ProtonDrive’s End-to-End Encryption Security Revealed

· Andrew Orr · Link

ProtonDrive (from the makers of ProtonMail and ProtonVPN) is in the final stages of development before it gets a beta launch later in 2020. The team revealed its end-to-end encryption security in a blog post.

Files and folders are arranged in a tree structure. Therefore, there is a recurring pattern where a file or folder’s asymmetric key is locked with a passphrase, which in turn is encrypted with the asymmetric key of their parent folder. All passphrases are signed with the address key of the user, without which a malicious server could forge the contents of the tree.

pCloud Update Lets Users Decide Where Files are Stored

· Andrew Orr · Link

pCloud is an encrypted cloud storage service, and a recent update gave users the ability to decide on which server their files are stored.

All pCloud users will be able to choose the server location where their files are stored. This will give users greater control over the security of their files. Once the choice of where to store the data is made during registration – in the US or Europe – it is practically impossible to transfer them without the user’s knowledge or permission. Currently, the option to select the server location is available only to newly registered users.

Kingston Now Sells 128GB Encrypted Flash Drives

· Andrew Orr · Cool Stuff Found

Kingston has added 128GB capacities to its line of encrypted flash drives. The announcement lists several drives, like the DataTraveler Locker+ G3, DataTraveler Vault Privacy 3.0, and DataTraveler 4000G2 (Available July 27). Richard Kanadjian, encrypted USB drive business manager, Kingston: “Within our full line of encrypted drives, we offer high levels of encryption, fast USB 3.0 performance and after 10 intrusion attempts, the drives lock down so users can rest assured their data is safe.”

‘Lawful Access to Encrypted Data Act’ is Latest Encryption Attack

· Andrew Orr · Link

Senators Lindsey Graham (R-South Carolina), Tom Cotton (R-Arkansas) and Marsha Blackburn (R-Tennessee) introduced the Lawful Access to Encrypted Data Act yesterday. It seeks to bring back the Crypto Wars of the 1990s by crippling encryption with the introduction of backdoors.

Yet increasingly, technology providers are deliberately designing their products and services so that only the user, and not law enforcement, has access to content – even when criminal activity is clearly taking place. This type of “warrant-proof” encryption adds little to the security of the communications of the ordinary user, but it is a serious benefit for those who use the internet for illicit purposes.

“Adds little to the security of the communications of the ordinary user.” That’s the level of contempt these people have for the rest of us.

Zoom Backtracks, Will Give Free Users Encryption Protection

· Andrew Orr · Link

After a lot of negative attention from press and privacy advocates, Zoom has backtracked on its stance. It will provide free users with end-to-end encryption, a feature previously limited to paying customers.

The company said that free users will have to verify themselves with a phone number in a one-time process. It claimed that this will stop bad actors from creating multiple abusive accounts.

Zoom is also releasing an updated design of its end-to-end encryption solution on GitHub that intends to achieve a balance between “the legitimate right of all users to privacy and the safety of users.”

Good to see Zoom do this.

IBM Releases Homomorphic Encryption Toolkit for iOS, macOS

· Andrew Orr · Link

IBM has released a toolkit for iOS and macOS to help developers easily add homomorphic encryption to their programs.

While the technology holds great potential, it does require a significant shift in the security paradigm. Typically, inside the business logic of an application, data remains decrypted, Bergamaschi explained. But with the implementation of FHE, that’s no longer the case — meaning some functions and operations will change.

In other words, “There will be a need to rewrite parts of the business logic,” Bergamaschi said. “But the security that you gain with that, where the data is encrypted all the time, is very high.”

If you haven’t added homomorphic encryption to your technology watch list, be sure to do so. As I wrote in the past, this type of encryption lets a company perform computations on data while still keeping that data encrypted.

HideMyAss VPN 2-Yr Subscription: $79.99

· Bryan Chaffin · TMO Deals

We have a deal on a 2-year subscription to HideMyAss, a VPN featuring 256-bit AES encryption and a strict no-logging policy. The subscription is good for unlimited installs with up to 5 connections at once, and 2 years is $79.99 through our deal.

Zoom’s Encryption is Linked to Chinese Servers

· Andrew Orr · Link

Researchers found that Zoom uses its own encryption scheme, sometimes using keys issued by China.

Some of the key management systems — 5 out of 73, in a Citizen Lab scan — seem to be located in China, with the rest in the United States. Interestingly, the Chinese servers are at least sometimes used for Zoom chats that have no nexus in China. The two Citizen Lab researchers, Bill Marczak and John Scott-Railton, live in the United States and Canada. During a test call between the two, the shared meeting encryption key “was sent to one of the participants over TLS from a Zoom server apparently located in Beijing,” according to the report.

I don’t have further commentary on Zoom, other than asking, “How will this end?”

Zoom Meetings Aren’t Encrypted End-to-End, Despite Marketing

· Andrew Orr · Link

Along with recent news that Zoom sent your data to Facebook (although it stopped), now we learn that its video calls don’t use end-to-end encryption, despite the company marketing it as such.

…But despite this misleading marketing, the service actually does not support end-to-end encryption for video and audio content, at least as the term is commonly understood. Instead it offers what is usually called transport encryption, explained further below.

It just keeps getting worse for Zoom. It’s unfortunate the company has chosen such tactics, because it really is one of the better video calling apps out there.

How the EARN IT Act is an Attack on Encryption

· Andrew Orr · Link

Introduced by Senators Lindsey Graham and Richard Blumenthal, the EARN IT Act would force companies to “earn” protection from Section 230 to fight online child exploitation.

Though it seems wholly focused on reducing child exploitation, the EARN IT Act has definite implications for encryption. If it became law, companies might not be able to earn their liability exemption while offering end-to-end encrypted services. This would put them in the position of either having to accept liability or remove encryption protections altogether.

My linked teaser from yesterday was separate from the EARN IT Act, but now it shows that companies are being coerced on two fronts.

New App ‘MyPrivacy’ Gives You a VPN, Photo Vault, Password Manager, More

· Andrew Orr · Cool Stuff Found

MyPrivacy is a new app from the makers of MyPermissions. It’s an all-in-one tool that gives you a VPN, password manager, private browser, photo vault, social permissions manager, and app lock. It requires a subscription of up to US$99/year. The privacy policy also looks decent. It mentions both “military-grade” and “NSA-grade” encryption, which likely refers to AES-256. There are certainly cheaper solutions out there but having everything in one app is convenient.

MI5 Chief Wants ‘Exceptional Access’ to Encrypted Messages

· Andrew Orr · Link

Sir Andrew Parker is the head of MI5, the UK’s domestic security service. He wants tech firms to provide “exceptional access” to encrypted messages.

In an ITV interview to be broadcast on Thursday, Sir Andrew Parker says he has found it “increasingly mystifying” that intelligence agencies like his are not able to easily read secret messages of terror suspects they are monitoring.

Bah, this is smoke and mirrors. As the head of a security agency he knows that restricting backdoors to the good guys is impossible.

Firefox Enables Encrypted DNS by Default

· Andrew Orr · Link

Starting today, Firefox will begin rolling out support for encrypted DNS over HTTPS for U.S.-based users.

We’re enabling DoH by default only in the US. If you’re outside of the US and would like to enable DoH, you’re welcome to do so by going to Settings, then General, then scroll down to Networking Settings and click the Settings button on the right. Here you can enable DNS over HTTPS by clicking, and a checkbox will appear.

You can choose between Cloudflare and NextDNS. As I mentioned in my roundup of DNS services, I’ve been using NextDNS for the past couple weeks and I love it.