--- a/services/crypto/modules/utils.js
+++ b/services/crypto/modules/utils.js
@@ -51,17 +51,20 @@ this.CryptoUtils = {
 
   /**
    * Treat the given message as a bytes string and hash it with the given
    * hasher. Returns a string containing bytes. The hasher is reset if it's
    * an HMAC hasher.
    */
   digestBytes: function digestBytes(message, hasher) {
     // No UTF-8 encoding for you, sunshine.
-    let bytes = Array.prototype.slice.call(message).map(b => b.charCodeAt(0));
+    let bytes = new Uint8Array(message.length);
+    for (let i = 0; i < message.length; ++i) {
+      bytes[i] = message.charCodeAt(i) & 0xff;
+    }
     hasher.update(bytes, bytes.length);
     let result = hasher.finish(false);
     if (hasher instanceof Ci.nsICryptoHMAC) {
       hasher.reset();
     }
     return result;
   },
 

--- a/services/sync/modules/record.js
+++ b/services/sync/modules/record.js
@@ -119,17 +119,17 @@ CryptoWrapper.prototype = {
   _logName: "Sync.Record.CryptoWrapper",
 
   ciphertextHMAC: function ciphertextHMAC(keyBundle) {
     let hasher = keyBundle.sha256HMACHasher;
     if (!hasher) {
       throw new Error("Cannot compute HMAC without an HMAC key.");
     }
 
-    return CommonUtils.bytesAsHex(Utils.digestUTF8(this.ciphertext, hasher));
+    return CommonUtils.bytesAsHex(Utils.digestBytes(this.ciphertext, hasher));
   },
 
   /*
    * Don't directly use the sync key. Instead, grab a key for this
    * collection, which is decrypted with the sync key.
    *
    * Cache those keys; invalidate the cache if the time on the keys collection
    * changes, or other auth events occur.