A year to the day after the Megaupload takedown, Kim Dotcom launched his brand new Mega cloud file storage service on January 19. However, mere days after launch, the new service is already coming under fire over security concerns regarding users’ data and privacy.
The other problem is that the SSL standard itself is vulnerable to various attacks, including fake SSL certificates issued by an untrusted or duped certificate authority, and an attack using a tool called SSLstrip, which lets an attacker intercept an SSL connection and strip the encryption from it. That attacker can then spy on whatever data the user sends to the attacker’s fake website.
However, in answer to the above criticisms and others, Mathias Ortmann, Mega’s CTO, said that these vulnerabilities are also present in other sites which have even higher security requirements, such as online banking.
“If they had bothered to read that they would have seen that we basically state exactly what they are accusing us of as possible attack vectors plus some others they are not accusing us of. All of these SSL-related attacks do not apply specifically to us. They apply to companies with equally high security requirements or even higher requirements.”
It looks like it might pay to wait a little while before using this service, or, if you do use it, to avoid putting any sensitive data on it, at least for now.
“Every time you open the website, the encryption code is sent from scratch,” Kobeissi said. “So if one day I decide I want to disable all encryption for you, I can just serve your username different code that doesn’t encrypt anything and instead steals your encryption keys.”