Academic researchers from Johns Hopkins University have found weaknesses in several cloud storage providers that promise complete confidentiality of user data, both while it is stored and when it is shared with other users.
The report “‘To Share or Not to Share’ in Client-Side Encrypted Clouds” (PDF) examines SpiderOak, Wuala and Tresorit as a sample of providers that use client-side encryption, a well-regarded practice in which files are encrypted and decrypted on the user's device, so that in principle the data stays unreadable even to the provider hosting it.
What the researchers found, however, is that each provider also operates as its own certificate authority. The provider both issues users' certificates and is the only party vouching for them when one user looks up another's public key, so nothing outside the provider's control ties a key to the person it supposedly belongs to. That lets a provider, in some circumstances, hand out a public key it controls in place of a trusted user's and thereby gain access to the shared data.
For instance, when you share a folder with a friend, your client fetches the friend's public key and encrypts the folder's key to it. If the provider returns a key of its own instead, and your client has no way to check the key against something the provider cannot forge, the folder key ends up encrypted to the provider, which can then read the folder.
This weakness applies only when folders are shared with other users or groups, because that is the only time a key exchange passes through the provider. Data that a single user keeps to themselves and never shares is not affected.
Still, this falls short of the typical claims these providers make, such as Wuala's: “No one unauthorized, not even the cloud storage provider, can access the files.”
The researchers' proposed fix for this implementation problem is to follow established practice and have users' certificates signed by a trusted third party that is independent of the provider, so that a sharing client can verify a recipient's key against something the provider cannot forge.
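To make the mechanism concrete, here is an added example in Go, written for this page and not taken from the paper or from any of the providers (whose real key formats and sharing protocols the page does not describe). It models sharing as encrypting a folder key to the recipient's public key fetched from the provider's directory, and runs the two designs side by side: when the provider is also the CA the client trusts, a substituted key still carries a valid certificate and the provider can unwrap the folder key; when only an independent third party holds the CA key, the substituted key fails verification and the client refuses to share. Every name here (Provider, Share, Run, the user "bob") and the wrapping construction (ephemeral X25519 agreement, SHA-256 key derivation, AES-256-GCM) are assumptions chosen for the illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
func newKey() *ecdh.PrivateKey    { return must(ecdh.X25519().GenerateKey(rand.Reader)) }

// Cert binds a user name to an X25519 public key under a CA's Ed25519 signature over certMsg.
type Cert struct{ Name string; Key, Sig []byte }
func certMsg(name string, key []byte) []byte { return append([]byte(name+"\x00"), key...) }
type Wrapped struct{ Eph, Nonce, CT []byte } // a folder key encrypted to one recipient

// Provider models the service and the key directory clients consult when sharing (hypothetical,
// not any real provider's protocol). ca is set when the provider is also the CA; MITM, when
// set, is a key the provider controls and hands out in place of the requested user's.
type Provider struct {
	certs map[string]Cert
	ca    ed25519.PrivateKey
	MITM  *ecdh.PrivateKey
}

func (p *Provider) Lookup(name string) Cert {
	if p.MITM == nil {
		return p.certs[name]
	}
	c := Cert{Name: name, Key: p.MITM.PublicKey().Bytes()}
	if p.ca != nil { // a provider that is the CA can certify its own key under any name
		c.Sig = ed25519.Sign(p.ca, certMsg(c.Name, c.Key))
	}
	return c
}

// aead returns AES-256-GCM keyed with SHA-256(X25519 agreement || both public keys).
func aead(shared, eph, rcpt []byte) cipher.AEAD {
	kek := sha256.Sum256(bytes.Join([][]byte{shared, eph, rcpt}, nil))
	return must(cipher.NewGCM(must(aes.NewCipher(kek[:]))))
}

// Wrap encrypts folderKey to recipient using a fresh ephemeral X25519 key.
func Wrap(recipient *ecdh.PublicKey, folderKey []byte) Wrapped {
	eph := newKey()
	g := aead(must(eph.ECDH(recipient)), eph.PublicKey().Bytes(), recipient.Bytes())
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return Wrapped{eph.PublicKey().Bytes(), nonce, g.Seal(nil, nonce, folderKey, nil)}
}

// Unwrap recovers the folder key; GCM rejects the blob unless priv is the key it was wrapped to.
func Unwrap(priv *ecdh.PrivateKey, w Wrapped) ([]byte, error) {
	eph, err := ecdh.X25519().NewPublicKey(w.Eph)
	if err != nil {
		return nil, err
	}
	return aead(must(priv.ECDH(eph)), w.Eph, priv.PublicKey().Bytes()).Open(nil, w.Nonce, w.CT, nil)
}

// Share is the sharing client's step: fetch the recipient's certificate from the
// provider, accept it only if the CA this client trusts signed it, then wrap.
func Share(p *Provider, recipient string, trustedCA ed25519.PublicKey, folderKey []byte) (Wrapped, error) {
	c := p.Lookup(recipient)
	if c.Name != recipient || !ed25519.Verify(trustedCA, certMsg(c.Name, c.Key), c.Sig) {
		return Wrapped{}, fmt.Errorf("key for %s is not certified by the trusted CA", recipient)
	}
	return Wrap(must(ecdh.X25519().NewPublicKey(c.Key)), folderKey), nil
}

// Run shares a folder key with "bob" and reports (client agreed to share, provider can read it,
// bob can read it). providerIsCA gives the provider the CA key the client trusts; otherwise only
// an independent third party holds it. dishonest makes the provider substitute its own key.
func Run(providerIsCA, dishonest bool) (shared, providerReads, recipientReads bool) {
	caPub, caPriv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	p := &Provider{certs: map[string]Cert{}}
	if providerIsCA { p.ca = caPriv }
	bob := newKey()
	bobPub := bob.PublicKey().Bytes()
	p.certs["bob"] = Cert{"bob", bobPub, ed25519.Sign(caPriv, certMsg("bob", bobPub))}
	if dishonest { p.MITM = newKey() } // the provider swaps its own key into the directory
	folderKey := make([]byte, 32)
	must(rand.Read(folderKey))
	w, err := Share(p, "bob", caPub, folderKey)
	if err != nil {
		return false, false, false
	}
	reads := func(k *ecdh.PrivateKey) bool { got, e := Unwrap(k, w); return e == nil && bytes.Equal(got, folderKey) }
	return true, dishonest && reads(p.MITM), reads(bob)
}

func main() {
	fmt.Println(Run(true, true))  // true true false: provider-as-CA lets a substituted key pass
	fmt.Println(Run(false, true)) // false false false: an independent CA makes the client refuse
}
```

Two details carry the whole check. The signature covers the name as well as the key (certMsg), and Share compares the returned name with the one requested; verifying a signature over the key alone would let a provider re-use any user's genuine certificate under a different name. And the client trusts a fixed CA public key, not whatever the provider says the CA is. The example needs Go 1.20 or later for crypto/ecdh; everything else is standard library.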
The researchers found no evidence of customer accounts being compromised or of any misbehaviour on the vendors' part. With the Heartbleed OpenSSL vulnerability still fresh in memory and service providers scrambling to protect their users, it is some relief that this cloud storage weakness was found at the best possible time: before any damage was done.