[Freaky]

> I've used CrashPlan a lot and basically take it on faith that it's secure

They use Blowfish. Says it all really - their default encryption is a long-obsolete 64-bit block cipher you might have picked in 1999 because it was faster than 3DES.

I can only assume they do this because migrating would cost them money, and being able to advertise "448 bit encryption" actually sounds like a plus to most people and not the glaring red flag it actually is.

> it seems like their software is still first rate

What, like their backup client that can't actually do restores? It's still all "log in to our website and let us decrypt your data for you" :/

[Osmium]

> They use Blowfish. Says it all really - their default encryption is a long-obsolete 64-bit block cipher you might have picked in 1999 because it was faster than 3DES.

Not defending it, because I know it's old and there are weaknesses, but aren't Blowfish and 3DES both still technically secure? This is a genuine question. It was my understanding that if implemented correctly, with a random key etc., that neither has been formally broken. 3DES is 2^112 no? which is still not practically accessible by brute force. Not that this means anyone should use them, of course, AES is a standard for a reason...

As you say, I had just assumed the migration cost was too high to move to something newer, but I don't think it necessarily means data stored there is unsafe?

[Freaky]

Sure, but it's not exactly putting them in a good light is it? Dressing up obsolete stuff as state of the art "same as your bank uses", while either being unwilling or unable to migrate to something more era-appropriate.

Calls into question their competence, their honesty and their architecture all at once.

[dragontamer]

Wait, what about Blowfish is insecure? BCrypt is built on top of Blowfish.

Blowfish supports key-lengths up to 448-bits. And I've never heard of a single criticism of the function. Its just kinda... less used than Rijndael because it didn't "officially" win the contest. But otherwise, it is a fine function.

EDIT: Confused Twofish with Blowfish in the AES finalists.

[Freaky]

Obsolete is not the same as insecure. But it is old, it does have its weaknesses, and there have been better options out there for a very long time. Why continue to use it? Is upgrading your crypto that difficult that you'd rather just leave it for another decade or two?

It also calls into question the nature of all the other crypto they're using - is that all >20 years old too? Still tuned for a world of 486's and 68040's?

[tedunangst]

The 64 bit block size is a (minor) problem if you're storing lots of data because you start seeing duplicates.

[Osmium]

Doesn't this depend on the mode of operation/block chaining? Or is it an issue regardless?