Mega on Tuesday responded to industry criticism that its security features are not up to snuff. The company dismissed most of the allegations, though it conceded some points and will make improvements, most notably by adding the ability to change and reset your password.
While Mega did not say when they will be added, it did promise the following features “in the near future”:
- A password change feature will re-encrypt the master key with your new password and update it on its servers.
- A password reset mechanism will allow you to log back into your account, with all files being unreadable. Now, if you have any pre-exported file keys, you can import them to regain access to those files. On top of that, you could ask your share peers to send you the share-specific keys, but that’s it – the remainder of your data appears as binary garbage until you remember your password.
- A feature that allows the user to add as much entropy manually as he or she sees fit before proceeding to the key generation.
The first two are features that should have been included from the start. Currently, if you forget your password for Mega, you have no way to gain access to your files or folders, and if someone steals it, they can gain access to your files and folders while you are left helpless.
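The key hierarchy behind the password change and reset features described above, as an added Node.js example that is not Mega's code. It assumes scrypt and AES-128-GCM as stand-ins for the service's real KDF and cipher, and every function name is hypothetical.

```javascript
// Added illustration, not Mega's code. scrypt and AES-128-GCM are assumed
// stand-ins for the service's real KDF and cipher; all names are hypothetical.
const crypto = require('node:crypto');
// Encrypt `plain` under a 16-byte key; output is iv || tag || ciphertext.
function seal(key, plain) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-128-gcm', key, iv);
  const ct = Buffer.concat([c.update(plain), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
// Decrypt a seal() blob; throws on a wrong key or modified data.
function unseal(key, blob) {
  const d = crypto.createDecipheriv('aes-128-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}
// Password-derived key that wraps the master key (salt is kept with the account).
const kek = (password, salt) => crypto.scryptSync(password, salt, 16);
function createAccount(password) {
  const salt = crypto.randomBytes(16);
  const wrappedMaster = seal(kek(password, salt), crypto.randomBytes(16));
  return { salt, wrappedMaster, files: {} };
}
const unlock = (acct, password) => unseal(kek(password, acct.salt), acct.wrappedMaster);
// Each file gets a random 128-bit key, itself wrapped under the master key.
function upload(acct, masterKey, name, data) {
  const fileKey = crypto.randomBytes(16);
  acct.files[name] = { wrappedKey: seal(masterKey, fileKey), body: seal(fileKey, data) };
  return fileKey; // the value a user could export and keep offline
}
function readFile(acct, masterKey, name) {
  const f = acct.files[name];
  return unseal(unseal(masterKey, f.wrappedKey), f.body);
}
// Change: same master key re-wrapped under the new password; files untouched.
function changePassword(acct, oldPw, newPw) {
  const masterKey = unlock(acct, oldPw);
  acct.salt = crypto.randomBytes(16);
  acct.wrappedMaster = seal(kek(newPw, acct.salt), masterKey);
}
// Reset: old password unknown, so a fresh master key replaces the lost one.
function resetPassword(acct, newPw) {
  acct.salt = crypto.randomBytes(16);
  acct.wrappedMaster = seal(kek(newPw, acct.salt), crypto.randomBytes(16));
}
// After a reset, a pre-exported file key is re-wrapped under the new master key.
function importFileKey(acct, masterKey, name, fileKey) {
  acct.files[name].wrappedKey = seal(masterKey, fileKey);
}
```

After a reset, only files whose keys were exported beforehand decrypt again; everything else fails authentication, which is the "binary garbage" case from the list above.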
Ars criticized three things: the lack of password options, the use of block deduplication, and the fact that the key used to encrypt files and folders on the service is stored on Mega’s servers. Mega will address the first and doesn’t seem to care about the third. The second resulted in this explanation:
Fact #1: Once this feature is activated, chunk MACs will indeed be stored on the server side, but they will of course be encrypted (and we will not use ECB!). Fact #2: MEGA indeed uses deduplication, but it does so based on the entire file post-encryption rather than on blocks pre-encryption. If the same file is uploaded twice, encrypted with the same random 128-bit key, only one copy is stored on the server. Or, if (and this is much more likely!) a file is copied between folders or user accounts through the file manager or the API, all copies point to the same physical file.
Forbes meanwhile focused on Mega’s other weaknesses, and how an attacker could potentially break in and gain access to your data, usually by finding weaknesses and then turning off encryption. The company has countered with a more detailed explanation of how its site is structured, including which content is encrypted and checked, and how.
In the end, every system has weaknesses and can eventually be broken into. If you want to keep your data 100 percent secure, don’t upload it to the Internet.
That being said, if you do want to use Kim Dotcom’s service, make sure to use a unique password (not the same one you use on other services), and change it on a regular basis. This goes for every site on the World Wide Web, not just Mega.