by pchowdhry 4799 days ago
Agreed, no magic here. I rolled a quick version using Squid and GreasySpoon. Got it to work on SFDC and Gmail inside of a day. Using tags around the encrypted content and regex you could then feed the content into the decryption engine. Search works, etc. You could even use a unique IV per user to add a level of security, but it is by no means rock solid. It would however address some of the frequency analysis concerns, since if the encryption (tokenization??) was cracked it would only reveal the contents for a single user. That would work for the Gmail side, but doing it in SFDC is a whole other issue, and unless they have some Harry Potter stuff going on, is likely huff and puff.

Maybe the correct response here is an open source version of CipherCloud, built on open/published principles (to make it easy to verify the level of security provided).
I would be happy to post my code, but honestly the process is so embarrassingly simple, I'm sure others could do it better. Setting up the Squid proxy with SSL bump was more difficult than the code, as there are some great libraries out there. Using a reverse proxy and ICAP server, you need to parse all content using something like jsoup (regex if you really wanna hack). Jsoup grabs the element and you then run it through a great encryption library like Bouncy Castle. You then add some unique identifiers around it (!!) so that you can decrypt it using simple parsing to get the encrypted content. Plop it back into the content using your trusty GreasySpoon. And voilà, magic! All persisted data is encrypted. When data is pulled out you simply parse for the unique tag, and then run it through the decryption side. There are a number of things that you can do to increase the security of this implementation, with a little tweaking it works for searching, and the such, so Gmail is no problem. An app like SFDC with joins between records would be significantly more difficult to do properly. Doing it improperly is trivial, as you could just use all of the same keys and IVs per org (the unit of work in SFDC).
The response will be along the lines of "lacks our secret patent-pending military grade algorithms".
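
An added illustration, not code from any commenter or from CipherCloud, of the tag-and-encrypt gateway described in the comments above, written for Node.js rather than the jsoup/Bouncy Castle stack they mention. The keys, the HMAC-based per-user IV derivation and the sample rows are constructed assumptions; the block counts how many cross-user matches are visible in stored tokens with one IV per org versus one IV per user.

```javascript
const crypto = require('crypto');

// Constructed demo secrets; a real gateway would load these from a key store.
const ENC_KEY = crypto.createHash('sha256').update('constructed-enc-key').digest();
const IV_KEY = crypto.createHash('sha256').update('constructed-iv-key').digest();
const TAGGED = /!!([0-9a-f]+)!!/g; // "!!" markers around ciphertext, as in the comment

// One IV for the whole org: the "improper" setup from the thread.
const orgIv = () => Buffer.alloc(16, 1);
// Hypothetical per-user IV: HMAC of the user id, truncated to one AES block.
const userIv = (user) =>
  crypto.createHmac('sha256', IV_KEY).update(user).digest().subarray(0, 16);

// Outbound: encrypt a field value and wrap it in the markers.
function protect(value, iv) {
  const c = crypto.createCipheriv('aes-256-cbc', ENC_KEY, iv);
  const ct = Buffer.concat([c.update(value, 'utf8'), c.final()]);
  return `!!${ct.toString('hex')}!!`;
}

// Inbound: find every tagged token in the response body and decrypt it in place.
function reveal(body, iv) {
  return body.replace(TAGGED, (_, hex) => {
    const d = crypto.createDecipheriv('aes-256-cbc', ENC_KEY, iv);
    return Buffer.concat([d.update(Buffer.from(hex, 'hex')), d.final()]).toString('utf8');
  });
}

// Count pairs of rows from different users whose stored tokens are identical,
// i.e. what someone reading only the provider's database can correlate.
function crossUserMatches(rows, ivFor) {
  const tokens = rows.map((r) => ({ user: r.user, token: protect(r.value, ivFor(r.user)) }));
  let n = 0;
  for (let i = 0; i < tokens.length; i++)
    for (let j = i + 1; j < tokens.length; j++)
      if (tokens[i].user !== tokens[j].user && tokens[i].token === tokens[j].token) n++;
  return n;
}

// Constructed sample rows.
const rows = [
  { user: 'alice', value: 'Acme Corp' },
  { user: 'bob', value: 'Acme Corp' },
  { user: 'alice', value: 'Acme Corp' },
  { user: 'bob', value: 'Globex' },
];
console.log('shared IV:', crossUserMatches(rows, orgIv));
console.log('per-user IV:', crossUserMatches(rows, userIv));
```

A per-user IV only scopes the equality leak: repeated values inside one user's data still yield repeated tokens, which is what keeps search working and what keeps frequency analysis possible within that user.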