Mega responds to security concerns, implements password changes
Since Mega launched, there have been many concerns over how it handles security, from the encryption used, to the lack of account recovery options. But now that researchers and the media have discussed the issues, Mega has responded. Mega was "not too impressed," but it has taken the time to acknowledge the arguments that were correct and reveal what it plans to do about them.
Mega confirmed that users currently have no means to change their password, quoting Ars Technica, which previously said that "Losing [your password] means you don't just lose the ability to log on to the service — you lose the ability to decrypt your files, period."
To address this, Mega stated that it would implement a password change feature that will "re-encrypt the master key with your new password," as well as implement a password reset mechanism.
The reset mechanism is purely to allow the user to log back into their account, but it will not allow users to read their existing files, as those would have been encrypted using their previous key. That isn't a problem if the files were encrypted using pre-exported keys, or if the files were shared with others with a specific shared key, but other than that, files will not be accessible without the original key.
An additional enhancement that will be rolled out at a later date is the ability to add even more randomness, or entropy, to how RSA keys are generated upon sign up. At the moment, keys are generated using the Math.random() function, and while alone, this function only produces pseudo-random numbers that can be guessed, additional entropy is already provided by asking using the input of the user's mouse movement and keyboard strokes. The future enhancement will allow the user to add additional entropy manually, if they so desire, rather than during the relatively brief period currently available.
Another question raised several times by researchers was how Mega manages de-duplication. Its terms of service essentially state that if more than one user uploads duplicate data, it has the right to simply link to the same data, rather than write it twice, or more, to storage. One of the key benefits of doing so is to ensure that storage space isn't wasted.
Since the data is encrypted, users have questioned how Mega would know that the data is duplicated, leading to accusations that Mega either doesn't encrypt the data, or it holds decryption keys itself for the purpose of comparing data.
What Mega does, however, is compare the encrypted data, regardless of what its unencrypted form is. The real intent of the clause is actually for cases where a single user stores multiple copies of the same file, or when a file, encrypted with a shared key, is copied across multiple accounts.
While Mega conceded on these two points and has plans to address them, there were also a number of incorrect accusations that the site faced, including that it verified its own Javascript code — generating trust from an untrusted source — and that its SSL server used outdated 1024-bit encryption.
Mega has two sites; the front facing mega.co.nz, and static.co.nz. The former uses 2048-bit encryption and is trusted, while the latter used 1024-bit encryption and could be arguably seen as untrusted. However, as static.co.nz serves code to mega.co.nz — the trusted, secure server — it is verified to ensure that it hasn't been modified during a man-in-the-middle attack.
There was also an argument that if an attacker could circumvent SSL encryption, Mega's security would be broken. Mega acknowledged this fact, but also put the capabilities of such an attacker into perspective, stating at "if you can break SSL, you can break a lot of things that are even more interesting than Mega."
Lastly, Mega briefly acknowledged the existence of the MegaCracker tool, designed by security researcher Steve Thomas. In a little under 24 hours, Thomas, also known as Sc00bz, developed a small application to extract users' passwords from the account confirmation email sent by Mega at the time of sign up.
This email contains a confirmation code that has a hashed version of the user's password embedded in it. MegaCracker takes this confirmation code, strips out the hash, and attempts to crack it against a list of passwords supplied by the attacker.
Mega's implementation of account confirmation can be considered marginally better than the poor practice of sending plaintext passwords back to the user at sign-in, as the hash must be cracked to recover the password. It also relies on an attacker obtaining the email, although many older email providers still do not use a secure connection, making it easy for emails to be sniffed on shared wireless connections.
The probability of successfully cracking a user's password hash is significantly lower for passwords that follow good practices, such as not picking dictionary words, and Mega has simply said that MegaCracker serves as "an excellent reminder not to use guessable/dictionary passwords."