Mega launched on Saturday, giving away 50GB of free space to users and claiming tougher security than its predecessor, Megaupload. Since then, there have been reports that Mega’s security isn’t as strong as it claims to be. Mega touts something called User Controlled Encryption (UCE), which is a fancy way of saying that all files stored on Mega’s services are automatically encrypted with 2048-bit RSA encryption.
The problem with this encryption is that it encrypts and decrypts files using the same encryption key. If someone can gain access to that key, they can decrypt all of your files. Another problem with Mega’s encryption implementation is that user-specific encryption keys are generated and tied to your account.
This means you can’t change your password, and if you ever forget it, you’ll lose the ability to decrypt your files. A hash of the password used to sign up for the account is included with the confirmation code sent from Mega when a user registers for the service, giving hackers a method of obtaining that user’s encryption keys.
While these are legitimate security concerns, the level of security that Mega offers is good. The biggest issue that Mega needs to address is the inability to change your password and encryption keys. Mega’s encryption is open source, which the company hopes will allow the security community to help develop it further.