by biot 4666 days ago
The issue here is that MEGA presents itself as "the privacy company" and makes some very careful claims about encryption:

  All files stored on MEGA are encrypted. All data transfers from and
  to MEGA are encrypted. And while most cloud storage providers can
  and do claim the same, MEGA is different – unlike the industry norm
  where the cloud storage provider holds the decryption key, with
  MEGA, you control the encryption, you hold the keys, and you decide
  who you grant or deny access to your files, without requiring any
  risky software installs. It’s all happening in your web browser!

It's true that everything is encrypted. And it's true that many cloud storage providers hold the decryption keys. It's also true that with MEGA, you hold the keys. What they carefully avoid claiming is that MEGA is unable to read the decryption keys.

All it takes is one court order in a country where MEGA operates ordering them to obtain the user-held decryption keys via the exact same method this bookmarklet demonstrates. MEGA doesn't even have to be involved. In the US, a National Security Letter to your ISP could lead to a man-in-the-middle attack with the help of an SSL certificate that the government orders a trusted CA to provide for MEGA's domain. At that point, all of MEGA's carefully-crafted claims about security are moot.

3 comments

Come on, MEGA is not about secure storage but about Dotcom being able to tell any copyright enforcement party that he can't tell whether bits he stores are illegal or not (and thus keep his business running).

If the government has compromised trusted CAs to do man-in-the-middle attacks, my thought is that they are only for 'intelligence' levels of actions, at least at this point in time. The government isn't going to tip its hand to foreign adversaries even to jail a few pedophiles (or other breakers of Federal law).

Maybe you missed it, but the DEA already uses the questionable NSA secret surveillance to find drug dealers, and constructs evidence against them to hide use of the surveillance.

Well, that's acceptable. It is the War on Drugs after all. We have no War on Pedophilia, so we can't use it to go after the pedophiles. /s

That's way too much trouble.

It's much easier to compromise the user's computer and install whatever type of "utilities" they need to recover whatever data they want.