CipherCloud claims to be doing some really fancy encryption where they transparently encrypt data as it's pushed to the cloud. You're on a corporate LAN, when you visit Trello you see perfectly normal cards, you can edit them, search them, etc. But if a Trello admin snoops on the database, everything is encrypted with a key Trello doesn't know. In other words, your browser sees plaintext, the server sees client-side encrypted text, and all this works even though neither your browser nor the server has any support for this, all through the magic of one of CipherText's magic boxes sitting on your LAN. Magic, right?
A little too much magic. When you think about it logically, there's no good way to have encryption like that, and for the search feature (for example) to work! And if you dig through CipherCloud's presentations, documentation, marketing copy, and talk to them at tradeshows, the same thing becomes clear: They've mangled the encryption algorithm so badly that it is literally no better than XORing the data.
CipherCloud claims that every bit of documentation, every screenshot they've posted on their website, and the things they've said at tradeshows - all of that - is wrong, and that the product they actually are selling somehow does magic things in some method completely unrelated to the way they have claimed the product works up until now. And in addition they used DMCA takedowns to prevent people referencing those totally-not-accurate screenshots on their website.
I was aware of this (and I think majority of their customers are aware of it). However, majority of companies which use CipherCloud just need to be compliant - in other words that cloud provider (administrator, support etc.) cannot read their data during normal course of operation (answering support questions, etc.).
Lets take an example of HIPAA - the idea of HIPAA is that company managing records needs to track who can see medical data and to detect when unauthorized employees or employees without legitimate cause looks health related records. So my understanding is that if a cloud provider starts decrypting data encrypted via CipherCloud, then that is already criminal act.
Looking at that list I see 2 emails from Google Alerts, with "google alert" in the subject header. I open the image in Gimp and cut n paste one header over the other header. They're identical.
Further down the list we see 4 emails with the subject header starting 'fwd'. We see that the start of the cipher text is identical for those three. Two of those emails have the same subject header, and we see their ciphertext headers are identical.
Ciphercloud claims that this is not the product they're selling.
"In fact, CipherCloud has patent pending mechanisms to defeat frequency-analysis attacks."
There are two rules of crypto:
1) There are 6 people on the planet smart enough to invent new crypto schemes.
2) You're not one of them.
Anyone that claims "patent-pending mechanisms" for new crypto should be treated with extreme skepticism unless they have an exceptionally well-established history of cryptographic research.
Looks like CipherCloud's basis for trying to get this question taken down was the screenshots. Looked like classic fair use to me, but I'd rather see the answers up and public, even without the explicit illustrations.
Man, I had an idea to do something like but with more of a privacy angle as a browser plugin (i.e all your social network data would be 'encrypted' and only visible to people you designate ). Now I realize it could have worked if I applied 'the formula': marginally useful product + corporate targeting + large sales team.
Anyone in PR please take note the DMCA tactic drew way more negative public perception of CipherCloud then if they had just been quite or god forbid actually responded to the post.
It still amazes me that some companies have, apparently, never heard of the Streisand Effect [1]. This was arguably forgivable in a pre-Internet time, but now?
On the other hand, I suppose this might work as a signal - a company that does not understand the Streisand Effect probably doesn't understand a lot of other things. And if said company deals in cryptography? As another comment said, run away.
There are comments like this every time a company does something dumb, tries to hide it, then it blows up in a big way. I absolutely agree with the sentiment, but I actually do wonder what the true probability of the Streisand Effect actually happening is.
Surely their are plenty of shady happenings like this that never get up voted enough on reddit, HN, etc, so the Streisand Effect never happens?
CipherCloud claims to be doing some really fancy encryption where they transparently encrypt data as it's pushed to the cloud. You're on a corporate LAN, when you visit Trello you see perfectly normal cards, you can edit them, search them, etc. But if a Trello admin snoops on the database, everything is encrypted with a key Trello doesn't know. In other words, your browser sees plaintext, the server sees client-side encrypted text, and all this works even though neither your browser nor the server has any support for this, all through the magic of one of CipherText's magic boxes sitting on your LAN. Magic, right?
A little too much magic. When you think about it logically, there's no good way to have encryption like that, and for the search feature (for example) to work! And if you dig through CipherCloud's presentations, documentation, marketing copy, and talk to them at tradeshows, the same thing becomes clear: They've mangled the encryption algorithm so badly that it is literally no better than XORing the data.
CipherCloud claims that every bit of documentation, every screenshot they've posted on their website, and the things they've said at tradeshows - all of that - is wrong, and that the product they actually are selling somehow does magic things in some method completely unrelated to the way they have claimed the product works up until now. And in addition they used DMCA takedowns to prevent people referencing those totally-not-accurate screenshots on their website.
...sounds legit to me!
TL;DR: Run away. Screaming.