I just have a small question about Firefox Sync. As we know, the data is symmetrically encrypted before it is sent to the server. However, everything is of course additionally secured by TLS.
This is also stated in the protocol description:
Note that all messages are delivered over an HTTPS connection. The
client browser may also implement cert-pinning to improve on the
certificate validation process. The protections described below are in
addition to those provided by TLS.
“may implement cert-pinning”: so how is this currently done in Firefox? Is key pinning used for the connection to Sync?
If so, what happens when you self-host your Sync server? Can you also define the public key used for pinning? (identity.sync.tokenserver.uri.keypin may be nice)
Additionally, is the cipher used for connecting to the server maybe also “pinned”? Because actually the SSL config is not really optimal:
(first screen from the site taken from services.sync.clusterURL in about:config)
Also I’d like to mention that your Sync servers run on Amazon AWS (at least the two I ran the SSL Labs scan on), which is a bit disappointing, because I thought they were somewhat more trustworthy (Mozilla-owned) servers running there.
As the content is of course encrypted, this is not that big a deal, but IMO it is still not so nice.
Another thing: when you create a FF account, change your password or sign up, you always do this at https://accounts.firefox.com. I had in mind that this was previously done on an internal Firefox page (like about:<...>), but maybe I am wrong.
In any case this would certainly be the better way to do it, because here the old JavaScript crypto issue comes to my mind: you load JS from another server which contains the crypto part, so the server could modify the JS file at any time and just add some code to send itself the password or do other bad things with it.
And if you got the password, you would obviously be able to decrypt all encrypted Sync content.
Additionally, the same things I said earlier also apply to accounts.firefox.com: Amazon AWS servers, TLS config could be improved (vulnerable to Logjam).