Source URL: https://it.slashdot.org/story/24/10/26/1833203/researchers-discover-flaws-in-five-end-to-end-encrypted-cloud-services?utm_source=rss1.0mainlinkanon&utm_medium=feed
Source: Slashdot
Title: Researchers Discover Flaws In Five End-to-End Encrypted Cloud Services
Summary: Researchers from ETH Zurich have identified significant cryptographic flaws in several major end-to-end encrypted cloud storage services, highlighting vulnerabilities that could compromise file confidentiality and integrity. Despite the intention of end-to-end encryption to protect user data, flaws in these systems could allow unauthorized access and tampering, raising critical concerns for security professionals.
Detailed Description: The findings presented by researchers Jonas Hofmann and Kien Tuong Truong at the ACM Conference on Computer and Communications Security (CCS) reveal severe vulnerabilities in end-to-end encrypted (E2EE) cloud storage solutions used by approximately 22 million users. Here are the key points of their research:
– **Services Analyzed**: The study focused on five E2EE cloud storage services: Sync, pCloud, Seafile, Icedrive, and Tresorit.
– **Vulnerabilities Found**:
  – Four out of the five services exhibited significant flaws that could enable attackers to:
    – Bypass the security protocols of E2EE,
    – Access confidential files,
    – Tamper with the content,
    – Inject unauthorized files into the user’s storage.
– **Specific Findings**:
  – Tresorit had fewer vulnerabilities, primarily related to metadata tampering and sharing issues with non-authentic keys.
  – The other four services posed a higher risk of compromising file confidentiality and integrity.
– **Realistic Threat Model**:
  – The researchers emphasized that the exploits they tested would require an attacker to have already compromised a server.
  – They contend that this scenario reflects a practical threat model, as E2EE services are designed to safeguard data even under such conditions.
– **Industry Response**:
  – Services like Sync and Seafile have acknowledged the vulnerabilities and are working on fixes to enhance their security.
Highlights for professionals in the security field include:
– The importance of continuous security audits, even for services providing E2EE,
– The necessity of a robust threat model that considers potential vulnerabilities in scenario planning,
– The need for users to stay informed about the security measures of the cloud services they employ.
This research underscores ongoing challenges in cloud computing security and the critical importance of rigorous scrutiny of encryption methods to ensure true data protection.