GEARS New features [ Security and data protection - Client side data encryption ]


Paulo.Calcada

Jul 1, 2008, 11:53:23 AM
to Gears Users
Hello,

One of the major concerns that I've found in "Cloud computing"
utilization is the security problem. The majority of users always ask
me about their data and about the protection that a service provider,
in cloud computing, can provide.

This is a complex problem but maybe the solution will be simple.
To solve this question I think that, first, we must focus our energy
on the legal issues. Without proper legal protection, no technology
will help us.

On the technology side, I think that we must focus our strength on
the development of techniques that will allow the encryption of
information, before it is sent to the service provider, on the client
side.

We could try to accomplish this by implementing a JavaScript library
(engine), but JavaScript doesn't have sufficient power. I think that
the correct place to provide this client-side encryption is Gears.
What do you think about this? Will Gears, some time in the future,
provide this kind of feature?


Paulo Calçada

Aaron Boodman

Jul 1, 2008, 12:38:36 PM
to gears...@googlegroups.com
We've looked at implementing client-side encryption in Gears before,
and I think this is something we will eventually do. However, it is
not scheduled right now, and nobody is working on it.

- a

sobolanul

Jul 2, 2008, 3:59:05 PM
to Gears Users
There is a long thread about this with many suggestions. Please check
it at:
http://groups.google.com/group/gears-users/browse_thread/thread/24b953308afb6e2a/b9685f2b835c670c


Paulo.Calcada

Jul 4, 2008, 11:57:55 AM
to Gears Users
Hello Sobolanul,
Thanks, the post that you suggest is very interesting, but my point
here was not about securing the data locally, but about the data
that is stored on the service provider. As an example, the documents that
are stored on Google servers. OK, we have the Google privacy and
security policy, but for the majority of users that is not enough.

http://www.google.co.uk/privacypolicy.html
http://www.google.com/a/help/intl/en-GB/admins/security.html

thanks..

Paulo


Tara Kelly

Jul 5, 2008, 12:28:34 PM
to Gears Users
Hello Paulo,
What you are looking for is called Host-Proof Hosting. It's an Ajax
pattern that uses JavaScript client-side encryption. Data is fully
encrypted in the browser by the JavaScript, then sent to the server.
The encryption key is *not* sent to the server, therefore protecting
the data from the hosting providers.

Host-Proof Hosting Open Source Library here:
http://code.google.com/p/passpack/

We've also just released a Host-Proof Hosting application on Gears.
It's a bit of an oddball usage of Gears in that we have folks download
a zip file and use it as a stand-alone application -- but it works:
http://www.passpack.com/info/extras/offline_version.pp

Naturally, there is a size limitation on the quantity of data that can
be handled, but we're thinking through some options for that as well
-- would love some input.

You have amazing timing. We *just* uploaded that library.
We'll upload a small example application and tutorial soon as well.

- Tara
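
The pattern described in the post above, as an added example that is not part of the thread or of the passpack library: the client derives a key from a passphrase, encrypts locally, and gives the host only salt, IV, ciphertext and tag. It assumes Node's built-in `crypto` module with scrypt and AES-256-GCM (choices made for this sketch, not named in the thread); `hostStore`, `clientSave`, `clientLoad` and `rejects` are hypothetical names.

```javascript
// Added example: host-proof hosting sketch. All names are hypothetical.
const crypto = require('node:crypto');

// Stand-in for the hosting provider: it only ever stores opaque records.
const hostStore = new Map();

// Derive a 256-bit key from the passphrase; the key never leaves the client.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32);
}

// Client side: encrypt, then upload salt, IV, ciphertext and auth tag only.
function clientSave(id, passphrase, plaintext) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  cipher.setAAD(Buffer.from(id)); // bind the ciphertext to its record id
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const record = {
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    ct: ct.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
  };
  hostStore.set(id, record); // in a real application this is the upload
  return record;
}

// Client side: fetch the record and decrypt locally.
// Throws if the passphrase is wrong or the host altered the record.
function clientLoad(id, passphrase) {
  const r = hostStore.get(id);
  if (!r) throw new Error('no such record');
  const key = deriveKey(passphrase, Buffer.from(r.salt, 'base64'));
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(r.iv, 'base64'));
  decipher.setAAD(Buffer.from(id));
  decipher.setAuthTag(Buffer.from(r.tag, 'base64'));
  const pt = Buffer.concat([decipher.update(Buffer.from(r.ct, 'base64')), decipher.final()]);
  return pt.toString('utf8');
}

// Reports whether a client operation is rejected (throws).
function rejects(fn) {
  try { fn(); return false; } catch (e) { return true; }
}
```

The authentication tag is what lets the client notice a record the host has modified; the scheme does nothing against a host that serves altered client code.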



Paulo.Calcada

Jul 7, 2008, 4:59:59 AM
to Gears Users
Hello Tara,

Those are great, great news...

Thanks..

Paulo


Brad Neuberg

Jul 7, 2008, 9:07:24 PM
to gears...@googlegroups.com
Hi Tara, why did you make it a download file rather than plug the data into the Gears LocalServer and use the Gears Desktop API to drop a shortcut on the desktop? BTW, host-proof hosting is something I'm very interested in myself as well. You really should put your crypto onto a Gears worker -- it can make the browser so much more responsive and allow you to handle more data.
--
Best,
Brad

bradn...@google.com

Tara Kelly

Jul 8, 2008, 5:52:37 AM
to Gears Users
Hi Brad, yes, the simple answer is because it was the fastest way to
get up and running on Linux too. We were looking to build a
stand-alone app, which is why we had released the AIR app. But that left out
Linux users so Francesco took about 2 hours to modify the code
slightly and get it running on Gears as well. Now we've got Linux
covered.

That said, we actually had been working on a proper (non-standalone)
Gears integration - but it'll take a while longer still. No idea on
the ETA.

- Tara

Paulo.Calcada

Jul 21, 2008, 5:38:12 AM
to Gears Users
Hello

I've found this really good example of client-side encryption. In this
example the subject of encryption is the calendar items, but I think
that this is a good proof of concept.

As I already said, and this example also proves it, it would be more
efficient if this kind of API were provided by a unique infrastructure,
like GEARS, and not by a group of different APIs and technologies.



http://www.ibm.com/developerworks/linux/library/wa-googlecal/index.html?ca=dgr-lnxw97wa-googlecal&S_TACT=105AGX59&S_CMP=GRsitelnxw97


Paulo

Andy9

Jul 22, 2008, 8:32:00 AM
to Gears Users
Two aspects to be considered if encryption is to be used in
international public health are:
1) European and American perspectives on how much encryption is
adequate to satisfy legal and imaginary privacy concerns. At one
time, some US states, for example, did not allow official state data
to be stored outside the state, and 3000+ counties can also have their
own data policies. So, the stronger the encryption the better,
although it cannot satisfy geographic requirements.
2) On the other hand, "exporting" encryption software to some
countries (e.g., Cuba and Iran) may be illegal by US Federal law.

How much is too little; how much is too much; the definition of
"exporting"; and other legal concerns are very important, as pointed
out in the first email in this thread. This is on top of the usual yin
and yang of security vs. usability.





