[liberationtech] Is spideroak really zero-knowledge?

Patrick Baxter patch at cs.ucsb.edu
Tue Aug 13 03:07:27 PDT 2013


They've also been working on an open source version of their client
and server software called crypton (https://crypton.io/)

It implements the protocol originally listed on their site as Elijah
pointed out with the wayback machine.

On Tue, Aug 13, 2013 at 2:52 AM, elijah <elijah at riseup.net> wrote:
> On 08/13/2013 12:32 AM, Tony Arcieri wrote:
>
>> On Mon, Aug 12, 2013 at 11:02 PM, Percy Alpha <percyalpha at gmail.com
>> <mailto:percyalpha at gmail.com>> wrote:
>>
>>     @Tony,
>>     "The secret that keeps your data accessible to you alone is your
>>     SpiderOak password, which is never transmitted to SpiderOak in its
>>     original form." https://spideroak.com/engineering_matters
>>
>>
>> Again, they seem to be talking about client-side encryption here. A
>> zero-knowledge proof around a password looks a bit more like this:
>>
>> https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol#Protocol
>>
>> Short of implementing something like SRP they don't have a true "zero
>> knowledge" system IMO
>
> Curious, they used to actually include some notes on how they use a zero
> knowledge proof for authentication, but it has been taken down.
> The Wayback Machine has the old text:
>
> http://web.archive.org/web/20130430135938/https://spideroak.com/engineering_matters
>
> Perhaps they changed how they do authentication.
>
> -elijah
> --
> Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu.
