[liberationtech] Is spideroak really zero-knowledge?

elijah elijah at riseup.net
Tue Aug 13 02:52:50 PDT 2013


On 08/13/2013 12:32 AM, Tony Arcieri wrote:

> On Mon, Aug 12, 2013 at 11:02 PM, Percy Alpha <percyalpha at gmail.com
> <mailto:percyalpha at gmail.com>> wrote:
> 
>     @Tony,
>     "The secret that keeps your data accessible to you alone is your
>     SpiderOak password, which is never transmitted to SpiderOak in its
>     original form." https://spideroak.com/engineering_matters
> 
> 
> Again, they seem to be talking about client-side encryption here. A
> zero-knowledge proof around a password looks a bit more like this:
> 
> https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol#Protocol
> 
> Short of implementing something like SRP they don't have a true "zero
> knowledge" system IMO

Curious, they used to actually include some notes on how they use a zero
knowledge proof for authentication, but it has been taken down.
The Wayback Machine has the old text:

http://web.archive.org/web/20130430135938/https://spideroak.com/engineering_matters

Perhaps they changed how they do authentication.

-elijah
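As an added illustration of the distinction Tony draws above (this is example code written for this page, not anything from SpiderOak, the archived engineering page, or anyone in the thread), here is an SRP-6a exchange in Python. It shows what a password-based zero-knowledge login actually involves: the server stores only a salt and a verifier, the password itself never crosses the wire in any form, and both sides arrive at the same session key only when the client knows the password. The group parameters are an assumption for the example (the 1024-bit MODP prime from RFC 2409, Oakley Group 2, with g = 2, and SHA-256 as the hash); the username and passwords are constructed values.

```python
"""SRP-6a (RFC 5054 style) in pure Python: a password-authenticated key exchange.

Example code for illustration; not SpiderOak's implementation. Group parameters
are the 1024-bit MODP prime from RFC 2409 (Oakley Group 2) with g = 2 (assumed
for this example); the hash is SHA-256. The server never sees the password."""
import hashlib
import secrets

N = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8  # 128 bytes


def pad(n):
    """Big-endian encoding padded to the byte length of N (the PAD() of RFC 5054)."""
    return n.to_bytes(NLEN, "big")


def sha(data):
    return hashlib.sha256(data).digest()


def H(*parts):
    """SHA-256 over the concatenated parts, read as an integer."""
    return int.from_bytes(sha(b"".join(parts)), "big")


def is_probable_prime(n, rounds=16):
    """Miller-Rabin; used here only to sanity-check that N is a safe prime."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


K_MULT = H(pad(N), pad(g))  # SRP-6a multiplier k = H(N | PAD(g))


def derive_x(salt, username, password):
    """x = H(salt | H(username ":" password)); computed only on the client."""
    return H(salt, sha(f"{username}:{password}".encode()))


def register(username, password):
    """Enrolment on the client. The server receives and stores only (salt, v)."""
    salt = secrets.token_bytes(16)
    v = pow(g, derive_x(salt, username, password), N)
    return salt, v


def authenticate(username, password, salt, v):
    """One SRP-6a login. Returns (client_ok, server_ok, keys_match).

    Client side uses only the typed password; server side uses only (salt, v).
    On a failed client proof the server aborts, so every flag is False."""
    # Client -> Server: username, A = g^a
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    if A % N == 0:                      # server must reject A == 0 mod N
        raise ValueError("bad A")
    # Server -> Client: salt, B = k*v + g^b
    b = secrets.randbelow(N - 2) + 1
    B = (K_MULT * v + pow(g, b, N)) % N
    if B == 0:                          # client must reject B == 0 mod N
        raise ValueError("bad B")
    u = H(pad(A), pad(B))               # scrambling parameter, both sides
    if u == 0:
        raise ValueError("bad u")
    # Client: S = (B - k*g^x)^(a + u*x)
    x = derive_x(salt, username, password)
    S_c = pow((B - K_MULT * pow(g, x, N)) % N, a + u * x, N)
    K_c = sha(pad(S_c))
    # Server: S = (A * v^u)^b -- identical to S_c only if x matches the verifier
    S_s = pow(A * pow(v, u, N), b, N)
    K_s = sha(pad(S_s))
    # Mutual proofs: M1 = H(H(N) xor H(g) | H(I) | s | A | B | K), M2 = H(A | M1 | K)
    hn_xor_hg = bytes(p ^ q for p, q in zip(sha(pad(N)), sha(pad(g))))

    def m1(K):
        return sha(hn_xor_hg + sha(username.encode()) + salt + pad(A) + pad(B) + K)

    M1_client = m1(K_c)
    if not secrets.compare_digest(M1_client, m1(K_s)):
        return False, False, False      # server aborts; no M2 is sent
    M2_server = sha(pad(A) + M1_client + K_s)
    client_ok = secrets.compare_digest(M2_server, sha(pad(A) + M1_client + K_c))
    return client_ok, True, K_c == K_s


if __name__ == "__main__":
    assert is_probable_prime(N) and is_probable_prime((N - 1) // 2)
    s, v = register("alice", "correct horse")   # constructed credentials
    print("right password:", authenticate("alice", "correct horse", s, v))
    print("wrong password:", authenticate("alice", "battery staple", s, v))
```

The point to take from it is which values exist where: the client computes x from the password and keeps it; the server holds v = g^x and learns nothing that lets it run the login as the user or recover the password short of a dictionary attack on v. A scheme that merely hashes the password on the client and sends the hash is not this; the transmitted hash becomes the password as far as the server is concerned, which is why "never transmitted in its original form" on its own says nothing about zero knowledge.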


