-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Computing on a device you have full control over is not necessarily
secure, and offloading everything onto a machine (or set of machines)
that you have no real control over probably won't improve your security.
There's a lot of money to be made by people who want to convince you
otherwise. Caveat lector.
Incidentally, a new set of attacks (and related vulnerabilities) was
released today:
Abstract: http://eprint.iacr.org/2014/248
Paper: http://eprint.iacr.org/2014/248.pdf
"Here we show that AES in a number popular cryptographic libraries
including OpenSSL, PolarSSL and Libgcrypt are vulnerable to Bernstein’s
correlation attack when run in Xen and VMware (bare metal version) VMs,
the most popular VMs used by cloud service providers (CSP) such as
Amazon and Rackspace. We also show that the vulnerability persists even
if the VMs are placed on different cores in the same machine. The
results of this study shows that there is a great security risk to AES
and (data encrypted under AES) on popular cloud services."
A quick search for [xen vps hosting] leads to 364,000 results. And of
course most of these are pages from service providers, not the websites
they host. Think of all the sites that are hosted on these thousands of
service providers (or even just Amazon/Rackspace/Linode/Gandi) and you
start to scratch the surface of why cloud security is still so tricky.
best,
Griffin
PGP: 879B DA5B F6B2 7B61 2745 0A25 03CF 4A0A B3C7 9A63
emoji: ᕕ(ᐛ)ᕗ
On 2014-04-22 07:47, Caspar Bowden (lists) wrote:
On 17/04/14 20:29, David Solomonoff wrote:
No longer confined behind a locked down private data center or
hidden under the end user's bed, a virtual FreedomBox can finally
escape to the clouds.
Apropos the blog, Mylar is cool, but doesn't use FHE. It sends the
Cloud conventionally encrypted blobs to and fro - and the Client does
all the work (thus neutralizing main vaunted benefit of Cloud, elastic
and parallel CPU power). It also uses an encrypted search technique
for indexing (which is also cool)
-----BEGIN PGP SIGNATURE-----
Version: OpenPGP.js v0.5.1
Comment: http://openpgpjs.org
wsBcBAEBCAAQBQJTVq69CRADz0oKs8eaYwAAbnkH/0HbKOWo5yo/j/ViHTV4
Q0k4cs0I6qIXBmIP3KNXkE9BdEjpXQg05hfvgQYbmw2P4YIbphB2YMrEH43l
fVth5HMdfDiRll1TzPoQrnGcREZVch0oITwiUwaKpg/j3wyFndZg+FvMI2Wm
651BF5xKQQaD2sBlAq4foYLCyEsJ33P3Vl84hs4UyutJVLRkId5iMFANrey6
qIpCrbT15ImG1/YQXSerzsD/bWC38HJrOZqvOCvJxmSEJidDWeqdZQvd8Dfp
+VSs2Y+XxedlVFzPjla2IssgdFtcSfFvX09O0GJJn22ruYKV+quoraqwjaaU
rAaqh4b5nVUTe/JCkesJgec=
=rwxf
-----END PGP SIGNATURE-----
--
Liberationtech is public & archives are searchable on Google. Violations of
list guidelines will get you moderated:
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change
to digest, or change password by emailing moderator at [email protected].
