Slashdot Mirror

← Back to Stories (view on slashdot.org)

MIT Researchers Create Platform To Build Secure Web Apps That Never Leak Data

Posted by Soulskill on from the what-about-when-leak-exists-between-keyboard-and-chair dept.

rjmarvin writes: "Researchers in the MIT Computer Science and Artificial Intelligence Laboratory have developed a platform for building secure web applications and services that never decrypt or leak data. MIT researcher Raluca Ada Popa, who previously worked on the Google and SAP-adopted CryptoDB, and her team, have put a longstanding philosophy into practice: to never store unencrypted data on servers. They've redesigned the entire approach to securing online data by creating Mylar, which builds and updates applications to keep data secure from server breaches with constant encryption during storage, only decrypting the data in the user's browser. Integrated with the open-source Meteor framework, a Mylar prototype has already secured six applications by changing only 35 lines of code."

5 of 90 comments (clear)

  1. I've implemented something similar by xombo · · Score: 4, Interesting

    I've implemented a similar solution for one of my web apps.
    It encrypts the data in the client with a password that they provide before it gets sent to the server. The client also decrypts the value when it receives it from the server.
    The password is kept in LocalStorage (a feature of HTML5) so that it is never transmitted to the server.
    Assuming the client application is not compromised, this is a great way to keep data secret even from the service operator.

    Unfortunately, you won't see this scheme implemented in many apps because almost everyone's business model these days is all about scraping your data for use by advertisers.

    1. Re: I've implemented something similar by ModernGeek · · Score: 4, Insightful

      I agree in that this won't be implemented because of the business implications but would also go on to say that this solution is unoriginal and undeserving of all the pomp and circumstance that the media and the educational institutions are giving it, before we know it they're going to give out Ph.D's and there patents for a high school paper on using electrolysis to make hydrogen and oxygen. Call the press!

      --
      Sig: I stole this sig.
    2. Re:I've implemented something similar by thegarbz · · Score: 3, Interesting

      There's another side to this too. You won't see this scheme implemented because encrypted data can not be de-duplicated, and can not be compressed. Effectively your solution increases the cost of doing business, both in terms of bandwidth and in infrastructure.

  2. Re: How can you search data by Anonymous Coward · · Score: 3, Insightful

    Why do you need to search or sort credit card info?

  3. Re:How can you search data by L-One-L-One · · Score: 5, Informative

    It's called "searchable" encryption. It already exists in a few commercial products.

    See for example:
    http://www.ciphercloud.com/tec...