
Open source app development platform aims to ensure privacy in the cloud

Paul Rubens | Oct. 18, 2013
Data privacy is top of mind for users everywhere. Cloud storage and backup vendor SpiderOak plans to address privacy concerns with Crypton, an open-source Web app dev platform that crunches data in a browser-based client instead of the cloud.

The server-side software running in the cloud is built on PostgreSQL and node.js, Oberman explains. "Typically, you would have the indexing and searching done in the cloud. With Crypton, this is all happening on the client. The data structures we use make this happen fast," he says. "The cloud is just used as a dumb storage medium, storing and retrieving data it can't read."

This works by dividing information into data and metadata and taking advantage of the fact that metadata in data-intensive applications such as photo storage is typically less than 1 percent of the underlying data. "Our browser-based client can retrieve metadata very quickly. Then, when you want the real file, it can download it," Oberman says.

Using this approach, a hacker or government agency can't do a mass compromise of user data. Accessing a given user's data would involve compromising that individual's client device. Even if that's possible, it's not an approach that can be easily scaled to compromise large numbers of users.
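The metadata/data split and the "dumb storage" server described above can be sketched as follows. This is an added example, not Crypton's code or API: it uses Node.js's built-in crypto module in place of a browser, an in-memory Map stands in for the server, and the function names, record layout and sample data are constructed for illustration.

```javascript
// Added illustration, not Crypton code: names and record layout are assumptions.
const nodeCrypto = require('node:crypto');

// Stand-in for the cloud: stores and returns opaque bytes, never sees the key.
const server = new Map();

// AES-256-GCM. The record name is bound as associated data, so the server
// cannot swap one stored ciphertext for another without detection.
function seal(key, name, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(Buffer.from(name));
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), body]); // iv | tag | ciphertext
}

function unseal(key, name, sealed) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, sealed.subarray(0, 12));
  d.setAAD(Buffer.from(name));
  d.setAuthTag(sealed.subarray(12, 28));
  return Buffer.concat([d.update(sealed.subarray(28)), d.final()]); // throws if tampered
}

// Client upload: the small metadata record and the large file are sealed separately.
function upload(key, id, meta, fileBytes) {
  server.set('meta/' + id, seal(key, 'meta/' + id, Buffer.from(JSON.stringify(meta))));
  server.set('data/' + id, seal(key, 'data/' + id, fileBytes));
}

// Client search: fetch and decrypt metadata only, filter locally,
// then download the full file just for the matches.
function search(key, tag) {
  const ids = [];
  for (const [name, blob] of server) {
    if (!name.startsWith('meta/')) continue;
    const meta = JSON.parse(unseal(key, name, blob).toString());
    if (meta.tags.includes(tag)) ids.push(name.slice(5));
  }
  return ids.map(id => ({ id, file: unseal(key, 'data/' + id, server.get('data/' + id)) }));
}

// Constructed sample data. The key is generated and kept on the client only.
const clientKey = nodeCrypto.randomBytes(32);
upload(clientKey, 'p1', { name: 'beach.jpg', tags: ['holiday'] }, Buffer.from('JPEG-bytes-1'));
upload(clientKey, 'p2', { name: 'invoice.pdf', tags: ['work'] }, Buffer.from('PDF-bytes-2'));
```

Everything the Map holds is ciphertext, so reading the server's storage yields neither file contents nor file names; only a holder of `clientKey` can run `search`.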

Is Browser Secure Enough for Running Apps?
Ramon Krikken, a security researcher at Gartner, says that, done properly, a privacy-oriented Web application platform such as Crypton will be highly attractive to developers. They want an easy-to-use framework with standardized, validated code.

"This is what has been missing until now, and this is what Crypton appears to be offering," Krikken says. "If you're a developer, you won't have to do all the work to find out how to do encryption properly in JavaScript. You can just download Crypton."

The key question, then, is whether Crypton is really as secure as Oberman hopes. As an open-source project, the code base is open to scrutiny from any eyeballs that care to look at it - including the NSA's, of course. That, in itself, doesn't guarantee that the code is not flawed. For this reason, Oberman says SpiderOak plans to pay an as-yet-unnamed security outfit to review the code.

To that extent, Krikken says Crypton's prospects are promising. "SpiderOak seem to be doing all the things that you would hope [it] would do: making the code open source, getting it validated and using standardized components," he says.

That said, there are other considerations, Krikken says. If an application written using Crypton runs in JavaScript, then the runtime environment may not be as secure as it should be, he warns. "A cross site scripting vulnerability could make it possible to mess around with the execution flow of JavaScript," he says. "A browser is not the ideal environment for running secure applications."

It's too early to say if Crypton will succeed, as the platform is still at version 0.0.1. The security audit is due to take place this October, though, and more stable code may be available as early as the end of the year, Oberman says.

 
