[liberationtech] Security / reliability of cryptoheaven ?
Nick Daly
nick.m.daly at gmail.com
Tue Oct 9 17:55:14 PDT 2012
On Tue, Oct 9, 2012 at 4:18 PM, Brian Conley wrote:
> Thanks for the interesting discussion, but its gone far afield from the
> original question.
>
> Does cryptoheaven seem like a reasonable tool to depend on for journalists
> or businesses requiring security for their communications?
The answer to this always depends on your threat model. In this case,
cryptoheaven holds your secret keys. That's a very important point:
On Tue, Oct 2, 2012 at 8:41 PM, Maxim Kammerer wrote:
> From Security FAQ [3]:
>
> “CryptoHeaven manages public keys automatically and securely. User
> simply allows others to communicate with him through the use of
> "Contacts" within the CryptoHeaven system. The system takes care of
> the exchange of the public keys automatically.”
>
> [3] http://www.cryptoheaven.com/Security/SecurityFAQ.htm
This means that anybody who can bring legal or technical pressure
(security holes) to bear on cryptoheaven can expose your secret keys:
your data's private to everybody but cryptoheaven and the folks they
decide to/are forced to share your data with. If you're writing nasty
things about the country in which cryptoheaven's incorporated (or
where their SSL CA is incorporated), I'd advise finding a different
service provider. For journalists who don't have a particular
geographic focus, the issue becomes even broader: they might have
different service providers (different identities) for different
places.
This issue is why the Certificate Patrol Firefox extension exists (to
address this at a few different levels) and why this paper was
produced:
http://files.cloudprivacy.net/ssl-mitm.pdf
Nick
More information about the liberationtech
mailing list