The cloud-storage service Mega's automatic file-encryption process does a great job of protecting Mega's business model, but isn't so good at protecting users' files.
"All that matters is Mega's ability to plausibly claim they don't have any way to identify copyrighted material on their servers, and my intuition is that this probably meets that technical bar," said encryption and security researcher Moxie Marlinspike.
Mega may also be able to change or remove the encryption used to load and access files without telling users, which would undermine the protections it offers.
"Mega controls the encryption algorithms being served to you," said Montreal-based security researcher Nadim Kobeissi. "They can serve you anything in place of legitimate encryption code, even code that sends your prior encryption keys to Mega."
A new start
The latest creation of serial Internet scammer Kim Dotcom, born Kim Schmitz, the cloud-storage service Mega.co.nz launched yesterday (Jan. 20) to much fanfare in Dotcom's adopted New Zealand.
It's a successor to Megaupload, another Dotcom venture that was shut down by U.S. and New Zealand authorities one year ago for allegedly encouraging and rewarding massive copyright infringement.
(Dotcom was arrested and his property seized, but his lawyers got him out of jail and back home. He's been convicted in his native Germany of other crimes.)
Mega positions itself as a rival to cloud-storage services Dropbox, Google Drive and Microsoft Skydrive. But it offers 50 GB of free storage space, many times more than the others. Subscription plans are available for 500 GB, 2 TB and 4 TB of storage.
Encrypted from the get-go
"Your 2048-bit RSA public/private key pair is now being created," the Mega site tells users when they first sign up. "To strengthen the key, we have collected entropy from your mouse movements and keystroke timings."
On the face of it, that's great. Automatic encryption would seem to solve an ongoing problem with cloud-based storage, which is that uploaded files aren't very secure or private.
Even more importantly, it absolves Mega of any liability about what its users upload and share. Administrators can't know what each file really is, because only the user will have the private key.
Users can share URLs that link to specific files, and public keys to decrypt them, but they're not allowed to share, or even upload, files that infringe a third party's copyright — not, of course, that Mega would know.
Your problem, not ours
There are a lot of inconveniences and unanswered questions regarding the encryption scheme, however.
First of all, your password — which Mega provides — is a crucial part of the equation. If you lose it, or you lose the encryption keys, you'll lose access to everything you've uploaded to Mega. (The site strongly urges you to keep copies of all uploaded files.)
Michael Lee at ZDNet thinks this means Mega users couldn't even change their passwords if they wanted or to needed to, but Chester Wisniewski, a senior security analyst with the British anti-virus firm Sophos, disagreed.
"The way most encryption tools work (like full disk encryption) is that your password is used to encrypt the real encryption key that you encrypted the data with," Wisniewski said. "This way you can change your password and still retain access to the encryption key originally used to protect the files."
"You don't really encrypt the files with the password, you encrypt a key which encrypts the files," explained Robert Graham, chief executive officer of Errata Security in Atlanta. "Changing the password thus only requires re-encrypting the key."
Storage and management of the private keys appear to be the responsibility of the user.
"No usable encryption keys ever leave the client computers (with the exception of RSA public keys )," Mega says on its Security & Privacy page.
In order to access his files from another computer, a user would have to copy the keys from the first computer. That's inconvenient but more secure than storing all the keys on Mega's servers.
It somewhat mitigates the threat posed by cross-site-scripting or social-engineering attacks that could be used to steal a user's password, or even take over a user's account.
Unless the attacker has access to the private encryption keys, he wouldn't be able to read the files. (He would be able to lock out the user, however.)
No choice but to trust us
But user-machine encryption method leaves each user's data susceptible to attacks on his own computer or browser.
Marlinspike suspects that Mega's built-in encryption isn't the site's real appeal.
"Users probably don't care that the cryptography is insecure," he said. "It seems more plausible that Mega got 500k users in 14 hours because those users are interested in using it as a file-sharing website, not because those users had all been longing for a place to securely store their secret data so that nobody could ever access it."
Even more importantly, Kobeissi pointed out on Twitter today (Jan. 21) that whether, or how, that encryption is deployed is entirely up to Mega.
"Mega can selectively disable crypto for targeted users without them noticing," he wrote. "Crypto also uses insufficient sources of randomness."
"In order for the user to notice, they would have to carefully examine all of the Mega website code being served to them," Kobeissi told TechNewsDaily. "Mega can do this [change the encryption parameters] selectively per username or per IP address, and unless careful examination is done every usage, it is very difficult to detect."
Furthermore, Kobeissi suspects that Mega's encryption isn't very strong.
"Mega claims to use mouse movement and key input to strengthen its encryption," he said. "However, keyboard input is not properly gathered, mouse input is not asked for at any point in time, and on top of this a very weak randomness function (called Math.random) is relied upon. This is a very bad combination."
So should users trust Mega with their data?
"Mega currently has some severe flaws that nobody should trust it at the moment," Graham said. "Maybe it'll get better."
"I wouldn't recommend storing your most sensitive information in the cloud, 2048 bit encryption or not," Wisniewski said. "How much trust do you grant to convicted felons under other circumstances?"