End-to-end encrypted data in the cloud is not threatened by Meltdown and Spectre
Here’s an update regarding the recent breaking news stories about Meltdown and Spectre, critical security flaws found in Intel, ARM and AMD chips. These vulnerabilities could be exploited to steal secrets (such as passwords), either by breaking into data center machines that use the affected hardware or by attacking end-users’ own devices based on these chips.
Breaching servers via exploiting Meltdown or Spectre
In the first case, the contents of our users’ files stored with Tresorit are not threatened by the discovered vulnerabilities: even if attackers broke into the servers, they could access only the encrypted files and not their contents. Because the encryption keys are not stored in the cloud in a readable format, hackers cannot decrypt the files.
Unlike the channel and at-rest encryption alone that the majority of cloud services rely on, the end-to-end encryption used by Tresorit provides protection specifically in cases like this.
“All data stored in the cloud is threatened by breaching servers via exploiting Meltdown or Spectre, except for data stored with end-to-end encryption. The recent discovery of these flaws should further remind people and companies to use end-to-end encrypted services to secure their data and communications in the cloud”, says our co-founder and CEO Istvan Lam.
Even so, it is crucial that cloud providers, such as Microsoft Azure, our data center, apply the security fixes. Microsoft has stated in a blog post and email that the majority of Azure infrastructure has already been updated to address this vulnerability and that it is providing accelerated maintenance to ensure all systems are updated.
Client-side attacks
However, these vulnerabilities could be exploited on some end-users’ own devices to steal secrets such as passwords. To protect your data against this, we suggest you update all of your software, including operating systems and browsers, as soon as security patches are available. You can keep track of updates on the providers’ websites and social media channels.
Here are some useful links to vendors’ security update sites:
- Chrome: https://www.chromium.org/Home/chromium-security/ssca
- Firefox: https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
- Windows: https://support.microsoft.com/en-us/help/4073119/windows-client-guidance-for-it-pros-to-protect-against-speculative-exe
- Apple: https://support.apple.com/en-us/HT201222