Should Mega’s encryption be trusted?
By Meghan Kelly | VentureBeat.com,
Mega, the file storage and sharing company from the famed Kim Dotcom, launched last with intent to let you securely send and receive files in the cloud. The company promises that all transactions and files are encrypted, but some researchers are saying that encryption should not be trusted.
“Quite frankly it felt like I had coded this in 2011 while drunk,” Nadim Kobeissi, founder of CryptoCat, told Forbes.
Mega promises that all your files are encrypted while being transferred or stored, and that you are the only one with the power to grant people access to those files. The company says that you don’t have to download anything, “It’s all done in the browser!” That is, you, the user, hold the “decryption key” in your browser, as opposed to the cloud service provider holding the decryption key.
This means that not even Mega can get into your files.
But, as Forbes notes, researchers are saying this is easily broken into since the encryption is actually being handled all through code between Mega’s encryption server and your browser. Someone could theoretically jump into Mega’s servers, mess with the code being sent to your browser, and grab, change, or eliminate your decryption key.
Mathais Ortmann, Mega’s CTO, however, says that researchers didn’t check their facts. Mega explained to VentureBeat in an email that the site uses 2048-bit SSL, and says that a previously discovered cross site-scripting vulnerability was fixed an hour after it was originally reported to the site. Ortmann also says the company is working on a way to let users change their passwords — an issue that originally meant users would lose their content forever if they forgot their password or were hacked.
Some are saying the encryption might just be a way to alleviate Mega of any legal responsibility for copyrighted material — the issue Kim Dotcom had with MegaUpload. If all the data is encrypted, beyond Mega’s ability to decrypt and know what kind of data is flowing through it, then it seemingly can’t be held in court for copyright infringement.
DotCom announced yesterday that the site, which launched last week, has already seen upwards of one million users sign up. Of course, there’s no corroborating evidence, but the traction might make sense. MegaUpload, DotCom’s original company that got him arrested for copyright violations, money laundering, and other charges, claimed to service four percent of the Internet. All those users were dispelled after the shut down, and many loyalists might have flocked to Mega upon launch.
Copyright 2013, VentureBeat