[ciphershed] Re: Protectorion - low quality encryption for Windows

  • From: "Alain Forget" <aforget@xxxxxxx>
  • To: <ciphershed@xxxxxxxxxxxxx>
  • Date: Thu, 26 Jun 2014 22:14:55 -0400

>-----Original Message-----
>From: ciphershed-bounce@xxxxxxxxxxxxx [mailto:ciphershed-
>bounce@xxxxxxxxxxxxx] On Behalf Of Jason Pyeron
>Sent: Thursday, June 26, 2014 21:15
>To: ciphershed@xxxxxxxxxxxxx
>Subject: [ciphershed] Re: Protectorion - low quality encryption for Windows
>
>> -----Original Message-----
>> From: Bill Cox
>> Sent: Thursday, June 26, 2014 21:11
>>
>> Jos skyped me this morning that Protectorion used
>> @TrueCryptNext in a tweet apparently as an advertisement to
>> switch to using their closed-source Windows encryption tool.
>> I told him I'd check it out, and here is what I found.
>>
>>
>> Protectorion is a very poor security tool which puts making
>> money over security.  When you start it, it phones home, with
>> a lengthy HTTP exchange with their servers in Germany.  This
>> is likely for auto-update, but it also tells them and any ISP
>> listening exactly who is using this encryption.  There is no
>> easy way to verify that it is not sending all sorts of
>> personal data to their servers.
>>
>>
>> Being closed source, I cannot review any of their algorithms.
>>  However, the install process requests a "master password"
>> and gives a nice "strength" meter.  I used 123456789123456
>> and got the maximum strength score!  It didn't even check to
>> see if I had used any non-digits.  Also, the world's most
>> common password, 123456, rated a "medium" score.  There is no
>> delay in opening the safe, so there's no decent memory-hard
>> key stretching or VeraCrypt style high-count PBKDF2.
>
>But it is more secure than the Air Shield in SpaceBalls.
>
>>
>>
>> They automate putting the encrypted volume in Dropbox.  Well,
>> kudos for providing better privacy for Dropbox, but anyone
>> using a weak master password puts both their data and their
>> password at risk using this feature.  Their marketing
>> material claims their password meter ensures high security,
>> but it's a joke.
>>
>
>Nice review.
>
>

Very good to know about and be aware of, but we need to keep in mind that, from 
the user's perspective, they usually can't tell the difference between what's 
actually secure, and what's crap. All they know is what's the easiest to use 
and what they trust the most. There's no easy solution to this, but it's worth 
keeping in mind that relatively insecure solutions like that could win the 
hearts of users if we don't consider the end-users carefully enough.

Alain
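
Added example, not part of the thread and not Protectorion's code: a sketch of why an estimate based only on length and character classes overrates the digit runs mentioned in the quoted review, next to a pattern-aware estimate that discounts runs and common passwords. The function names, the short common-password set and the bit thresholds are assumptions made for this illustration.

```python
import math

# Constructed sample; a real meter would load a large breached-password list.
COMMON = {"123456", "123456789", "password", "qwerty", "111111"}

def charset_size(pw):
    """Size of the alphabet implied by the character classes present."""
    size = 0
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(not c.isalnum() for c in pw):
        size += 33
    return max(size, 10)  # unclassified characters fall back to 10 (assumption)

def naive_bits(pw):
    """Length times log2(alphabet): rewards length alone, ignores structure."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0

def pattern_bits(pw):
    """Count only characters that do not continue a run such as 345 or aaa."""
    if not pw or pw.lower() in COMMON:
        return 0.0
    surprising = 1  # the first character always counts
    for prev, cur in zip(pw, pw[1:]):
        if abs(ord(cur) - ord(prev)) > 1:  # not a repeat or a +/-1 step
            surprising += 1
    return surprising * math.log2(charset_size(pw))

def rate(pw, weak_below=40, strong_from=70):
    """Thresholds in bits are assumptions chosen for this example."""
    bits = pattern_bits(pw)
    if bits < weak_below:
        return "weak"
    return "strong" if bits >= strong_from else "medium"

if __name__ == "__main__":
    # The third password is a constructed sample with no runs.
    for pw in ("123456", "123456789123456", "Tr7#kPq2!vLx9@Zd"):
        print(f"{pw!r}: naive={naive_bits(pw):.1f} bits, "
              f"pattern-aware={pattern_bits(pw):.1f} bits, rating={rate(pw)}")
```
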

