Dnia poniedziałek, 19 sierpnia 2013 08:02:38 Dan Staples pisze: > On Mon 19 Aug 2013 07:35:10 AM EDT, rysiek wrote: > > Dnia poniedziałek, 19 sierpnia 2013 13:12:35 Lodewijk andré de la porte pisze: > >> AES-128 is obviously not secure enough against NSA-type attacks. It works > >> against the random raid of the servers, the exploitative sysadmin and > >> perhaps even the remote exploit in the software. It also allows Google to > >> run storage nodes at a lower security level, which might help them smooth > >> operations. > >> > >> Nothing there to help against the agencies. > > > > But the algo is really completely irrelevant here. They could have used > > OMGWTF-8096 and it would still be irrelevant. If the keys are being held > > by > > Google -- and as far as I understand, they have to -- the whole encryption > > is moot. > > > > They don't have to give the government the keys. They can just hand over > > the cleartext... > > > > The point about running nodes at a lower security level is interesting, > > > > though. Maybe that's the whole point: > > - Hey Joe, if we encrypt user data (and hold the keys), we could care > > less > > > > about these nodes' security. > > > > - Hey, yeah, Jack, this seems to be a good idea; and we could sell it to > > > > people as a "security enhancement", esp. after PRISM. > > > > - Oooh, I like this. I'll be talking to PR dept right away! > > Not so sure we need to be quite so cynical. Obviously this encryption > is useless against state-level agencies, since data is encrypted > server-side and Google manages the keys ( although the fact that they > think they won't be obligated to hand the keys over to the gov't is > bullshit). However, what I think is important to see in this story, is > that Google is responding to pressure from the public to take privacy > and encryption more seriously. This is an opportunity for security and > privacy activists to push for real security solutions for user data > storage, that involve strong *client-side encryption* of data.
I see it purely as a PR stunt, a pre-emptive strike against services that are bound to spring-up, offering *real encryption* and *real security*. Now Google can say "we're already offering that" and good luck with explaining to John Doe why this is not quite the same... -- Pozdr rysiek
signature.asc
Description: This is a digitally signed message part.
