Kim Dotcom’s Mega.co.nz launched as the ‘Privacy Company’ with a special emphasis on the security of its users’ files. The company says that due to encryption, no one can access a user’s files hosted on Mega unless the user gives his permission.
In the wake of the NSA scandal the usefulness of encryption has really come to the forefront and MEGA is now placed to release encrypted messaging and email services utilizing similar technology. However, the company’s claims also mean that it becomes a target for those seeking to point out potential weaknesses in its system.
A few hours ago a software developer called Michael Koziarski released a new tool which he claims highlights a fundamental issue with the encryption mechanism implemented by Mega.
However, this is not the most controversial claim. Koziarski says that MEGA itself is able to grab a key and use it to access a user’s files.
“Your web browser trusts whatever it receives from MEGA, which means they can grab your master key whenever you visit their site and then use it to decrypt and read your files. You’d never know,” Koziarski explains.
The revelations provoked an exchange with MEGA programmer Bram Van der Kolk, who questioned how MEGA would stop anyone gaining access to a user’s computer.
“You seriously want MEGA to protect users against this?” he said.
“No, I want users to understand just how easily you could read all their files if you wanted to,” Koziarski responded.
“You mean how easily the user himself can read his own files. How exactly can an external attacker take advantage of this?” der Kolk questioned.
“So you agree MEGA is only secure against external attackers, that you can read my files if you wanted to?” Koziarski fired back.
Update: Both MEGA and Koziarski are preparing answers to our questions so those will be published here as soon as we have them.
Update 2: Comments from Michael Koziarski
By contrast, if you encrypt your files with PGP before uploading them, there’s nothing MEGA or anyone else can do to recover them. We already have the tools we need to [cure the problem].
I released MEGApwn to make it easier to show novice users how easily MEGA (or the Feds with a warrant) could circumvent the encryption if they wanted to. Everyone in the infosec industry already knew this.
Fundamentally the problem is that your browser will faithfully execute any code it downloads from mega.co.nz, and your browser has to download that code basically every time you visit the MEGA site.
MEGA have configured their web servers for SSL and HSTS, and don’t embed any third party code on their site, so it’s relatively secure against a 3rd party injecting code.
If they wanted to, any MEGA employee could include code which extracted your secret key and uploaded it to their servers. It wouldn’t warn you, it wouldn’t be obviously broken, you’d just never know. We know from the Hushmail case that courts will issue warrants compelling them to do so in some circumstances,
When you get down to the root of the issue, MEGA’s approach to cryptography is secure if, and only if, you trust MEGA not to extract your keys. From where i sit that’s not all that different from having to trust any other more traditional cloud storage provider not to read your files.
It’s important people understand that.
Update 3: Comments from Bram Van der Kolk of MEGA
1. If you have access to a computer, you can break MEGA (and everything else, too)
This problem is illustrated by a MEGA-specific browser bookmarklet that allows the victim to break into his or her own MEGA account. A more generalized approach is outlined in Brian Kaplan’s paper RAM is Key – Extracting Disk Encryption Keys From Volatile Memory. And, needless to say, if the victim installs remote monitoring software (such as a keylogger/screen grabber) on his machine, the potential security breach becomes pretty much all-encompassing.
There are two trust issues associated with on-the-fly code loading: How secure is the delivery mechanism? And will the service provider send me trojaned code upon receipt of e.g. a National Security Letter?
In addition, we are continuously monitoring our root and API server SSL certificates from a variety of points around the globe. Should any breach be detected, we will immediately shut down MEGA and only resume service once the situation is clarified.
The fundamental difference between traditional (server-side encrypting) and secure (client-side end-to-end encrypting) cloud storage providers is that the former can intercept all data of all users without the victims having a way of finding out, while the latter have to do something that is detectable on the client side.
If you are worried about the risks outlined above, you should use MEGA in a way that does not rely on code delivered on the fly.
We offer a browser extension (currently available for Chrome, coming soon for Firefox) that holds all of MEGA’s code locally. If you install a version that someone you trust has code-audited and turn off automatic updates, we cannot backdoor you even if we wanted to.
2.3.2 Using a client application
In a similar vein, non-autoupdating client applications that were written or audited by someone you trust are immune against dynamic backdooring.