

How is CipherCloud doing homomorphic encryption? - rmk2
http://crypto.stackexchange.com/questions/3645/how-is-ciphercloud-doing-homomorphic-encryption

======
Lazare
For people just now tuning in:

CipherCloud claims to be doing some really fancy encryption where they
transparently encrypt data as it's pushed to the cloud. You're on a corporate
LAN, when you visit Trello you see perfectly normal cards, you can edit them,
search them, etc. But if a Trello admin snoops on the database, everything is
encrypted with a key Trello doesn't know. In other words, your browser sees
plaintext, the server sees client-side encrypted text, and all this works even
though neither your browser nor the server has any support for this, all
through the magic of one of CipherText's magic boxes sitting on your LAN.
Magic, right?

A little too _much_ magic. When you think about it logically, there's no good
way to have encryption like that, _and_ for the search feature (for example)
to work! And if you dig through CipherCloud's presentations, documentation,
marketing copy, and talk to them at tradeshows, the same thing becomes clear:
They've mangled the encryption algorithm so badly that it is literally no
better than XORing the data.

CipherCloud claims that every bit of documentation, every screenshot they've
posted on their website, _and_ the things they've said at tradeshows - all of
that - is wrong, and that the product they actually are selling somehow does
magic things in some method completely unrelated to the way they have claimed
the product works up until now. And in addition they used DMCA takedowns to
prevent people referencing those totally-not-accurate screenshots on their
website.

...sounds legit to me!

TL;DR: Run away. Screaming.

~~~
tlogan
I was aware of this (and I think majority of their customers are aware of it).
However, majority of companies which use CipherCloud just need to be compliant
- in other words that cloud provider (administrator, support etc.) cannot read
their data during normal course of operation (answering support questions,
etc.).

Lets take an example of HIPAA - the idea of HIPAA is that company managing
records needs to track who can see medical data and to detect when
unauthorized employees or employees without legitimate cause looks health
related records. So my understanding is that if a cloud provider starts
decrypting data encrypted via CipherCloud, then that is already criminal act.

~~~
pessimizer
ROT13 would provide the same function, though.

------
DanBC
Ciphercloud have an image of an email inbox here
([http://www.ciphercloud.com/DesktopModules/LiveContent/Handle...](http://www.ciphercloud.com/DesktopModules/LiveContent/Handlers/GetImage.ashx?mid=588&eid=1&Type=View&PortalId=0))
or maybe here (<http://www.ciphercloud.com/gmail-encryption-ciphercloud.aspx>)

Looking at that list I see 2 emails from Google Alerts, with "google alert" in
the subject header. I open the image in Gimp and cut n paste one header over
the other header. They're identical.

Further down the list we see 4 emails with the subject header starting 'fwd'.
We see that the start of the cipher text is identical for those three. Two of
those emails have the same subject header, and we see their ciphertext headers
are identical.

Ciphercloud claims that this is not the product they're selling.

------
cheald
"In fact, CipherCloud has patent pending mechanisms to defeat frequency-
analysis attacks."

There are two rules of crypto:

1) There are 6 people on the planet smart enough to invent new crypto schemes.

2) You're not one of them.

Anyone that claims "patent-pending mechanisms" for new crypto should be
treated with _extreme_ skepticism unless they have an exceptionally well-
established history of cryptographic research.

------
Steuard
Looks like CipherCloud's basis for trying to get this question taken down was
the screenshots. Looked like classic fair use to me, but I'd rather see the
answers up and public, even without the explicit illustrations.

(Context: <https://news.ycombinator.com/item?id=5579538> )

------
siliconc0w
Man, I had an idea to do something like but with more of a privacy angle as a
browser plugin (i.e all your social network data would be 'encrypted' and only
visible to people you designate ). Now I realize it could have worked if I
applied 'the formula': marginally useful product + corporate targeting + large
sales team.

~~~
eru
Since when do you need (even a marginally) useful product for enterprise grade
software?

------
wyck
Anyone in PR please take note the DMCA tactic drew way more negative public
perception of CipherCloud then if they had just been quite or god forbid
actually responded to the post.

~~~
rallison
It still amazes me that some companies have, apparently, never heard of the
Streisand Effect [1]. This was arguably forgivable in a pre-Internet time, but
now?

On the other hand, I suppose this might work as a signal - a company that does
not understand the Streisand Effect probably doesn't understand a lot of other
things. And if said company deals in cryptography? As another comment said,
run away.

[1] <https://en.wikipedia.org/wiki/Streisand_effect>

~~~
positr0n
There are comments like this every time a company does something dumb, tries
to hide it, then it blows up in a big way. I absolutely agree with the
sentiment, but I actually do wonder what the true probability of the Streisand
Effect actually happening is.

Surely their are plenty of shady happenings like this that never get up voted
enough on reddit, HN, etc, so the Streisand Effect never happens?

