Wuala's improved security

Last year I wrote about the poor security of the Wuala online storage and file-sharing startup. Over the following eight months, the people at Wuala made significant improvements, and four months ago Dominik Grolimund asked me to update my blog concerning their now-improved security. Unfortunately bronchitis and wrist pain delayed this substantially; but here's my belated reassessment of Wuala's security: Much better, but still lacking in some respects.

The big improvements first:

A few points remain major concerns to me, however:

Finally, I have one non-security-related concern about Wuala. Due to the design of Wuala's key management system, there isn't any way to update part of a file: If you modify a file and back up the new version, Wuala generates a new key and re-encrypts the entire file. No security problem here; but if you have a large file which changes frequently -- for instance, a mailbox file for those people who are old enough to still use an offline mail user agent -- you will end up wasting a very large amount of bandwidth.

Make sure that your password is strong; that you don't reuse it anywhere; and that you never type it into an untrusted system or where people could watch you or listen to your typing. Realize that you can't trust the authenticity of any public files. Don't modify and re-upload files if you don't want people to know what files you've changed. And recognize that ultimately you're completely trusting Dominik Grolimund and the Wuala staff with your computer and your data.

But aside from that, Wuala's security now looks fine.

Posted at 2008-11-07 14:45