Search Mailing List Archives
[liberationtech] "Secure" (but Hackable) Cloud Computing:
griffin at cryptolab.net
Tue Apr 22 11:03:12 PDT 2014
-----BEGIN PGP SIGNED MESSAGE-----
Computing on a device you have full control over is not necessarily
secure, and offloading everything onto a machine (or set of machines)
that you have no real control over probably won't improve your security.
There's a lot of money to be made by people who want to convince you
otherwise. Caveat lector.
Incidentally, a new set of attacks (and related vulnerabilities) was
"Here we show that AES in a number popular cryptographic libraries
including OpenSSL, PolarSSL and Libgcrypt are vulnerable to Bernstein’s
correlation attack when run in Xen and VMware (bare metal version) VMs,
the most popular VMs used by cloud service providers (CSP) such as
Amazon and Rackspace. We also show that the vulnerability persists even
if the VMs are placed on different cores in the same machine. The
results of this study shows that there is a great security risk to AES
and (data encrypted under AES) on popular cloud services."
A quick search for [xen vps hosting] leads to 364,000 results. And of
course most of these are pages from service providers, not the websites
they host. Think of all the sites that are hosted on these thousands of
service providers (or even just Amazon/Rackspace/Linode/Gandi) and you
start to scratch the surface of why cloud security is still so tricky.
PGP: 879B DA5B F6B2 7B61 2745 0A25 03CF 4A0A B3C7 9A63
On 2014-04-22 07:47, Caspar Bowden (lists) wrote:
> On 17/04/14 20:29, David Solomonoff wrote:
>>> No longer confined behind a locked down private data center or
>>> hidden under the end user's bed, a virtual FreedomBox can finally
>>> escape to the clouds.
> Apropos the blog, Mylar is cool, but doesn't use FHE. It sends the
> Cloud conventionally encrypted blobs to and fro - and the Client does
> all the work (thus neutralizing main vaunted benefit of Cloud, elastic
> and parallel CPU power). It also uses an encrypted search technique
> for indexing (which is also cool)
-----BEGIN PGP SIGNATURE-----
Version: OpenPGP.js v0.5.1
-----END PGP SIGNATURE-----
More information about the liberationtech