[liberationtech] Is spideroak really zero-knowledge?

Percy Alpha percyalpha at gmail.com
Tue Aug 13 15:32:37 PDT 2013


Oh. Yes. I definitely remember reading "User Authentication Process" a
few weeks ago. That's why I feel like they implement the zero-knowledge psw
proof.
Why did they take it down? NSA on the move already?

Percy Alpha (PGP <https://en.greatfire.org/contact#alt>)
GreatFire.org Team


On Tue, Aug 13, 2013 at 2:52 AM, elijah <elijah at riseup.net> wrote:

> On 08/13/2013 12:32 AM, Tony Arcieri wrote:
>
> > On Mon, Aug 12, 2013 at 11:02 PM, Percy Alpha <percyalpha at gmail.com> wrote:
> >
> >     @Tony,
> >     "The secret that keeps your data accessible to you alone is your
> >     SpiderOak password, which is never transmitted to SpiderOak in its
> >     original form." https://spideroak.com/engineering_matters
> >
> >
> > Again, they seem to be talking about client-side encryption here. A
> > zero-knowledge proof around a password looks a bit more like this:
> >
> > https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol#Protocol
> >
> > Short of implementing something like SRP they don't have a true "zero
> > knowledge" system IMO
>
> Curious, they used to actually include some notes on how they use a zero
> knowledge proof for authentication, but it has been taken down.
> Waybackmachine has the old text:
>
>
> http://web.archive.org/web/20130430135938/https://spideroak.com/engineering_matters
>
> Perhaps they changed how they do authentication.
>
> -elijah
>
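
Added example, not part of the original thread and not SpiderOak's code: a minimal SRP-6a exchange in Python, the protocol linked in Tony Arcieri's reply, showing that the server keeps only a salt and verifier and that neither the password nor its hash crosses the wire. The group (N, g), the hash construction and all function names are assumptions chosen for illustration; a deployment would use an RFC 5054 group and a slow password KDF for x.

```python
import hashlib
import secrets

# Assumption: demonstration group only. N is the Mersenne prime 2**521 - 1,
# not a vetted SRP group; deployments use the safe-prime groups of RFC 5054.
N, g = 2**521 - 1, 3

def H(*parts):
    """SHA-256 over length-prefixed ints/bytes, returned as an integer."""
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, int):
            p = p.to_bytes((p.bit_length() + 7) // 8 or 1, "big")
        h.update(len(p).to_bytes(4, "big") + p)
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier

def private_key(salt, user, password):
    """x: derived on the client only, never sent or stored server-side."""
    return H(salt, user.encode(), password.encode())

def register(user, password):
    """Client computes (salt, verifier); this is all the server keeps."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_key(salt, user, password), N)

def login(user, password, salt, v):
    """One SRP-6a run. Returns (values seen on the wire, server verdict)."""
    a = secrets.randbelow(N - 2) + 1          # client ephemeral secret
    A = pow(g, a, N)                          # client -> server
    if A % N == 0:
        raise ValueError("server must reject A = 0 mod N")
    b = secrets.randbelow(N - 2) + 1          # server ephemeral secret
    B = (k * v + pow(g, b, N)) % N            # server -> client (with salt)
    u = H(A, B)                               # scrambling parameter, both sides
    x = private_key(salt, user, password)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    M1 = H(A, B, S_client)                    # client -> server: proof of key
    S_server = pow(A * pow(v, u, N) % N, b, N)
    accepted = M1 == H(A, B, S_server)        # server checks the proof
    return {"salt": salt, "A": A, "B": B, "M1": M1}, accepted
```

Both sides run in one function here only so the exchange can be read top to bottom; in practice the client half and server half are separate processes that see only the wire values.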

