<html> <head> <style></style></head> <body class='hmmessage'><div dir='ltr'> I use "SpiderOak" because it offers client-side encryption. It provides the security & privacy I seek.<br><br>I'd prefer to use Ubuntu One, but until it supports client-side AES 256-bit encryption & additionally encrypts the decryption key itself (like SpiderOak does) I won't even consider it.<br><br><br><div><div id="SkyDrivePlaceholder"></div><hr id="stopSpelling">From: jtodd929@hotmail.com<br>To: m@funkyhat.org; ubuntu-devel-discuss@lists.ubuntu.com<br>Subject: RE: Ubuntu One needs cloud encryption like LastPass does it<br>Date: Sat, 24 Mar 2012 08:57:19 -0400<br><br> <meta http-equiv="Content-Type" content="text/html; charset=unicode"> <meta name="Generator" content="Microsoft SafeHTML"> <style> .ExternalClass .ecxhmmessage P {padding:0px;} .ExternalClass body.ecxhmmessage {font-size:10pt;font-family:Tahoma;} </style> <div dir="ltr"> Even assuming this is true, why is it still not a good idea for Ubuntu One to implement the same encryption setup of the user having the only key.<br><br><div><div id="ecxSkyDrivePlaceholder"></div>> From: m@funkyhat.org<br>> Date: Sat, 24 Mar 2012 02:00:20 +0000<br>> Subject: Re: Ubuntu One needs cloud encryption like LastPass does it<br>> To: jtodd929@hotmail.com<br>> CC: jordon@envygeeks.com; ubuntu-devel-discuss@lists.ubuntu.com<br>> <br>> On 23 March 2012 23:36, Jason Todd <jtodd929@hotmail.com> wrote:<br>> > Guys, please read these (or listen to the podcasts):<br>> > http://www.grc.com/sn/sn-256.htm<br>> > http://www.grc.com/sn/sn-257.htm<br>> ><br>> > Things being said seem to conflict with what I learned from this episode of<br>> > security now on how lastpass works. Essentially: LastPass is very secure and<br>> > no one can access the data except the user.<br>> <br>> LastPass may be secure today, but it is trivially easy for LastPass<br>> (or a hypothetical attacker who gains access to LastPass's<br>> infrastructure) to compromise that security simply by replacing the<br>> javascript code which does the client side encryption and decryption<br>> with some code that also passes the encryption key back up to the<br>> server (or wherever).<br>> <br>> -- <br>> Matt Wheeler<br>> m@funkyHat.org<br></div> </div> <br>-- Ubuntu-devel-discuss mailing list Ubuntu-devel-discuss@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss</div> </div></body> </html>