"99% of the police make the rest of them look bad." - Jacob Appelbaum
Home Services Downloads About
Posted on 2013-01-21 by IceBear

Since the illegal closure and take-down of Megaupload in January, 2012 people were anxious what might happen with the case and whether a new Megaupload will follow. Kim Dotcom has already announced the relaunch of Megaupload in November, 2012 and an exact year after the raid the new Megaupload now simply called MEGA (MEGA Encrypted Global Access) has launched.

What MEGA supposedly makes different from every other file hosting service such as Dropbox, Google Drive and more is the built in and mandatory end-to-end encryption. A reason for them to implement this is of course so they can have plausible deniability and claim that they have no idea what kind of content is hosted on their service. A side product of that is also privacy for their users hence MEGA also calls itself "The privacy company". Is it really, though?

A quick look at the Security & Privacy page of their Help center shows this:

"All encryption is end-to-end. Data uploaded is encrypted on the uploading device before it is sent out to the Internet, and data downloaded is decrypted only after it has arrived on the downloading device. The client machines are responsible for generating, exchanging and managing the encryption keys. No usable encryption keys ever leave the client computers (with the exception of RSA public keys)." - MEGA Help center

That sounds pretty awesome. Real end-to-end encryption, that seems pretty safe to me. Let's take a closer look. They are kind enough to lay out their exact process with their MEGA API on the developers page. There it reads:

"Each user account uses a symmetric master key to ECB-encrypt all keys of the nodes it keeps in its own trees. This master key is stored on MEGA's servers, encrypted with a hash derived from the user's login password." - MEGA API

Eh? So, the master key is after all stored on MEGA's servers? I'm confused.

"In addition to the symmetric key, each user account has a 2048 bit RSA key pair to securely receive data. Its private component is stored encrypted with the user's symmetric master key." - MEGA API

What? So... the symmetric master key is stored on MEGA's servers albeit "encrypted with a hash derived from the user's login password". Well, they can grab my password every time I log on or simply save it in plain text in the first place. The private component of my RSA key pair is also stored on their servers albeit "encrypted with the user's symmetric master key", where we just stated why that is broken. But wait a minute. Didn't it clearly state "No usable encryption keys ever leave the client computers" in their Help center? Oh, I see. They are encrypted, hence they are obviously not "usable". Yes. That makes sense.

Now to be honest with you, I'm by no means an expert in cryptography nor have I checked any of their source code and what it actually does. But you can all get down to it with a simple assumption and raising one single question.

Let's assume all the encryption and decryption is in fact done on the client side only. How is it possible to simply switch browsers and/or computers and use all of the encryption and decryption functions without transferring any keys between them whatsoever? Because all of your keys are stored on their servers whether they are stored "encrypted with a hash derived from the user's login password" doesn't matter. They are stored there.

That concludes that in theory it is totally possible for them to decrypt all your files, whether they do that or not is up to your belief and imagination, the ability stands.

How does the upcoming case against MEGA look like? Judge: "Is it true that you actually were able to decrypt and read all the files hosted?" - Kim: "Yes, but we never did."

Real end-to-end encryption does not require you to trust the file hosting service. MEGA does.

"The privacy company"

MEGA fail.

Dynamically generated

2 unique sql queries
page executed in 400ms
load 0%

Served by dd6922
© myRL.net
Font Awesome SIL OFL 1.1 Dave Gandy