undefined | Better HN

0 pointsnly12y ago0 comments

This didn't need proving. They send you JavaScript code, which you trust to encrypt your files. Without a built-in, well-audited, static browser mechanism no web service can ever be trusted with confidential data.

If the Feds decide to raid MEGA again they can simply modify their server side script to recognise your IP and serve you bad JavaScript from the MEGA domain, revealing your keys the next time you login. Nobody would be any the wiser.

Personally I'm waiting for JS crypto to take off big time and idiots to start using it from a CDN.

0 comments

the_mitsuhiko12y ago

> Without a built-in, well-audited, static browser mechanism no web service can ever be trusted with confidential data

That's why mega has a separate app: https://mega.co.nz/#chrome

nhm12y ago

The article isn't proving anything, it's an example of how a known problem affects MEGA. It's saying encrypt your files first, because trusting MEGA (or anyone who uses that kind of encryption) is not enough.

nlyOP12y ago

You're right, this just highlights the nature of the site in a very effective way. The message here is nobody should be surprised.

traskjd12y ago

Sure, but don't you think it's important that they make this clear?

So far they market heavily on the fact that it's secure when this is simply not true.

If you read their security page, they do say you shouldn't use it if you don't trust them. But that's about it for any warning that you're basically sitting there naked.

I know no security system is entirely secure, but they aren't generally targeting security minded folks, they're targeting the layman who reads what they say and then thinks they're secure due to their weasel worded security page.

nlyOP12y ago

Meh. Should every site using HTTPS make it clear that hundreds of CAs whom you've never heard of have the capability to perform a MITM?

At least with MEGA you know the security framework is something they've engineered themselves, so you know you have to trust them. With SSL/TLS you're deferring to authority simply because it's convenient.

e12e12y ago

You still have to trust SSL, in the case of MEGA, COMODO is their CA, and they appear to use 128bit RC4.

Of course, if you've not cleaned your trusted certificates, someone like CNic can just MTIM you.

j / k navigate · click thread line to collapse

0 pointsnly12y ago0 comments

Personally I'm waiting for JS crypto to take off big time and idiots to start using it from a CDN.

0 comments

the_mitsuhiko12y ago

> Without a built-in, well-audited, static browser mechanism no web service can ever be trusted with confidential data

That's why mega has a separate app: https://mega.co.nz/#chrome

nhm12y ago

nlyOP12y ago

You're right, this just highlights the nature of the site in a very effective way. The message here is nobody should be surprised.

traskjd12y ago

Sure, but don't you think it's important that they make this clear?

So far they market heavily on the fact that it's secure when this is simply not true.

If you read their security page, they do say you shouldn't use it if you don't trust them. But that's about it for any warning that you're basically sitting there naked.

nlyOP12y ago

Meh. Should every site using HTTPS make it clear that hundreds of CAs whom you've never heard of have the capability to perform a MITM?

e12e12y ago

You still have to trust SSL, in the case of MEGA, COMODO is their CA, and they appear to use 128bit RC4.

Of course, if you've not cleaned your trusted certificates, someone like CNic can just MTIM you.

j / k navigate · click thread line to collapse