Wuala's improved security
Last year I wrote about the poor security of the Wuala online storage and file-sharing startup. Over the following eight months, the people at Wuala made significant improvements, and four months ago Dominik Grolimund asked me to update my blog concerning their now-improved security. Unfortunately bronchitis and wrist pain delayed this substantially; but here's my belated reassessment of Wuala's security: much better, but still lacking in some respects. The big improvements first:
- Wuala no longer uses ECB (Electronic Codebook) mode for encrypting files. They're now using CBC (Cipher Block Chaining) mode instead; this wouldn't have been my first choice (I'm a big fan of CTR mode due to its seekability and trivial application to partial blocks), but there's nothing wrong with CBC from a security perspective.
- Now that Wuala is using CBC mode, the proper use of initialization vectors is important; based on what Dominik has told me, it sounds like IVs are being generated in a manner which will ensure that they are unique as long as no collisions are found in SHA256. Wuala even went further than necessary here, ensuring that IVs will be unique even when used with different AES keys -- but I approve of the paranoia here, since it makes Wuala more likely to resist any as-yet-undiscovered attacks.
- Wuala is now using a slower key generation algorithm. This is critical for guarding against offline dictionary attacks, since anyone who obtains a Wuala user's password can download all of his "private" files. Given that people tend to leak passwords very easily -- either by reusing them, handing them over in exchange for chocolate, or typing them where other people can watch or listen -- the notion of having one's data protected only by a single password scares me (in tarsnap, an attacker must obtain a secret key file in order to access a user's data), but obviously different people have different levels of paranoia.
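To make the first two improvements concrete, here is an added example (my own illustration, not Wuala's code or tarsnap's) showing what an observer of the ciphertext learns under ECB versus CBC, and why CBC only helps if IVs are never reused. It assumes a toy Feistel permutation as a stand-in for AES, block-aligned input, and a made-up SHA-256-based IV derivation in the spirit of the scheme described above.

```python
import hashlib
import hmac

BLOCK = 16  # 128-bit blocks, as in AES; inputs below are assumed block-aligned

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for AES (assumption): a 4-round Feistel permutation with an HMAC round
    # function. Deterministic and invertible, which is all the mode comparison needs.
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, _xor(left, f)
    return left + right

def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # ECB: blocks encrypted independently, so equal plaintext blocks give equal ciphertext blocks.
    return b"".join(toy_block_encrypt(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))

def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # CBC: each block is XORed with the previous ciphertext block (the IV first) before encryption.
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = toy_block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def derive_iv(file_key: bytes, file_id: bytes) -> bytes:
    # Assumed IV scheme in the spirit of the post: hash per-file material so the IV stays
    # unique even across different keys, as long as SHA-256 is collision-free.
    return hashlib.sha256(b"iv|" + file_key + b"|" + file_id).digest()[:BLOCK]

def repeated_blocks(ct: bytes) -> int:
    # Ciphertext blocks that duplicate an earlier one: what an observer of ECB output learns.
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return len(blocks) - len(set(blocks))

def shared_prefix_blocks(ct1: bytes, ct2: bytes) -> int:
    # Leading blocks two ciphertexts have in common; under CBC this leaks the length of a
    # shared plaintext prefix exactly when key and IV are reused.
    n = 0
    for i in range(0, min(len(ct1), len(ct2)), BLOCK):
        if ct1[i:i + BLOCK] != ct2[i:i + BLOCK]:
            break
        n += 1
    return n
```

With a file made of eight identical blocks, `repeated_blocks` reports 7 for ECB and 0 for CBC; two versions of a file that share their first two blocks show a 2-block common prefix under CBC only when the same key and IV are reused.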
A few points remain major concerns to me, however:
- Wuala relies upon a central server for verification that files have not been tampered with. Now, Wuala's central server doesn't hold the keys needed to decrypt "private" files, and as such it cannot create "fake" versions of private files which decrypt to anything non-random-looking; but if a file stored on Wuala is made "public", Wuala can replace the file with anything it wants. Among other things, this means that Wuala should NEVER be used to publicly distribute executable code unless a strong hash is sent out-of-band and verified after the download is complete.
- The source code to the Wuala client is not available. While I have no reason to think that Dominik or anyone working at Wuala has inserted any evil code into the Wuala client, at present there is no way to know. Somehow "hey, download and run this program! It will back up all of your data over the internet, and it's perfectly safe because it encrypts everything first. Really it does! Trust me!" isn't a sales pitch which inspires a lot of confidence in me. Of course, Mozy and Carbonite seem to be successful with precisely this pitch, so clearly I'm more paranoid than most people -- but I would never ask someone to blindly trust a binary which they downloaded (especially if it could start uploading gigabytes of data without drawing attention) and for tarsnap I make all of the client source code available.
- Because of the design of the Cryptree key management system used by Wuala, it is possible for Wuala (and possibly other attackers, but I'm not sure about that) to identify which files you have modified. This sounds like a minor point, but it is a potential problem: For example, when people decide to update their CVs / resumes, they would often prefer that their current employer not find out.
Finally, I have one non-security-related concern about Wuala. Due to the design of Wuala's key management system, there isn't any way to update part of a file: If you modify a file and back up the new version, Wuala generates a new key and re-encrypts the entire file. No security problem here; but if you have a large file which changes frequently -- for instance, a mailbox file for those people who are old enough to still use an offline mail user agent -- you will end up wasting a very large amount of bandwidth.
Make sure that your password is strong; that you don't reuse it anywhere; and that you never type it into an untrusted system or where people could watch you or listen to your typing. Realize that you can't trust the authenticity of any public files. Don't modify and re-upload files if you don't want people to know what files you've changed. And recognize that ultimately you're completely trusting Dominik Grolimund and the Wuala staff with your computer and your data.
But aside from that, Wuala's security now looks fine.