What are the security risks to client side encryption?

  • I would like to use 2 services to privately store data in the cloud. The first is an online backup service (in this case CrashPlan) and the second is an online password service (in this case LastPass, which Steve Gibson has praised). I like these services because they use client-side encryption so that no discernible data is sent or stored with the host company (essentially a zero-knowledge backup and password storage). This all sounds great, but what are the security risks to client-side (running presumably in JavaScript, but it could be C) encryption? Can CrashPlan or LastPass insert code to send my key without me knowing? Can a third party put malware on my computer that will force the key to be sent? I know a key logger is another way, but at least for LastPass there is a GUI keyboard. Not sure about CrashPlan. I suppose I could even ask this question of TrueCrypt. Can a piece of code be written (by TrueCrypt or a third party) to send the key through the internet? I am looking for possible holes in the client-side encryption scheme and also recommendations on how to plug those holes. Thanks!

  • Answer:

    You've correctly established two major risks; I'll add one more:

    1) Malware. You're still responsible for keeping your computer safe and free from malware. This is the exact same risk you'd run with any locally running program, so it's a general risk with any data you ever have on your computer. LastPass takes steps to make this harder to exploit: if you're not logged in, there's no way to attack you, using ProtectedStorage on Windows as another layer of protection, and more, but keeping your computer malware free is important. Keylogging falls under the same category, but is likely easier to exploit than directly going after the local data store -- with the password they can potentially simply log in as you on another computer. Utilize one of LastPass' multifactor authentication options to avoid this class of threats: http://helpdesk.lastpass.com/security-options/

    2) The application or website could change to become malicious and grab the key. LastPass tells you that you should use the extensions rather than the website itself when given the choice -- it is safer because it can't be upgraded without your knowledge / consent. There are quite a number of controls to prevent this on LastPass' side, as you might imagine, but the extensions are a better experience and a tougher target, so you should prefer them.

    3) Your email account. LastPass stores a password hint for you, which we'll email you if you forget your password. Make that hint too easy and you may reduce your security. LastPass by default also stores a disabled OTP on your computer, and your email is used to activate it and utilize it to regain access to your account if you forget your password. You can disable this if you want and trust your memory.

    If LastPass believes your account to be compromised, or if you have your account details leaked online, we're going to lock down your account to your email and an IP you've used in the past to log in (this happened recently, see: http://blog.lastpass.com/2012/07/stop-using-same-key-for-every-lock.html). Finally, if you need to disable your multi-factor authentication, LastPass is going to use your email to do it.

    The best solution to protect all three of these cases is to set up your Security Email in Settings->Security. This is a secondary email account which you treat more securely and don't leave yourself logged into. That is what I do (along with Google Authenticator as a second factor), and what we'd recommend.

Joe Siegrist at Quora
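
Why a time-based second factor blunts the keylogging risk described in the answer, as an added example (not part of the original answer, and not LastPass or Google code): authenticator apps compute RFC 6238 TOTP codes from a shared secret that is never typed, so a code captured with the password stops verifying once its time step has passed. The `verify_login` function and the demo secret are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret (the RFC 6238 test key "12345678901234567890" in base32).
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, 30 s steps and 6 digits by default."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(unix_time) // step)   # 8-byte time-step counter
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_login(password_ok, submitted_code, secret_b32, now, window=1, step=30):
    """Hypothetical server-side check: correct password AND a code valid
    within +/- `window` time steps (tolerates clock drift)."""
    if not password_ok:
        return False
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, now + drift * step, step)
        if hmac.compare_digest(expected, submitted_code):  # constant-time compare
            return True
    return False


if __name__ == "__main__":
    captured_at, replayed_at = 59, 1111111109   # constructed timestamps
    captured_code = totp(DEMO_SECRET, captured_at)
    print("code a keylogger captured:", captured_code)
    print("replayed later accepted?",
          verify_login(True, captured_code, DEMO_SECRET, replayed_at, window=0))
    print("fresh code accepted?",
          verify_login(True, totp(DEMO_SECRET, replayed_at), DEMO_SECRET, replayed_at))
```

A captured code can still be replayed inside its own acceptance window unless the verifier also remembers the last time step it accepted, and the second factor does nothing against malware that reads data after you have logged in.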