This is still possible with the new system, although I'll admit the ease and usability of such a setup needs work (and IIRC there are some changes required before Android devices can properly use a third-party server; it may take a few releases before this becomes as easy as it was with the old system).
> As it is, it's possible the new sync has a backdoor,
> even one many people at Mozilla don't know.
Both the client and server are open-source, and you can verify that the client follows the protocol [1] and doesn't leak anything more than a PBKDF2-stretched password derivative to the server. It's about as backdoor-proof as any client/server system is likely to get.
But yes, it is more dependent on the strength of your password than the previous sync system.
[1] https://github.com/mozilla/fxa-auth-server/wiki/onepw-protoc...
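
An added illustration of the client-side derivation the comment describes (not part of the original comment and not Mozilla's code): the password is stretched with PBKDF2, then HKDF splits the result into a value sent to the server and a key that stays on the client. The namespace string, round count, and HKDF labels are assumptions not stated on this page; check them against the protocol document at [1].

```python
import hashlib
import hmac

# Assumed constants (not given on this page); verify against the spec at [1].
NAMESPACE = b"identity.mozilla.com/picl/v1/"
PBKDF2_ROUNDS = 1000
KEY_LEN = 32


def hkdf_sha256(ikm: bytes, info: bytes, length: int, salt: bytes = b"") -> bytes:
    """HKDF (RFC 5869) with HMAC-SHA256: extract, then expand."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def client_derive(email: str, password: str) -> dict:
    """Derive what the client sends (auth_pw) and what it keeps (unwrap_key)."""
    salt = NAMESPACE + b"quickStretch:" + email.encode("utf-8")
    stretched = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS, KEY_LEN
    )
    return {
        "auth_pw": hkdf_sha256(stretched, NAMESPACE + b"authPW", KEY_LEN),
        "unwrap_key": hkdf_sha256(stretched, NAMESPACE + b"unwrapBkey", KEY_LEN),
    }


def login_request_body(email: str, password: str) -> dict:
    """Only the email and auth_pw leave the client; password and unwrap_key do not."""
    return {"email": email, "authPW": client_derive(email, password)["auth_pw"].hex()}


if __name__ == "__main__":
    # Constructed sample credentials, for illustration only.
    print(login_request_body("user@example.com", "correct horse battery staple"))
```

Because `auth_pw` is a deterministic function of the email and password, what the server holds is only as hard to guess as the password itself, which is the dependence on password strength the comment mentions.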