the benefits of end-to-end encryption.
Having said that, it would theoretically be possible to have Javascript on the page perform the decryption of the data without ever sending your encryption password to the server, but you would have no guarantee of that safety without thoroughly auditing the source code of the web page.
So, this request is not impossible, but it definitely has security implications.
-
@Murz I think there is definitely something to be done about web access to at least some of the data. Even in read-only form as suggested.
I did a search in the forum, and did not find this page, so I went ahead and created a new feature request. Maybe we can concentrate on that one: https://forum.vivaldi.net/topic/77855/make-bookmarks-and-tabs-available-on-the-web
It seems a fair number of people want access to some of their data on the web. And one of the major reason is iOS.
-
@thomasp You do realize that this is how respectable password managers do it; They decrypt locally in javascript, never sending the password away.
As for the "guarantee" of the page source code, it would be on you. I understand that you may be reluctant to take that responsibility, but you are also responsible for the source code of Vivaldi, which has a similar threat model.
Not only that, but the access could be controlled by a setting: If I don't want access to passwords on the web, I remove the setting for password access on the web. Of course at this point you can start chasing your tail by arguing that hackers could change the settings too, etc. But if those settings can only be done in the Vivaldi browser, you're back to the same threat model you have now, and everybody is happy (ier).
In any case, it might be better to let users decide what is "sensitive" information. If you don't want to take responsibility for the password, that is understandable, but other aspects could be made available.
PS: Since you mention it, I just wanted to say that the dual password setup is cheap. There are better ways to manage dual access with a single password. Most password managers do.