Reminders that data entrusted to online services can easily be leaked or stolen aren’t hard to find. Major companies commonly have passwords and other data taken by attackers, while governments have their own ways to get hold of user data.
Researcher Raluca Popa of MIT thinks many online services should and could be redesigned to guard against that. “Really, there’s no trusting a server,” she says. Popa has led the development of a system called Mylar for building Web services that puts that philosophy into practice. Services built using it keep data on their servers encrypted at all times and only ever decrypt it on a person’s computer.
Mylar's developers claim: First, Mylar allows the server to perform keyword search over encrypted documents, even if the documents are encrypted with different keys. Second, Mylar allows users to share keys and data securely in the presence of an active adversary. Finally, Mylar ensures that client-side application code is authentic, even if the server is malicious.
Other platforms, such as the Woogloo V3 platform (released in 2011) using a natively encrypted H2 database, also claim the same things. So why is this a breakthrough?
However, it is good to see MIT taking data security seriously and building an open source platform that others can use to bring their web applications up to speed with modern data protection standards, especially given that MIT is an American institution and the main threat to data security is the NSA.