Keeping Hosted Data Secure from Its Host
As more and more applications move online, the issue of keeping secret data secret remains important. Lots of attention is paid to keeping third parties from snooping or stealing your hosted data — force SSL for your Gmail connection — but much less attention is paid to keeping data hidden from the host.
Nobody seems to mind Gmail’s bots reading through their email, and it seems to be widely okay that, for the convenience of putting your data on someone else’s server, you trust them to play nice with it.
That seems like a bizarrely trusting security model. It reminds me of the trusting design of SMTP, which worked great at first but, as it turned out, did nothing to inhibit spam. I think distrust should be the default.
When I played around with gmailfs, a clever hack that lets you mount all six-plus gigs of free Gmail storage as a Linux filesystem, I didn’t like the idea of Google having my data. So I wrapped it in encfs, which transparently encrypted everything I put on Google’s servers.
Likewise, when backing up to a third-party host, I use duplicity, which encrypts incremental archives.
Before smart people would consider keeping their password database remotely hosted, they’d want to feel pretty secure. Clipperz, an online password manager, manages that by doing JavaScript encryption, in the browser, so that the host never has the unencrypted data, ever. They can’t use it themselves, they can’t leave it on a bus, and they can’t be subpoenaed for it.
The “zero-knowledge” algorithm and protocol are designed to be fully auditable by the user. Here is a detailed explanation of how it works. The JavaScript crypto library they use is open-licensed and freely available.
I’d love to see that sort of security become standard for any web application that stores user data! Till then, there’s FireGPG.
See Also:
