Originally Posted By: haertig
Originally Posted By: ireckon
If your service uses 128-bit or 256-bit encryption BEFORE your data is sent to them over the Internet, then your data can't be decrypted by using a backdoor key.

And there's the catch. You may indeed be using your KEY, but you are using THEIR ALGORITHM. Good encryption requires both a strong key and a rock solid algorithm. And the algorithm should be open source so anybody and everybody can review it. A strong algorithm does NOT depend on secrecy for being strong. For all you know, the service providers algorithm may be nothing more than "take the first character of the users key and prepend that to their data stream". Of course that's a silly contrived example, but it illustrates my point.

Also, if they use a proprietary algorithm, and then they go out of business, how are you going to unencrypt your own data (unless you stored a second copy elsewhere for your self)?


If you can provide a case where somebody's data was hacked on a major service without it being user error, then please share. Otherwise, I'm not going to stress. If a service says their using 256-bit encryption, it's a matter of reading up and developing trust with a company I guess. You could also be paranoid to the point of not wanting to put your money in a bank.

On my service, I lost my encryption key one time. I talked to a tech supervisor and was willing to pay good money for them to recover my data. Nope, it was impossible. They don't store the keys, and the data is useless to them without the encryption key.

Regarding the part about a company going out of business, note that you have this risk even if you're using TrueCript, unless you're running your own external database over the Internet. Anyway, how likely is it that they'll go out of business right before a disaster? One way to hedge against that unlikely risk is to use two services.

Also, if you can figure out how to use TrueCrypt with my service's syncing function, then let me know. I backup all my files at least once per day. If I can't sync with TrueCrypt, then it's not practical for me to use it.
_________________________
If you're reading this, it's too late.