Re: [liberationtech] Is spideroak really zero-knowledge?
@Tony, "The secret that keeps your data accessible to you alone is your SpiderOak password, which is never transmitted to SpiderOak in its original form."

https://spideroak.com/engineering_matters

--
Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Is spideroak really zero-knowledge?
On Mon, Aug 12, 2013 at 11:02 PM, Percy Alpha <percyal...@gmail.com> wrote:
> @Tony, "The secret that keeps your data accessible to you alone is your SpiderOak password, which is never transmitted to SpiderOak in its original form."
> https://spideroak.com/engineering_matters

Again, they seem to be talking about client-side encryption here. A zero-knowledge proof around a password looks a bit more like this:

https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol#Protocol

Short of implementing something like SRP they don't have a true zero-knowledge system IMO.
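To make the distinction in the message above concrete, here is a complete SRP-6a login with both sides running in one Python process. This is example code written for this page; it is not SpiderOak's, Crypton's, or any list member's code. The function names (`register`, `login`, ...), the sample user and password, and the use of SHA-256 in place of the RFC's SHA-1 are choices made here; the group parameters are the 1024-bit (N, g) from RFC 5054 Appendix A as recalled, so check them against the RFC before reusing them.

```python
"""SRP-6a in one process: what a zero-knowledge password proof looks like.

The server stores a verifier v = g^x, never the password. During login the
password never crosses the wire in any form, and the server only learns
whether the client's proof matches. Added example, not project code.
Demo only: 1024-bit group, simplified proof message, no transport security.
"""
import hashlib
import hmac
import secrets

# 1024-bit (N, g) from RFC 5054 Appendix A, copied from memory: verify it
# against the RFC before reuse and prefer a 2048-bit or larger group.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E8"
    "6072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0"
    "E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D49"
    "82559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9A"
    "FD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
HASH = hashlib.sha256
N_LEN = (N.bit_length() + 7) // 8  # 128 bytes


def pad(n: int) -> bytes:
    """Fixed-width big-endian encoding, as RFC 5054 requires before hashing."""
    return n.to_bytes(N_LEN, "big")


def H_int(*parts: bytes) -> int:
    return int.from_bytes(HASH(b"".join(parts)).digest(), "big")


# SRP-6a multiplier k = H(N | PAD(g)); it blocks the "two guesses per run"
# attack that plain SRP-3 allowed.
k = H_int(pad(N), pad(g))


def private_x(salt: bytes, username: str, password: str) -> int:
    """x = H(salt | H(username ':' password)). Computed only on the client."""
    inner = HASH(f"{username}:{password}".encode()).digest()
    return H_int(salt, inner)


def register(username: str, password: str) -> tuple[bytes, int]:
    """Client side, once. The server stores (salt, v) and nothing else."""
    salt = secrets.token_bytes(16)
    v = pow(g, private_x(salt, username, password), N)
    return salt, v


def client_key(username: str, password: str, salt: bytes,
               a: int, A: int, B: int) -> bytes:
    """Client: S = (B - k*g^x)^(a + u*x) mod N, then K = H(S)."""
    if B % N == 0:
        raise ValueError("server sent B = 0 mod N")
    u = H_int(pad(A), pad(B))
    if u == 0:
        raise ValueError("u = 0, abort")
    x = private_x(salt, username, password)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    return HASH(pad(S)).digest()


def server_key(v: int, b: int, A: int, B: int) -> bytes:
    """Server: S = (A * v^u)^b mod N, then K = H(S). Needs only v, never x."""
    if A % N == 0:
        raise ValueError("client sent A = 0 mod N")
    u = H_int(pad(A), pad(B))
    S = pow((A * pow(v, u, N)) % N, b, N)
    return HASH(pad(S)).digest()


def login(username: str, password: str, salt: bytes, v: int) -> tuple[bool, bytes]:
    """One protocol run. Returns (server_accepted, every byte sent on the wire)."""
    wire: list[bytes] = []
    # C -> S: identity and ephemeral public value A = g^a
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    wire += [username.encode(), pad(A)]
    # S -> C: salt and ephemeral public value B = k*v + g^b
    b = secrets.randbelow(N - 2) + 1
    B = (k * v + pow(g, b, N)) % N
    wire += [salt, pad(B)]
    # Each side derives K from its own secret (a + password, or b + v)
    K_client = client_key(username, password, salt, a, A, B)
    K_server = server_key(v, b, A, B)
    # C -> S: proof M1 = H(A | B | K) (simplified; RFC 2945 uses a longer form)
    M1 = HASH(pad(A) + pad(B) + K_client).digest()
    wire.append(M1)
    expected = HASH(pad(A) + pad(B) + K_server).digest()
    return hmac.compare_digest(M1, expected), b"".join(wire)


if __name__ == "__main__":
    salt, v = register("alice", "correct horse battery")  # constructed sample
    ok, wire = login("alice", "correct horse battery", salt, v)
    bad, _ = login("alice", "wrong horse", salt, v)
    print("right password accepted:", ok)
    print("wrong password accepted:", bad)
    print("password bytes on the wire:", b"correct horse battery" in wire)
```

Run as a script, the server accepts the right password, rejects the wrong one, and the transcript (identity, A, salt, B, M1) never contains the password or anything derived from it alone. Two caveats a practitioner would add: the stored verifier v still permits an offline dictionary attack if the server database leaks, so salting and a slow password hash in place of the plain H for x still matter; and a password proof of this kind is a separate property from encrypting the data client-side, which is what the "never transmitted in its original form" sentence quoted above is describing.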
Re: [liberationtech] Is spideroak really zero-knowledge?
On 08/13/2013 12:32 AM, Tony Arcieri wrote:
> On Mon, Aug 12, 2013 at 11:02 PM, Percy Alpha <percyal...@gmail.com> wrote:
>> @Tony, "The secret that keeps your data accessible to you alone is your SpiderOak password, which is never transmitted to SpiderOak in its original form."
>> https://spideroak.com/engineering_matters
>
> Again, they seem to be talking about client-side encryption here. A zero-knowledge proof around a password looks a bit more like this:
> https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol#Protocol
> Short of implementing something like SRP they don't have a true zero-knowledge system IMO.

Curious, they used to actually include some notes on how they use a zero knowledge proof for authentication, but it has been taken down. Waybackmachine has the old text:

http://web.archive.org/web/20130430135938/https://spideroak.com/engineering_matters

Perhaps they changed how they do authentication.

-elijah
Re: [liberationtech] Is spideroak really zero-knowledge?
They've also been working on an open source version of their client and server software called crypton (https://crypton.io/). It implements the protocol originally listed on their site, as Elijah pointed out with the wayback machine.

On Tue, Aug 13, 2013 at 2:52 AM, elijah <eli...@riseup.net> wrote:
> On 08/13/2013 12:32 AM, Tony Arcieri wrote:
>> On Mon, Aug 12, 2013 at 11:02 PM, Percy Alpha <percyal...@gmail.com> wrote:
>>> @Tony, "The secret that keeps your data accessible to you alone is your SpiderOak password, which is never transmitted to SpiderOak in its original form."
>>> https://spideroak.com/engineering_matters
>>
>> Again, they seem to be talking about client-side encryption here. A zero-knowledge proof around a password looks a bit more like this:
>> https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol#Protocol
>> Short of implementing something like SRP they don't have a true zero-knowledge system IMO.
>
> Curious, they used to actually include some notes on how they use a zero knowledge proof for authentication, but it has been taken down. Waybackmachine has the old text:
> http://web.archive.org/web/20130430135938/https://spideroak.com/engineering_matters
> Perhaps they changed how they do authentication.
>
> -elijah
Re: [liberationtech] Is spideroak really zero-knowledge?
Oh. Yes. I definitely remember reading "User Authentication Process" a few weeks ago. That's why I feel like they implement the zero-knowledge password proof. Why did they take it down? NSA on the move already?

Percy Alpha (PGP: https://en.greatfire.org/contact#alt)
GreatFire.org Team

On Tue, Aug 13, 2013 at 2:52 AM, elijah <eli...@riseup.net> wrote:
> On 08/13/2013 12:32 AM, Tony Arcieri wrote:
>> On Mon, Aug 12, 2013 at 11:02 PM, Percy Alpha <percyal...@gmail.com> wrote:
>>> @Tony, "The secret that keeps your data accessible to you alone is your SpiderOak password, which is never transmitted to SpiderOak in its original form."
>>> https://spideroak.com/engineering_matters
>>
>> Again, they seem to be talking about client-side encryption here. A zero-knowledge proof around a password looks a bit more like this:
>> https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol#Protocol
>> Short of implementing something like SRP they don't have a true zero-knowledge system IMO.
>
> Curious, they used to actually include some notes on how they use a zero knowledge proof for authentication, but it has been taken down. Waybackmachine has the old text:
> http://web.archive.org/web/20130430135938/https://spideroak.com/engineering_matters
> Perhaps they changed how they do authentication.
>
> -elijah
[liberationtech] Is spideroak really zero-knowledge?
Spideroak claims to use client-side encryption for the desktop client but does not use a zero-knowledge password proof for the mobile apps or the website portal. In light of Lavabit, Spideroak could also be forced to intercept passwords if users ever use the mobile apps or website login while being gagged. Then all encrypted data will be retroactively compromised.

Percy Alpha (PGP: https://en.greatfire.org/contact#alt)
GreatFire.org Team
Re: [liberationtech] Is spideroak really zero-knowledge?
Percy,

From https://spideroak.com/mobile:

"How Mobile Works with SpiderOak's Zero Knowledge Policy

Here's the deal: when accessing your data via the SpiderOak website or on a mobile device you must enter your password. The password will then exist in the SpiderOak server memory for the duration of your browsing session. For this amount of time your password is stored in encrypted memory and never written to an unencrypted disk. The moment your browsing session ends your password is destroyed and no further trace is left.

The instance above represents the only situation where your data could potentially be readable to someone with access to the SpiderOak servers. That said, no one except a select number of SpiderOak employees will ever have access to the SpiderOak servers. To fully retain our 'zero-knowledge' privacy, we recommend you always access your data via the SpiderOak desktop application which downloads your data before decrypting it locally."

On Tue, Aug 13, 2013 at 3:10 PM, Percy Alpha <percyal...@gmail.com> wrote:
> Spideroak claims to use client-side encryption for the desktop client but does not use a zero-knowledge password proof for the mobile apps or the website portal. In light of Lavabit, Spideroak could also be forced to intercept passwords if users ever use the mobile apps or website login while being gagged. Then all encrypted data will be retroactively compromised.
>
> Percy Alpha (PGP: https://en.greatfire.org/contact#alt)
> GreatFire.org Team
Re: [liberationtech] Is spideroak really zero-knowledge?
@Tom,

> For this amount of time your password is stored in encrypted memory

but to actually use the key, the key has to be in plain-text form for some time, during which it can be (forced to be) intercepted. If they can force Lavabit to intercept users' emails, why can't they ask Spideroak to secretly intercept users' mobile app login?
Re: [liberationtech] Is spideroak really zero-knowledge?
@Tony, they claim to use a zero-knowledge password proof for the desktop client, but not for mobile or website. I wonder why, not accepted by the App Store?
Re: [liberationtech] Is spideroak really zero-knowledge?
On Tue, Aug 13, 2013 at 1:35 AM, Percy Alpha <percyal...@gmail.com> wrote:
> @Tom,
>> For this amount of time your password is stored in encrypted memory
> but to actually use the key, the key has to be in plain-text form for some time, during which it can be (forced to be) intercepted. If they can force Lavabit to intercept users' emails, why can't they ask Spideroak to secretly intercept users' mobile app login?

They (or somebody else) can. So don't use mobile login.

Curious why the regular client logic can't run on mobile. Too intensive to decrypt metadata maybe?
Re: [liberationtech] Is spideroak really zero-knowledge?
On Mon, Aug 12, 2013 at 10:36 PM, Percy Alpha <percyal...@gmail.com> wrote:
> @Tony, they claim to use a zero-knowledge password proof for the desktop client, but not for mobile or website. I wonder why, not accepted by the App Store?

Can you please link specifically to what you're talking about? Their marketing material is littered with the words "zero-knowledge" but as far as I have ever seen the intended meaning is "we encrypt stuff client-side before it hits the network".

--
Tony Arcieri
Re: [liberationtech] Is spideroak really zero-knowledge?
I'm not saying they can't. I'm saying they acknowledge it, although the way they do makes it seem as if it's a non-issue. I don't think it is. I prefer tahoe-lafs.

On Tue, Aug 13, 2013 at 3:35 PM, Percy Alpha <percyal...@gmail.com> wrote:
> @Tom,
>> For this amount of time your password is stored in encrypted memory
> but to actually use the key, the key has to be in plain-text form for some time, during which it can be (forced to be) intercepted. If they can force Lavabit to intercept users' emails, why can't they ask Spideroak to secretly intercept users' mobile app login?