Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Security / reliability of cryptoheaven ?

Nick Daly nick.m.daly at gmail.com
Tue Oct 9 17:55:14 PDT 2012


On Tue, Oct 9, 2012 at 4:18 PM, Brian Conley wrote:
> Thanks for the interesting discussion, but its gone far afield from the
> original question.
>
> Does cryptoheaven seem like a reasonable tool to depend on for journalists
> or businesses requiring security for their communications?

The answer to this always depends on your threat model.  In this case,
cryptoheaven holds your secret keys.  That's a very important point:

On Tue, Oct 2, 2012 at 8:41 PM, Maxim Kammerer wrote:
> From Security FAQ [3]:
>
> “CryptoHeaven manages public keys automatically and securely. User
> simply allows others to communicate with him through the use of
> "Contacts" within the CryptoHeaven system. The system takes care of
> the exchange of the public keys automatically.”
>
> [3] http://www.cryptoheaven.com/Security/SecurityFAQ.htm

This means that anybody who can bring legal or technical pressure
(security holes) to bear on cryptoheaven can expose your secret keys:
your data's private to everybody but cryptoheaven and the folks they
decide to/are forced to share your data with.  If you're writing nasty
things about the country in which cryptoheaven's incorporated (or
where their SSL CA is incorporated), I'd advise finding a different
service provider.  For journalists who don't have a particular
geographic focus, the issue becomes even broader: they might have
different service providers (different identities) for different
places.

This issue is why the Certificate Patrol Firefox extension exists (to
address this at a few different levels) and why this paper was
produced:

http://files.cloudprivacy.net/ssl-mitm.pdf

Nick



More information about the liberationtech mailing list