MIT Researchers Create Platform To Build Secure Web Apps That Never Leak Data

DEAD7

rjmarvin writes: "Researchers in the MIT Computer Science and Artificial Intelligence Laboratory have developed a platform for building secure web applications and services that never decrypt or leak data. MIT researcher Raluca Ada Popa, who previously worked on the Google and SAP-adopted CryptDB, and her team, have put a longstanding philosophy into practice: to never store unencrypted data on servers. They've redesigned the entire approach to securing online data by creating Mylar, which builds and updates applications to keep data secure from server breaches with constant encryption during storage, only decrypting the data in the user's browser. Integrated with the open-source Meteor framework, a Mylar prototype has already secured six applications by changing only 35 lines of code."
 

Type Username Here

This is an oversimplification, but: Encryption/Decryption only works if you can keep the key/procedure secret. The problem is, most encryption methods and practices do a good job already. What people don't understand is that the US government:

1) Uses their (unconstitutional) laws to force entities to give them these keys under the threat of prison

OR

2) Pays the company to give them information or is willing to help the company with economic spying

OR

3) Cracks them using the best cryptographers/computer scientists and most powerful mainframes in the world

Believe it or not, it's almost usually the first and second cases. Here's a story about the NSA and RSA:
https://www.eff.org/deeplinks/2014/...y-experts-leave-rsa-conference-they-can-trust
 

LordTaskForce

This is an oversimplification, but: Encryption/Decryption only works if you can keep the key/procedure secret. The problem is, most encryption methods and practices do a good job already. What people don't understand is that the US government:

1) Uses their (unconstitutional) laws to force entities to give them these keys under the threat of prison

OR

2) Pays the company to give them information or is willing to help the company with economic spying

OR

3) Cracks them using the best cryptographers/computer scientists and most powerful mainframes in the world

Believe it or not, it's almost usually the first and second cases. Here's a story about the NSA and RSA:
https://www.eff.org/deeplinks/2014/...y-experts-leave-rsa-conference-they-can-trust

you do realize private companies buy this information as well.

don't you have better things to do on a Wednesday morning than to complain about the US government?
 

Mr. Somebody

Basically, friend, this works by only decrypting the data in the browser. All data stored in the server is encrypted in the browser before it is sent. Pretty cool idea.
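
The encrypt-in-the-browser flow described in this post, as an added example that is not part of the thread and is not Mylar's code or API. It assumes Node's `crypto` module standing in for the browser's crypto, a `Map` standing in for the server's database, and hypothetical function names and sample data.

```javascript
// Added illustration, not Mylar's code or API. Node's crypto module stands in
// for the browser; `server` is a Map standing in for the application's database.
const crypto = require('node:crypto');

const server = new Map(); // all that the server, or anyone who breaches it, can read

// Client: derive the key from the user's password; the key never leaves the client.
function deriveKey(password, salt) {
  return crypto.scryptSync(password, salt, 32);
}

// Client: encrypt before upload (AES-256-GCM, fresh 96-bit nonce per record).
function encryptForUpload(key, docId, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(docId)); // bind the ciphertext to its record id
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Client: decrypt after download; throws if key, record id or ciphertext is wrong.
function decryptAfterDownload(key, docId, { iv, ct, tag }) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAAD(Buffer.from(docId));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

function fails(fn) { try { fn(); return false; } catch { return true; } }

// Runs the flow on constructed sample data and reports what each party can do.
function demo() {
  const salt = crypto.randomBytes(16); // stored with the account, not secret
  const key = deriveKey('correct horse battery staple', salt);
  const note = 'lab results: negative';
  server.set('note-1', encryptForUpload(key, 'note-1', note));

  const stored = server.get('note-1');
  return {
    serverSeesPlaintext: stored.ct.includes(Buffer.from(note)),
    roundTrip: decryptAfterDownload(key, 'note-1', stored),
    // A holder of the stored record with a different key gets an auth failure.
    wrongKeyFails: fails(() => decryptAfterDownload(deriveKey('guess', salt), 'note-1', stored)),
    // A server that serves the record under another id is detected.
    swapDetected: fails(() => decryptAfterDownload(key, 'note-2', stored)),
  };
}

console.log(demo());
```

Nothing held in `server` is readable without `key`, so the protection is exactly as strong as the secrecy of that key and of the code that handles it on the client.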
 

Type Username Here

you do realize private companies buy this information as well.

don't you have better things to do on a Wednesday morning than to complain about the US government?


Don't you have anything better to do than shamelessly defend the US Government's unconstitutional behavior?
 

Type Username Here

put your faith in a document that is 200+ years old that didn't even recognize blacks, brehs


The document is meaningless. The idea of a social contract is not. Nice attempt at a deflection.

Most civilized countries, even those without a mention of classifying black people, recognize the importance of privacy and procedures for search and seizure. This concept predates this country.

It's okay, I'm here to teach.
 

LordTaskForce

The document is meaningless. The idea of a social contract is not. Nice attempt at a deflection.

Most civilized countries, even those without a mention of classifying black people, recognize the importance of privacy and procedures for search and seizure. This concept predates this country.

It's okay, I'm here to teach.

Deflection? You are derailing the thread. I seriously hope you don't think other countries around the world aren't doing this as well. If this bothers you so much you should run for president and put some justices in the court that see things the way you do, friend. :sitdown:
 

Type Username Here

Deflection? You are derailing the thread. I seriously hope you don't think other countries around the world aren't doing this as well. If this bothers you so much you should run for president and put some justices in the court that see things the way you do, friend. :sitdown:


How am I derailing the thread, young man? I made a point directly referencing the article in question. Encryption/Decryption is only as good as keeping the keys and methods secret. This is common sense but a lot of people don't understand this.

Security experts have long suspected that iMessage is not as safe and impenetrable as Apple claims. But a group of researchers says it has proof that Apple can indeed eavesdrop on your iMessages — and the NSA can, too.

The researchers, through a careful and thorough study of the iMessage protocol, conclude that Apple has the ability to intercept and decrypt iMessages. Even though the messages are encrypted end-to-end, Apple manages the keys needed to encrypt and exchange the messages, the researchers found.

"Yes, there is end-to-end encryption as Apple claims, but the weakness is in the key infrastructure as it is controlled by Apple: They can change a key anytime they want, thus read the content of our iMessages," reads a blog post published on Thursday by Cyril Cattiaux, an iOS jailbreak hacker known as "pod2g," and "gg" (who doesn't want to reveal his full name), two security researchers who exclusively shared the post in advance with Mashable.

http://mashable.com/2013/10/17/apple-nsa-imessage/
 

Type Username Here

Here's the story of Lavabit:

Lavabit, an email service that boasted of its security features and claimed 350,000 customers, is no more, apparently after rejecting a court order for cooperation with the US government to participate in surveillance on its customers. It is the first such company known to have shuttered rather than comply with government surveillance.

http://www.theguardian.com/technology/2013/aug/08/lavabit-email-shut-down-edward-snowden


Encryption is the easy part. The hard part comes when someone threatens you with prison if you don't give up your keys and methods.
 

LordTaskForce

How am I derailing the thread, young man? I made a point directly referencing the article in question. Encryption/Decryption is only as good as keeping the keys and methods secret. This is common sense but a lot of people don't understand this.



http://mashable.com/2013/10/17/apple-nsa-imessage/

I agree with this. You should have stated that in your first post. You are being disingenuous by complaining about governments getting their hands on this data, when the real threat is insiders of the company leaking information to third parties outside of the US for money. Edit: or that companies actually consent to selling this information to third parties for profit.
 

Type Username Here

I agree with this. You should have stated that in your first post. You are being disingenuous by complaining about governments getting their hands on this data, when the real threat is insiders of the company leaking information to third parties outside of the US for money.

I'm against both. The governments are getting their hands on data using extortion and illegal behavior, and corporations/individuals are selling them outright to the highest bidders. I don't know where in the hell you assumed that I am a defender of corporations.

insiders of the company leaking information to third parties outside of the US for money.


They do that here too:
http://gizmodo.com/how-much-microsoft-charges-the-fbi-for-user-data-1548308627
 

LordTaskForce

I'm against both. The governments are getting their hands on data using extortion and illegal behavior, and corporations/individuals are selling them outright to the highest bidders. I don't know where in the hell you assumed that I am a defender of corporations.

They do that here too:
http://gizmodo.com/how-much-microsoft-charges-the-fbi-for-user-data-1548308627

I assumed you were by not mentioning the full scope of how things really operate. I'm much less concerned by the government violating "privacy" in order for them to catch illegal activity. And more worried about markets in China and other countries using this data against our best interest economically (or companies in the US using data to manipulate the market to their advantage).
 