> I'm aware of the Chrome sync passphrase. If I used Chrome on Android (I don't—I use Firefox), would Chrome back my passphrase up to Google's systems? I dunno.
At least the docs claim that it's only saved on your device. You can believe it or not. There may be a way to verify that it's not being backed up with your normal Android data, but I'm not sure.
> Is the crypto behind Chrome's sync anywhere near as good as that behind Firefox's? Not last time I looked.
It's never been not good. Maybe you're thinking of back when they didn't have the option to encrypt all your sync data locally, just your passwords? It uses Nigori[1] and the source is all available[2].
At least the docs claim that it's only saved on your device. You can believe it or not. There may be a way to verify that it's not being backed up with your normal Android data, but I'm not sure.
> Is the crypto behind Chrome's sync anywhere near as good as that behind Firefox's? Not last time I looked.
It's never been not good. Maybe you're thinking of back when they didn't have the option to encrypt all your sync data locally, just your passwords? It uses Nigori[1] and the source is all available[2].
This is a little old, but it compares browser syncing security: http://gregoryszorc.com/blog/2012/04/08/comparing-the-securi...
> I'm also aware that email often travels via SSL—but it's always cleartext to the sending and receiving hosts
Fair enough, but if you're using PGP, those hosts are only the actual sender and recipient (and anyone the recipient shares an email with, of course).
[1] http://www.links.org/files/nigori-overview.pdf
[2] https://src.chromium.org/viewvc/chrome/trunk/src/sync/util/n...