How is it possible to on-the-fly client-side de/encrypt file transfers in a webbrowser?

Easy Privacy In the past, securely storing and transferring confidential information required the installation of dedicated software. The new Mega encrypts and decrypts your data transparently in your browser, on the fly. You hold the keys to what you store in the cloud, not us.

This quote is taken from the website of the new MegaUpload file hosting service, which is scheduled to be launched on Jan 19th this month.

Naturally, as a web developer, I am interested in and curious about the technology behind it.

All I could find were screenshots and claims, that make it seem authentic, that the data is really never leaving the client unencrypted!

Files and transfers are secured using AES.

Every client gets an asymmetric key pair. I can only guess why, but I think it will be used to encrypt the AES initialisation vector and key for other clients with whom you want to share the file.

However my question is this:

How is it technically possible to intercept the file upload/download?

I know there are encryption algorithms for both RSA and AES that run in JavaScript and are very efficient.

But the only browser which seems to have support for operating within the file system is Chrome.

How does the data get from the hard drive to the client's browser to be encrypted? And how does it get from there to a file on the hard drive?

I do not know about such a thing as a filesystem API. Even HTML5 supports only some sort of object storage.

I guess it's pretty trivial with some sort of browser plugin or maybe a Java or Adobe AIR applet, but they claim that there will be no such thing as 3rd party software that needs to be installed.

Is there another way?

The Surrican asked Jan 11 '13 13:01


1 Answer

How is it technically possible to intercept the file upload/download?

You don't intercept it. The user picks a file (or files) using an <input type="file"> element, then JavaScript reads the value of the file input and encrypts it. The upload will probably be done via Ajax.

But the only browser which seems to have support for operating within the file system is Chrome.

Chrome is the first to implement the filesystem API, which is different from the file API. The filesystem API manages a sandboxed filesystem (not the user's true OS filesystem); the file API reads files from <input type="file"> elements. The file API has much broader support (but not perfect support) in most modern browsers.

For encryption and upload, JavaScript can read files which the user specifically selects using a file input and send the encrypted value to the server via Ajax. For download, the browser can perform an Ajax fetch of the resource, decrypt it, and prompt the user to save the file (e.g., by redirecting to a data: URI). No programmatic access to the filesystem is necessary.

apsillers answered Oct 14 '22 11:10