Opens a huge door for attackers, negating any advantage. Also, as with most cloud services, from their privacy policy:
"Impartio may apply security technologies and procedures to help protect against unauthorized access or use of the Services. Impartio does not guarantee the success of such technologies and procedures.Customer is solely responsible for the security, protection and backup of its Customer Data, and any other data, software or services it uses in connection with the Services."
Discussion on:
View:
Show:
I wouldn't shoot the idea down just because it's a hosted service (buzword; "cloud") without first knowing how they implement it. Lastpass and Spideroak both manage synchronization between multiple user end points through hosted storage but in a way that cryptographically limits access to only the relevant user end points.
In terms of privacy policy, the quoted section seems pretty standard. "we'll do our best to keep servers secure but sh,t happens; customer is responsible for having other backups if our servers eat your data"
I'd have more problem with it including things like; "we will hand your data to authorities upon request and without notifying you; we are able to decrypt your data should you be unable to; we are able to recover your password if you loose it".. all things that point toward an implementation insecure by design and intent.
Now, this is a program to encrypt your Google Docs and there are a few things to like about it:
- it sounds like like side encryption; if the encryption happens on the user's own machine with only encrypted data touching the network and service provider's servers then well done. If client sends data to Impartio's servers which encrypt and forward on to google's servers then boo.. broken by design.
- it potentially encrypts user files without breaking a lot of the google document sharing and such (though obviously breaks any "search for text in your document" type functions.
Ultimately, I'm not the target customer though either. This product is like using Truecrypt volumes to make Dropbox secure instead of just using a properly implemented secure system. Great that it's available if one has to use Google Drive but there are other options to consider first.
In terms of privacy policy, the quoted section seems pretty standard. "we'll do our best to keep servers secure but sh,t happens; customer is responsible for having other backups if our servers eat your data"
I'd have more problem with it including things like; "we will hand your data to authorities upon request and without notifying you; we are able to decrypt your data should you be unable to; we are able to recover your password if you loose it".. all things that point toward an implementation insecure by design and intent.
Now, this is a program to encrypt your Google Docs and there are a few things to like about it:
- it sounds like like side encryption; if the encryption happens on the user's own machine with only encrypted data touching the network and service provider's servers then well done. If client sends data to Impartio's servers which encrypt and forward on to google's servers then boo.. broken by design.
- it potentially encrypts user files without breaking a lot of the google document sharing and such (though obviously breaks any "search for text in your document" type functions.
Ultimately, I'm not the target customer though either. This product is like using Truecrypt volumes to make Dropbox secure instead of just using a properly implemented secure system. Great that it's available if one has to use Google Drive but there are other options to consider first.
It is a weak link for a myriad of reasons.
And, just because a privacy policy mimics others doesn't make it acceptable, IMO.
And, just because a privacy policy mimics others doesn't make it acceptable, IMO.
There are probably two different things I was trying to comment on also.
First, the policy content. My point was not that mimicking another privacy policy makes this one OK. It was more that these are common policies now found across most services; "we promise to try not getting broken into but if it happens we take no responsibility for your losses".. Microsoft has been software with that one for ever. You pretty much have to damn the entire industry if your going to damn this one company for it.
Second, the "Weak Link" question. This is very much a matter of implementation details. I'm not saying this service is or is not implemented securely; it's really more of a question. It is possible to implement a hosted service in a way that blocks even the service host from accessing user data; is this sharing service implemented in such a way or is it broken by intent/accident?
Lastpass and Spideroak where offered as examples of hosted services implemented properly to keep even the service provider out of the user's data. Services that would be discounted as "cloud" even though they do not share the design flaws that other hosted services choose to include. If you have found weak links in them though, that would be huge news.
First, the policy content. My point was not that mimicking another privacy policy makes this one OK. It was more that these are common policies now found across most services; "we promise to try not getting broken into but if it happens we take no responsibility for your losses".. Microsoft has been software with that one for ever. You pretty much have to damn the entire industry if your going to damn this one company for it.
Second, the "Weak Link" question. This is very much a matter of implementation details. I'm not saying this service is or is not implemented securely; it's really more of a question. It is possible to implement a hosted service in a way that blocks even the service host from accessing user data; is this sharing service implemented in such a way or is it broken by intent/accident?
Lastpass and Spideroak where offered as examples of hosted services implemented properly to keep even the service provider out of the user's data. Services that would be discounted as "cloud" even though they do not share the design flaws that other hosted services choose to include. If you have found weak links in them though, that would be huge news.
Or, you could just use eFileCabinet. They are FINRA, SEC and SOX compliant cloud storage as well as a document imaging solution. I don't work for them but I've been evaluating them and thought they were cool.
Hello, this is Hitesh Tewari from the CipherDocs team. Just to clarify a few aspects of the technology. Traditional bulk encryption can be applied to files which can then be subsequently stored on services such as Dropbox. Google Apps on the other hand does not have a save button, so as the user is typing into the document, revisions are being sent up to the Google servers, and thus bulk encryption techniques are not applicable. See the following video for an overview of the CipherDocs technology in action:
http://www.youtube.com/watch?v=CVIthlM7P3Q&feature=plcp
Secondly, Google Apps has a collaborative feature which allows multiple invited users to view and edit a document. Again if one were to apply bulk encryption then one would loose this unique feature. CipherDocs on the other hand preserves this by piggybacking on Google's sharing mechanism to seamlessly share document encryption keys with other users. However all data on Google's servers remains encrypted, see video below:
http://www.youtube.com/watch?v=FTHCQfUHyfc&feature=plcp
We also have an alpha version of the plugin for Google Spreadsheets:
http://www.youtube.com/watch?v=q1MkaOkpj5Y&feature=plcp
Finally, we also have a mobile keychain service called KeyHub that allows a user to seamlessly reconstitute their keychain on any machine they decide to use. For example, one could create a document at work and then wish to view the same at home or another location. We store an encrypted version of the keychain on our KeyHub service and only the user has the master password to decrypt the same. In an enterprise environment we envisage that the KeyHub service would be under the control of the organization using the service.
Feel free to send us an email if you need further info or clarification.
http://www.youtube.com/watch?v=CVIthlM7P3Q&feature=plcp
Secondly, Google Apps has a collaborative feature which allows multiple invited users to view and edit a document. Again if one were to apply bulk encryption then one would loose this unique feature. CipherDocs on the other hand preserves this by piggybacking on Google's sharing mechanism to seamlessly share document encryption keys with other users. However all data on Google's servers remains encrypted, see video below:
http://www.youtube.com/watch?v=FTHCQfUHyfc&feature=plcp
We also have an alpha version of the plugin for Google Spreadsheets:
http://www.youtube.com/watch?v=q1MkaOkpj5Y&feature=plcp
Finally, we also have a mobile keychain service called KeyHub that allows a user to seamlessly reconstitute their keychain on any machine they decide to use. For example, one could create a document at work and then wish to view the same at home or another location. We store an encrypted version of the keychain on our KeyHub service and only the user has the master password to decrypt the same. In an enterprise environment we envisage that the KeyHub service would be under the control of the organization using the service.
Feel free to send us an email if you need further info or clarification.
Thanks for the info this is pretty good encryption solution.
I've been playing around with a service called penango. They offer a 14-day free trial so i decided to do it. So far I've only sent a few test emails and it seems to be working great. It's end-to-end encryptions, FIPS 140-2 certified, S/MIME and works on a bunch of platforms like gmail, google apps, vmware email, outlook...check it out penango.com
I've been playing around with a service called penango. They offer a 14-day free trial so i decided to do it. So far I've only sent a few test emails and it seems to be working great. It's end-to-end encryptions, FIPS 140-2 certified, S/MIME and works on a bunch of platforms like gmail, google apps, vmware email, outlook...check it out penango.com
- Keyboard Shortcuts:
- Prev
- Next
- Toggle
