Loading Profile...
Bad privacy due to hashing unencrypted files before upload
Wuala privacy has a giant hole.
It seems that Wuala creates checksums/hashes of unencrypted files before it uploads them. You can try it yourself. Just take some popular Blender Video and upload it. It will be up right away without long uploads.
This leads to a big privacy hole. If someone were to get access to Caleidos servers he could search the database of hashes to find people with certain files.
Why isn't Wuala just encrypting files with my own unique key and then uploading them? I get that you save a lot of space this way, but this isn't good privacy anymore.
It seems that Wuala creates checksums/hashes of unencrypted files before it uploads them. You can try it yourself. Just take some popular Blender Video and upload it. It will be up right away without long uploads.
This leads to a big privacy hole. If someone were to get access to Caleidos servers he could search the database of hashes to find people with certain files.
Why isn't Wuala just encrypting files with my own unique key and then uploading them? I get that you save a lot of space this way, but this isn't good privacy anymore.
I’m sad
1
person has this problem
I have this problem, too!
Tell me when someone solves it.
The more people who report this problem, the more it gets noticed.
The more people who report this problem, the more it gets noticed.
Create a customer community for your own organization
Plans starting at $19/month
-
Inappropriate?Hi Kragil,
pls use https://forum.wuala.com/ for your next question. Not alot of people are reading here anymore. ;)
The crypttreepaper descripe, that the files itself do not contain any link to users who have access zu them, except a counter that at least one user have access to it (to delete the file from the servers when no user have access anymore, eg. have deleted the file from its account).
The (encrypted stored) metadatas of your Wuala-user enable you to access your (also encrypted) personal Filename of a givven files along with the hash of that file and the key of that file. So, when you access a file, Wuala find it with the hash name und encrypt it.
On the other hand this says, that if someone cracks the Wuala Filebase, he can see that a file with a givven hash is online and that x-users have access to it, but he can ́t see the usersname or any code who can be used to find out which users that are. In this way, your privacy is not endangered.
This system also allows to find a already exitend file in Wuala when you upload it from your system, so that you do not need to upload it again and get immendiately access to it. Tha password is build out of the file content during encryption. All you have to do to get acces to a files is to have a unencrypted file which creates the same hash/archiv (e.g. a bit-identically copy). The file-password will be the same and you can get access to it without anyone can know which users have acces to it or the need of some privacy-problematic key transfer.
This is how I have read the cryptree paper at http://www.wuala.com/de/learn/technology .
-
Inappropriate?tldr;
The hash is of the encrypted data.
The same data is always encrypted the same way.
You cannot know how to decrypt the file unless you knew the contents at some point (you uploaded it) or were given the key (groups,friends).
The decryption key is stored inside your encrypted account data that is only decrypted on the client (Caleido cannot decrypt this) (This is also why you cannot "reset" your password).
The security rick becomes this: Someone who ALREADY has an EXACT BIT-FOR-BIT copy of the file could in theory locate someone else who has the file. I'm not sure how the maintenance procedure works, but this would require them to poison the network and place themselves as a storage node for a piece of the file. Then wait for the file to be downloaded. But if I'm remembering correctly, this could also result in false positives do to some autonomous activity of the network.
EMPLOYEE
EMPLOYEE
