I tried to warn MEGA about insecure TLS practices after the chrome extension fiasco

in privacy •  6 years ago 

I was balked at for suggesting that following basic TLS practices, including on the subdomains where they deliver user content from, was a good idea.

It's appearing majority of the internet, including sites teensy and massive, now support 256-bit AES and perfect forward secrecy, but MEGA, which claims to be private and secure, can't be bothered?

It's true that user content is claimed to be end-to-end encrypted, but that really doesn't seem any excuse to skimp on TLS security.

After testing about a thousand disparate sites manually, in-browser, only 4 failed for normal usage, testing the ability to deal with only 256-bit (or ChaCha) with Perfect Forward Security ciphers, as well as safe TLS renegotiation,

*.static.mega.co.nz and *.userstorage.mega.co.nz fail ciphers in both ways, and mega.co.nz as a domain fails safe TLS renegotiation.

In all of the years I've been trying to report sites not following industry standard TLS practices to different companies, MEGA is the only one to find the idea amusing. Most sites reported to fixed the issues pretty quickly.

I think between this and the chrome extension compromise two days ago (which I'll note they have not yet directly notified customers of a serious breach), it's really enlightening as to how MEGA operates as a company.

I don't really trust "the cloud" in general for anything important or sensitive, but has MEGA ever had an independent verified security audit showing that their encryption and security do what they should/claim?

Screenshot_2018-09-06 SSL Server Test na static mega co nz (Powered by Qualys SSL Labs).pngScreenshot_2018-09-06 SSL Server Test gfs270n890 userstorage mega co nz (Powered by Qualys SSL Labs).pngmega.co.nz screenshot 09-06-2018.png

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!
Sort Order:  

@thegoddessinari, I gave you a vote!
If you follow me, I will also follow you in return!
Enjoy some !popcorn courtesy of @nextgencrypto!

Congratulations @thegoddessinari! You received a personal award!

1 Year on Steemit

Click here to view your Board

Support SteemitBoard's project! Vote for its witness and get one more award!

Congratulations @thegoddessinari! You received a personal award!

Happy Birthday! - You are on the Steem blockchain for 2 years!

You can view your badges on your Steem Board and compare to others on the Steem Ranking

Vote for @Steemitboard as a witness to get one more award and increased upvotes!