<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>
Even assuming this is true, why is it still not a good idea for Ubuntu One to implement the same encryption setup of the user having the only key?<br><br><div><div id="SkyDrivePlaceholder"></div>> From: m@funkyhat.org<br>> Date: Sat, 24 Mar 2012 02:00:20 +0000<br>> Subject: Re: Ubuntu One needs cloud encryption like LastPass does it<br>> To: jtodd929@hotmail.com<br>> CC: jordon@envygeeks.com; ubuntu-devel-discuss@lists.ubuntu.com<br>> <br>> On 23 March 2012 23:36, Jason Todd &lt;jtodd929@hotmail.com&gt; wrote:<br>> > Guys, please read these (or listen to the podcasts):<br>> > http://www.grc.com/sn/sn-256.htm<br>> > http://www.grc.com/sn/sn-257.htm<br>> ><br>> > Things being said seem to conflict with what I learned from this episode of<br>> > Security Now on how LastPass works. Essentially: LastPass is very secure and<br>> > no one can access the data except the user.<br>> <br>> LastPass may be secure today, but it is trivially easy for LastPass<br>> (or a hypothetical attacker who gains access to LastPass's<br>> infrastructure) to compromise that security simply by replacing the<br>> JavaScript code which does the client side encryption and decryption<br>> with some code that also passes the encryption key back up to the<br>> server (or wherever).<br>> <br>> -- <br>> Matt Wheeler<br>> m@funkyHat.org<br></div> </div></body>
</html>