As a secure online storage provider, Wuala employs an elaborate encryption scheme to ensure the privacy of our user's data. Since this encryption process is quite complex, I'd like to give you my recommendations on which texts you should read in order to understand the technology behind Wuala.
For Beginners
For starters our security page gives you a good overview. If you want to know more, be sure to read 'Wuala's Security in a Nutshell' or our our latest posting 'Wuala's Encryption For Dummies', which is a great introductory post aimed at giving an easy, but in-depth overview about how Wuala handles uploaded and shared files. Further, be sure to look at this article and this article, both highlightning Wuala's security.
For Intermediate Users
In 'Why Encryption Matters' our CTO explains why Wuala uses client-side encryption and why this is important. In his lunch talk 'Cloud Storage Security' Luzius talks about data security (in Germany only).
For Advanced Users
For advanced users, I highly recommend the publication 'Cryptree'. Cryptree is a cryptographic tree structure which facilitates access control in file systems operating on untrusted storage. In addition, you could also watch the Google Tech Talk explaining the technology behind Wuala.
The Official Wuala Blog. News. Updates. Tips & Tricks.
There is one thing that I don't undestand (I tried to read the Cryptree pdf but is far beyond my knowledge).
ReplyDeleteIf I upload a file, and then make the folder public (completely public, not shared), I presume that my client send the key to your servers, so the files in the folder can be decrypted and anyone can download it with a browser.
Later, if I make the folder private again, what happen? Forget for a while that you have the file in clear, so we must assume that the security of that file is compromised definitely. I think that the most secure thing to do would be delete the file on the server, and upload again, so it is encrypted on the client with a new key. But I noted that the process is istantaneous even for big files, so clearly the file are not uploaded again. I thought at 3 possible scenarios:
1) the client create a new key, send it to the servers and the servers re-encrypt the file. Not secure, as you know the key.
2) the server create a new key, re-encrypt the file and send the key to the client. Not secure, as you know the key.
3) the server maintain the original encrypted file, and simply delete the copy in clear. Not secure, as you know the key (my client sent it when making the file public).
So I must assume that if a file become public at a certain point, that file security is compromised forever.
My assumptions are correct or I'm wrong? Can you clarify this point?
In every case, Wuala is great!
@Fabio: I'll answer your questions in the comment section of: http://wualablog.blogspot.com/2011/04/wualas-encryption-for-dummies.html
ReplyDeleteI like these blog posts about security. They also come at the right time with all the controversy surrounding Dropbox... Wuala is often suggested as an alternative ;)
ReplyDeletehttp://www.theregister.co.uk/2011/05/16/dropbox_ftc_not_good_enough/
Very interesting reading, especially in the light of:
ReplyDeleteDropbox caught with its finger in the cloud cookie jar
Online file storage and sharing site Dropbox admits that it can see the data you've stored. Oops...
http://www.infoworld.com/t/data-security/dropbox-caught-its-finger-in-the-cloud-cookie-jar-179
plz delete the video which still speak about trading
ReplyDeleteThere's a lot of documentation about security and encryption but it would be good to have independent audit and certification of both the methods employed and the client software code. An opensource approach would provide the best assurance for the community to be sure Wuala does what you say it does, and there are no hidden security defects or traps.
ReplyDelete