Ubuntu One needs cloud encryption like LastPass does it

Dale Amon amon at vnl.com
Sun Apr 8 13:06:48 UTC 2012


On Sun, Apr 08, 2012 at 11:55:25AM +0800, John McCabe-Dansted wrote:
> > LastPass may be secure today, but it is trivially easy for LastPass
> > (or a hypothetical attacker who gains access to LastPass's
> > infrastructure) to compromise that security simply by replacing the
> > javascript code which does the client side encryption and decryption
> > with some code that also passes the encryption key back up to the
> > server (or wherever).
> 
> Hmm, in principle Firefox could support native encryption, where you
> add the key to Firefox directly before even visiting the website.
> Being a bit careful about frames and/or javascript should give you a
> secure solution. The major issue then is, if security matters to you,
> why do you want to access these files from the web? Are you sitting
> down on an untrusted computer and just blindly entering your encryption
> key?
> 
> Still, adding support for securely encrypted files as a cross browser
> standard seems like a fundamentally cool thing to do.

When Mozilla first came out, they had some built-in
encryption capability. The NSA folks forced them to
remove it and even the hooks. I kept my own copy
patched for a while. I just lacked the time. And then
Zimmermann and his PGP pretty much broke the back of
those efforts to keep strong encryption out of the
hands of real people and the capabilities gradually
returned.

Do not ever trust these people. If you have a company
that is US based (some other countries are probably
even worse), someone will show up (or less melodramatically,
you will receive a very official letter) and tell you that
you are going to co-operate with them. And that you really
do not have a choice.

A friend of mine who had his own small ISP for a few customers
had the FBI show up at his door to tell him that he
had to supply them with a link for monitoring his
dial up connections. He chose to remove the dialups entirely
and they went away.

Some ISPs here in the UK at one point got told they
had to supply a leased line to the police at their
own expense.

So make no mistake. Point to point encryption with
locally held secure keys is the *ONLY* choice if you
actually want privacy and not pretend privacy.




More information about the Ubuntu-devel-discuss mailing list