Have I been pwned, Firefox? OK, let's ask its Have I Been Pwned tool
Mozilla's Firefox Monitor makes a hash of email queries
Mozilla on Tuesday debuted a service called Firefox Monitor that it has been testing to help people see whether their email addresses have been compromised.
"We’ll let you know if your email address and/or personal info was involved in a publicly known past data breach," said Nick Nguyen, Mozilla's VP of Firefox Product, in a blog post. "Once you know where your email address was compromised you should change your password and any other place where you’ve used that password."
Firefox Monitor is basically a wrapper for Have I Been Pwned (HIBP), a sprawling database of several billion email addresses (and, separately, passwords) that have shown up in spilled data. Monitor consists of an input form – with Firefox download links – that submits hashed email addresses to HIBP and performs a bit of processing on the returned data.
Its main virtue is the hashing, a one-way mathematical transformation of data. The service creates a SHA-1 hash of the submitted email address and takes the first six characters – firstname.lastname@example.org, for example, becomes 567159D622FFBB50B11B0EFD307BE358624A26EE – and submits them to HIBP's hash range query API. HIBP then returns a range of possible matches, if any, to the six-character string, without ever handling the full email address.
Firefox Monitor then iterates through the supplied list, searching for a match of the full email address hash. If found, it tells the user that the email address at issue has been spotted in a data dump, which means the account owner should change the password to avoid being hacked.
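The client/server split described above, written out as an added Python example (not Mozilla's or HIBP's code): the server side is a constructed in-memory stand-in for HIBP, the six-character prefix follows the article, and lower-casing the address before hashing is an assumption, since the article does not describe any normalisation.

```python
import hashlib

PREFIX_LEN = 6  # the article: first six hex characters of the SHA-1 hash go to HIBP


def email_hash(email: str) -> str:
    """SHA-1 of the address as upper-case hex. Trimming and lower-casing first
    is an assumption; the article does not describe HIBP's normalisation."""
    return hashlib.sha1(email.strip().lower().encode("utf-8")).hexdigest().upper()


# --- constructed stand-in for the HIBP side (not the real service) ---
BREACHED_EMAILS = ["victim@example.org", "another.victim@example.net"]  # constructed
BREACH_INDEX = {email_hash(e) for e in BREACHED_EMAILS}
# A second constructed hash that shares the victim's six-character prefix, so the
# range response carries more than one candidate and the server cannot tell which
# one (if any) the client is actually looking for.
_victim_prefix = email_hash("victim@example.org")[:PREFIX_LEN]
BREACH_INDEX.add(_victim_prefix + "0" * (40 - PREFIX_LEN))

SENT_TO_SERVER = []  # records everything that crosses the wire, for inspection


def range_query(prefix: str) -> list:
    """Server side: given only a prefix, return the suffixes of every indexed
    hash starting with it. Neither the address nor its full hash reaches here."""
    SENT_TO_SERVER.append(prefix)
    return sorted(h[PREFIX_LEN:] for h in BREACH_INDEX if h.startswith(prefix))


# --- client side, the part Firefox Monitor does on the user's behalf ---
def is_breached(email: str) -> bool:
    full = email_hash(email)
    prefix, suffix = full[:PREFIX_LEN], full[PREFIX_LEN:]
    # Only the prefix leaves the client; matching the remaining 34 characters
    # against the returned candidates happens locally.
    return suffix in range_query(prefix)


if __name__ == "__main__":
    for addr in ("victim@example.org", "nobody@example.com"):
        print(addr, "->", "found in a breach" if is_breached(addr) else "not found")
    print("sent to server:", SENT_TO_SERVER)
```

Inspecting SENT_TO_SERVER after a lookup shows that each query exposes exactly six hex characters, which is the whole privacy argument the article makes.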
HIBP works fine without Firefox Monitor – and has been integrated into other products like 1Password – but other systems involve submitting an email address directly to the site without hashing. This may seem like a quaint concern when looking into whether one's email address and password have already been exposed online. But it may matter to some.
In an email to The Register, a Mozilla spokesperson explained that Firefox partnered with Troy Hunt, who runs HIBP, to make it easier for internet users to access the service.
"Our first step is to bring the data in HIBP and surface it to users through our website and in-product notifications for Firefox users," Mozilla's spokesperson said.
"One difference for now is that sensitive sites will only be sent to you after you've verified your email to help keep you safe. There are future plans to integrate it more deeply into the Firefox and future products that are underway." ®