Tuesday, January 22, 2013

MEGA may have MEGA security issues??????

For those of you who are living under a rock, Kim Dotcom launched his new file-sharing website this past weekend called MEGA. It supposedly provides 50GB of FREE online storage with encryption capabilites.

The encryption "is less then ideal", according to Allan Woodward, from the Department of Computing at the University of Surrey. It's because it is all done through Javascript within a web-browser, which means that anyone who can break the SSL encryption on Mega could get a hold of the keys. The SSL encryption being used is only 1024-bit encryption, which can be broken easier then say 2048-encryption which is viewed as best-practice amoungst security experts.

Deduplication is another area of a possible security vulnerability. Deduplicaion of encrytped data requires that information to be decrypted, repackaged and then encrytped again. Basically this means that the files have the opportunity to be seen by someone if there was a man in the middle at which point the data was in the process of being decrypted and then repackaged and encrypted again.

Mega also uses Javascript's pseudorandom-number generator to produce keys which is also an issue as it is a method known to be predictable.

Last but not least is that currently a user has no way to recover their account if they forget their password. Mega has promised to let users reset passwords soon. So if you lose or forget your password, say goodbye to your files regardless of the level of encryption.

Keeping in mind all the security issues I have listed above, will you still use Mega to house your files? I am still undecided on whether I want to use the service and if I do, what files I may store there.

-Ubu out

No comments: