By Drew Wilson
Mega was able to open with a bang as an untold number of users rushed to create accounts on opening day – so much so that the traffic ultimately brought down the website for about 48 hours for some users. Now that the website is up and running, some are criticizing the websites security. With these criticisms circulating on some outlets, Mega has opted to post some clarifications.
It seems that the opening few weeks for Mega hasn’t been entirely smooth. Of course, with just about any start-up, that isn’t really much of a surprise especially when the start-up deals with something complex like modern security measures. Still, with so much attention directed to the new site, it might not be a surprise that it would be under such heavy scrutiny in the first place. Let’s dig into some of the latest on this front of the website.
From the beginning, Kim Dotcom marketed Mega as a “privacy” company. It boasted of security measures that could become the new standard for cloud storage companies. In fact, Mega allowed others to go through the source code for public feedback so as to improve security. For many, this could be considered very positive first steps for any start-ups – implementing new security measure ideas and allowing for third party feedback. For some, that is where the accolades ends.
One posting is from Ars Technica where the author commented that the code used to secure the website needs to be overhauled “post-haste”. Forbes, meanwhile, documented a security researcher who said that Mega can’t keep it’s security promises. TechweekEurope, meanwhile, said that Mega was “riddled” with security holes. Slashdot even joined in, pointing to an application called “MegaCracker” that was touted as something that could crack Mega passwords.
Mega, no doubt seeing these criticisms, decided to act to “clarify” some points being made. In a blog posting posted just today, Mega commented directly to some of the criticisms that were made against the company. One of the criticisms is that Mega doesn’t allow users to change their passwords. So if something were to go wrong and a user, say, forgets the password, all their data couldn’t be retrieved. Mega responded saying that this will change in the near future as security protocols will no doubt be developed. Another second response that was made was this:
“Without adding entropy, the “random” primes generated by math.random for use as RSA keys are really only pseudo-random and can be guessed.”
This is correct – and quite a strange statement to make after conceding that mouse and keyboard entropy are indeed used to enhance Math.random(). We will, however, add a feature that allows the user to add as much entropy manually as he sees fit before proceeding to the key generation.
A third criticism was that Mega uses SSL encryption and that if the SSL encryption could be broken, someone could break into Mega. Mega responded saying that if you could break SSL, you could break into things much more interesting than Mega itself. For us, this was a somewhat puzzling criticism. After we took a brief look at Wikipedia, we learned that HTTPS also uses SSL encryption. So, when you go to many banks and see HTTPS in the URL, there’s a pretty good possibility that SSL encryption was also being used. In fact, the Electronic Frontier Foundation (EFF) had a campaign called HTTPS everywhere that encouraged the use of SSL encryption. In their FAQ, they mention that HTTPS uses SSL encryption. When this campaign was in full swing, we weren’t aware of very many criticisms of the security implications, yet now that Mega uses SSL, red flags are being raised that maybe Mega isn’t very secure at all. One question might be, “How is SSL positive for something like HTTPS Everywhere, yet negative for Mega?”
A fourth exchange had the following:
One thing to point out in all of this is that Mega marketed itself as a privacy company from the beginning. As a result of this, some people’s expectations may have been raised and when they saw that their expectations weren’t met, criticism ensued. A good argument could be made that what we are seeing here may be, in part, self inflicted. If Mega marketed itself as a cloud storage company with some extra security features, it’s entirely possible that the criticisms wouldn’t have been so harsh. Secondly, security can be a very frustrating aspect for any website. How does one make a website highly secure while making it as user friendly as possible? Obviously, there needs to be some balancing that needs to take place because it’s entirely possible to make the worlds securest website that is very user unfriendly. Also, security is also always evolving and a standard pearl of wisdom that seems to have held true all this time is that nothing is ever 100% secure. It’s possible to make something secure that it’s extremely unlikely that someone would be able to break in, but making something forever impervious is not very realistic.
At this point, trying to make Mega secure is going to be a major undertaking. How Mega handles security from this point going forward will very likely play a role in the future of the company itself.
Drew Wilson on Twitter: @icecube85