Ubuntu One needs cloud encryption like LastPass does it

Bedwell, Jordon jordon at envygeeks.com
Fri Mar 23 23:25:04 UTC 2012


On Fri, Mar 23, 2012 at 1:34 PM, Sam Smith <smickson at hotmail.com> wrote:
> Everything you said, you can do with LastPass: "make it more convenient,
> access your files from anywhere (including the website), stream your own
> music, share your files"
>
> Using secure encryption that occurs on the computer before it leaves for the
> cloud does not prevent any of the things you seem to think it does.

The other gentleman is correct, for a service to be considered secure,
in real world terms and real world application you would not have
access to your data in decrypted form via a website, you would only be
able to download the encrypted pieces.

Secure encryption is not so secure when you decrypt it from a website
using a server that you originally tried to avoid having encrypt it.
What I am saying is, what is so secure about the encryption you are
using if you let a third party decrypt it, one that can obviously
intercept your key quite easily and decrypt it anytime they want to.
It's no more secure than just having them encrypt it with their own
keys that they make up for you, sort of like Dropbox. Actually, it's
a false sense of security they are giving you at this point, and in my
eyes a fraudulent claim of being more secure than others because 'you
control the encryption key' when in all honest opinions, they could
just intercept it anytime they wanted to so you are back to square
one. At this point, secure is out the door, and it's just become
another Dropbox, actually, one that just hasn't been called out about
it yet. Be round-a-bout with your terminology all you want so people
don't realise that they are no more secure than they were but the
truth is still there when you read between the evasion.
truth is still there when you read between the evasion.

The short of the short is, for a service to be truly secure the
company hosting it must not have access to any of the encryption keys
and only the encrypted data, your data is either encrypted and
unavailable, period, or your data is decrypted and available, not a
false sense of security where Jim thinks he's secure because he
controls the encryption key, not realising that the company claiming
he's more secure because he controls the encryption key, can in fact
intercept said key anytime they want to.  It's not security, it's
not-so-clever marketing.
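
The distinction drawn in the message above, as an added example that is not part of the original post and is not code from Ubuntu One, LastPass or Dropbox: a small Node.js model that records everything the hosting side receives in two flows, local encryption with ciphertext-only upload versus decryption through the website. All names (`HostingServer`, `clientSideUpload`, `webDecrypt`) are hypothetical, and scrypt with AES-256-GCM is an assumed choice of primitives.

```javascript
// Added illustration; every name below is hypothetical, not a real service's API.
const crypto = require('crypto');

// Models the hosting company: it can observe every value that is sent to it.
class HostingServer {
  constructor() { this.seen = []; this.blobs = new Map(); }
  receive(name, fields) {
    this.seen.push(...Object.values(fields).map(v => Buffer.from(v)));
    this.blobs.set(name, fields);
  }
  // True if any value the server ever received equals the given secret.
  sawSecret(secret) { return this.seen.some(b => b.equals(Buffer.from(secret))); }
}

function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32); // 256-bit key from passphrase
}

function encrypt(passphrase, plaintext) {
  const salt = crypto.randomBytes(16), iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { salt, iv, ct, tag: c.getAuthTag() };
}

function decrypt(passphrase, { salt, iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  d.setAuthTag(tag); // final() throws if the key or the data is wrong
  return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
}

// Flow A: encryption happens on the user's machine; only ciphertext is uploaded.
function clientSideUpload(server, name, passphrase, plaintext) {
  server.receive(name, encrypt(passphrase, plaintext));
}
function clientSideDownload(server, name, passphrase) {
  return decrypt(passphrase, server.blobs.get(name)); // runs locally
}

// Flow B: viewing files on the website; the passphrase is submitted to the
// server so that the server can decrypt, which means the server has seen it.
function webDecrypt(server, name, passphrase) {
  server.seen.push(Buffer.from(passphrase));
  return decrypt(passphrase, server.blobs.get(name)); // runs on the server
}
```

In flow A the server holds only the salt, IV, ciphertext and tag; once flow B is used a single time, the passphrase is among the values the server has observed, and every blob encrypted under it is readable by the host.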




More information about the Ubuntu-devel-discuss mailing list