January 26th 2013
It's been seven busy days for us since MEGA went live. As millions of users were hitting 50,000 freshly written and barely tested lines of code and dozens of newly installed servers, teething troubles were inevitable - it took us almost 72 hours to resolve the major bottlenecks, and we would like to apologize to all users who were affected.
As expected, the public debate about MEGA revolves primarily around our cryptographic security model and can be classified into five categories:
- Design flaws exacerbating the potential impact of weak user passwords. We acknowledge that our current approach is based on the assumption that all of our users choose strong passwords, which is probably a bit naive. We are going to improve the sign-up interface (better user education and rejection of overly weak passwords). We'll also reduce the offline password cracking risk for users who do use weak passwords and fall victim to someone intercepting their e-mail or obtaining their user record from our central database.
- Weak random number generation: We have added WebKit's crypto.getRandomValues() into the mix and will collect mouse/keyboard timing entropy explicitly before generating the RSA key pair rather than informing the user that we are doing so only after the generation has already started.
- Deduplication - clause 8 of our Terms of Service has caused some confusion and concern. The reality is quite harmless: We deduplicate based on the full encrypted file. That's it.
- Polemic in the "if you can break SSL, you can break MEGA" category. No comment.