Easy Privacy In the past, securely storing and transferring confidential information required the installation of dedicated software. The new Mega encrypts and decrypts your data transparently in your browser, on the fly. You hold the keys to what you store in the cloud, not us.
This quote is taken from the website of the new MegaUpload filehosting service, which is sheduled to be launched on jan 19th this month.
Naturally as a web-developer I am interested and curious about the technology behind.
All I could find were screenshots and claims, that make it seem authentic, that the data is really never leaving the client unencrypted!
Files and transfers are secured using AES.
Every client gets an asymmetric key-pair, I can only guess why, but I think it will be used to encrypt the AES initialisation vector and key for other clients of which you want to share the file with.
However my question is this:
How is it technically possible to intercept the file upload/download?
I know there are encrpytion algorithms for both RSA and AES that run in javascript and are very efficient.
But the only browser which seems to have support for operating within the file system is chrome.
How does the data get from the harddrive to the clients browser to be encrypted? And how does it get from there to a file on the hard drive?
I do not know about such a thing as a filesystem API. Even html5 supports only some sort of object storage.
I guess its pretty trivial with some sorts of browser plugins or maby a java or adobe air applet, but they claim that there will be no such things as 3rd party software that needs to be installed.
Is there another way?
Easy Privacy In the past, securely storing and transferring confidential information required the installation of dedicated software. The new Mega encrypts and decrypts your data transparently in your browser, on the fly. You hold the keys to what you store in the cloud, not us.
This quote is taken from the website of the new MegaUpload filehosting service, which is sheduled to be launched on jan 19th this month.
Naturally as a web-developer I am interested and curious about the technology behind.
All I could find were screenshots and claims, that make it seem authentic, that the data is really never leaving the client unencrypted!
Files and transfers are secured using AES.
Every client gets an asymmetric key-pair, I can only guess why, but I think it will be used to encrypt the AES initialisation vector and key for other clients of which you want to share the file with.
However my question is this:
How is it technically possible to intercept the file upload/download?
I know there are encrpytion algorithms for both RSA and AES that run in javascript and are very efficient.
But the only browser which seems to have support for operating within the file system is chrome.
How does the data get from the harddrive to the clients browser to be encrypted? And how does it get from there to a file on the hard drive?
I do not know about such a thing as a filesystem API. Even html5 supports only some sort of object storage.
I guess its pretty trivial with some sorts of browser plugins or maby a java or adobe air applet, but they claim that there will be no such things as 3rd party software that needs to be installed.
Is there another way?
Share Improve this question asked Jan 11, 2013 at 13:28 The SurricanThe Surrican 29.9k24 gold badges126 silver badges168 bronze badges 3- "How is it technically possible to intercept the file upload/download?" do you mean by attacker or in general? If in general, than I imagine they make use of html5 file API to read chucks of file, encrypt them and send through internet using ajax or whatever. The same case with download. It's almost certain that it's not done by messing with regular file upload using POST or download, because that would be impossible AFAIK. BTW interesting question - it's first time I hear about new Megaupload. – WTK Commented Jan 11, 2013 at 13:57
- Probably encrypted files aren't uploaded using the browser but an OS application like Dropbox, Skydrive... – Matías Fidemraizer Commented Jan 11, 2013 at 14:02
-
I don't know the Mega API at all, but I don't see what this has to do with the filesystem. I'm guessing the upload process goes: 1. load a file into the browser using an
<input type="file">element, 2. read that file and encrypt it using a JS crypto library, 3. send the encrypted value for storage on a server. To get a file back from the server, fetch it with Ajax, decrypt it, and have the browser save it as a file (or possibly just show it to the user in the browser). – apsillers Commented Jan 11, 2013 at 14:06
1 Answer
Reset to default 7How is it technically possible to intercept the file upload/download?
You don't intercept it. The user picks a file (or files) using an <input type="file"> element, then JavaScript reads the value of the file input and encrypts it. The upload will probably be done via Ajax.
But the only browser which seems to have support for operating within the file system is chrome.
Chrome is the first to implement the filesystem API, which is different from the file API. The filesystem API manages a sandboxed filesystem (not the user's true OS filesystem); the file API reads files from <input type="file"> elements. The file API has much broader support (but not perfect support) in most modern browsers.
For encryption and upload, JavaScript can read files which the users specifically selects using a file input and send the encrypted value to the server via Ajax. For download, the browser can perform an Ajax fetch of the resource, decrypt it, and prompt the user to save the file (e.g., by redirecting to a data: URI). No programmatic access to the filesystem is necessary.