1

I would like to understand if this service is as safe and good as it claims to be: https://unseen.is

This is what they say:

... Many other services that offer encryption keep the key, but getting a copy of the key from the service is the easiest way to break in to your messages. With Unseen, you control the key, so it's not possible for us to read any of your messages.

Keep in mind, with enough time and advanced technology, anything can be broken. ... We only provide extremely strong encryption, even if you use the free version of our service. Our mission is to protect your communications with the best technology we have available and we felt strongly that we should give that to everyone.

Ever since a former security contractor told us "if it's publicly available, it's cracked" several years ago, we've assumed that backdoors and weakeners have been included in the public encryption libraries. We know you wanted more and set out a year ago to deliver the next generation in encryption technology.

We decided to completely replace the standard AES encryption we started with for all free AND premium users with something much stronger. This new encryption is running now on the site, providing all levels of service with a much upgraded and extremely strong but not widely available encryption. In the running for the AES standard, our encryption runs a healthy 4096 bits, much, much stronger than off the shelf AES.

We've used only super strong NTRU encryption for public key exchange that is believed to be resistant to even quantum computing attacks. Not only is it much stronger than RSA used by many of our competitors, but key generation is now fast enough that YOU GENERATE YOUR OWN KEYS. Other services generate keys in batches, then send you your key using SSL security, which can put your key's security in peril if it's intercepted.

We haven't added a "backdoor" like you will find in most public encryption libraries. These lesser known algorithms were never chosen as standards, so they should be more difficult to break into because they never had "contributions" from spies who intentionally weakened the code.

While no encryption or security is perfect, rest assured that Unseen provides some of the best available. ...

So, if I use this service am I secured and is my privacy unbreakable?

Xander
  • 6
    Achieving "beyond [insert government agency] encryption" is pretty trivial. I use Truecrypt, and use a triple cascade of 256 bit ciphers to protect my data. To my knowledge, no government agency anywhere has an encryption standard that stringent, so anyone with access to a free encryption program can achieve "beyond [insert government agency] encryption" by clicking through a wizard. Doesn't actually mean that data's more secure than the army's, though. Just product marketing to make their service sound impressive and attract customers. – HopelessN00b Feb 21 '14 at 14:03
  • Hi. Thanks for this response. As the user jhoyla also had commented and how I am getting to see this service is that there is a good side and a bad side; the good side seems to be that it is at least supposed to be something better in terms of security and encryption for communications than other popular comms apps in the same genre. I said it "seems" so. The bad being da "seems". I would like to see them coming out to public and explain openly how their stuff works and give enough data to gain trust and confidence. Like if someone says "there's no backdoor"+missing details of the symmetric key – Harry Greenwald Feb 21 '14 at 15:05
  • 2
    "We decided to completely replace the standard AES encryption..." and "a healthy 4096 bits... much stronger than off the shelf AES." are giant red flags to me, indicating the author understands truly little about cryptography (they appear to be fundamentally confusing symmetric and asymmetric ciphers). – Stephen Touset Feb 21 '14 at 18:31
  • 1
    http://www.budgetcamerareview.com/forum/discussion/723/100-confirmation-that-unseen-is-is-not-private-or-secure-/p1 Unseen has been corrupted and always was. Do not trust unseen. Run through the comments on the above link and find info related to Unseen and Chris Kitze. Don Ron –  Jun 04 '14 at 21:33

3 Answers

11

In general there is no such thing as out-the-box security, so no, your privacy is not unbreakable if you use any service. I can still come sit outside your house with a microphone.

With respect to this service, I doubt they are as secure as they claim. They don't use AES, but don't say what they do use. That's called security through obscurity and is basically bad practice. Furthermore, they use NTRU, which despite their description is not 'super-strong'. Invented in '96, it's been broken and revised several times as the maths is not well understood. Basically I'd avoid these mavericks. They may be completely correct, but the stuff they do use is not well understood, and they don't give details of the symmetric key they use, which makes me suspicious.

jhoyla
  • 2
    The Iceland thing is a bit of a red herring. The company is registered in California, and thus can be subpoenaed. They would then have to turn over data held by the company potentially even from outside the country. They could potentially make a case using European data protection laws, but the US could ask any European country to request the data on its behalf. W.r.t. PRISM, PRISM only tracks metadata, i.e. who speaks to whom, they ignore content. Encryption doesn't try and hide this metadata. They may have other mechanisms in place to protect metadata, but they don't mention any. – jhoyla Feb 21 '14 at 13:15
  • Thank you for this. One more from the caveats of my mind: spying is also about prevention. After 9/11 and now that everybody knows all Americans were surveilled, then it is a valid asset for the security of a nation to be able to get into sent data in order to pick anything suspicious, possible threat, terrorist comms; attack plans etc. Say Skype, Facebook, Google, Intel, all mobiles, basically all comms is spied also for counter-intelligence and military use; but say the Unseen would become more used than the others; would it survive as an ants nest or become poked really hard with a stick? – Harry Greenwald Feb 21 '14 at 13:23
  • From a moral perspective, it's not a valid asset to read all communications. Many countries use this information to discriminate against minorities. Even if the US was the perfect nation that never abused their minorities (har har) they lose any moral authority to tell China not to use it for political suppression (as the US uses it to 'repress' Islamic extremists). And yes, the US does put pressure on services that do not comply with their spying, for example Lavabit. – jhoyla Feb 21 '14 at 13:32
  • 2
    If a large block of people began using a system like this for political dissent it's unlikely China would block the service. Far more likely they would break into the servers and use the site as a list of people to watch. The only way to prevent this is to support libertarian government (just for the record I'm not a libertarian, whilst I think they are the only government type that would reliably avoid doing this kind of thing, they'd be pretty terrible at governance.) Underground political dissent is always dangerous, that we all could have the strength of Gandhi. – jhoyla Feb 21 '14 at 13:47
8

You might want to read this article from Bruce Schneier, one of the world's most respected authorities on cryptography.

He mentions some warning signs about claims made:

Warning Sign #3: Proprietary cryptography.
They don't say what they've replaced AES with. Let's hope it's not proprietary, or else it's pretty much guaranteed to be useless.

Warning Sign #5: Ridiculous key lengths.

In the running for the AES standard, our encryption runs a healthy 4096 bits, much, much stronger than off the shelf AES.

A longer key does not mean better security; it just has to be long enough. A 256 bit key is fine. Really you don't need any more than that; there isn't enough energy in the universe to brute force a 256 bit key.

Warning Sign #7: Unsubstantiated claims.

Ever since a former security contractor told us "if it's publicly available, it's cracked" several years ago

Who is this person? Are they a publicly recognized expert in the field of information security?

We haven't added a "backdoor" like you will find in most public encryption libraries. These lesser known algorithms were never chosen as standards, so they should be more difficult to break into because they never had "contributions" from spies who intentionally weakened the code.

Ha ha ha ha. This just makes me laugh. Tinfoil hat time. The algorithms that were chosen for standards were chosen because they were the best. How is something more difficult to break into because it wasn't chosen? The standard algos are the ones that have the most scrutiny.

In conclusion
I'd stay away from these guys; I'd have no faith in their ability to maintain my privacy.

Qwerky
0

Is my privacy unbreakable?

All encryption is breakable. Any statement to the contrary is a guarantee of snake oil. Read the last sentence of their ad copy.

Good algorithms are only one step in security - and as @jhoyla points out there are reasons to doubt that algorithm. Oh, so many reasons. Good security requires not just a good algorithm, but a good implementation, and excellent key management. Experts don't attack the algorithm, they attack the key management. If you're generating your own keys as the ad copy claims, then I'm rather dubious that the key management is going to be top grade.

Am I secured?

Are you secured? Security is not a binary state - there is nothing that flips the toggle from "insecure" to "secure". What are your security goals and does this product meet them (hint: the answer should involve more than review of ad copy.)

If you want to keep your porn stash out of the hands of your children, then you've got a different threat statement than if you're a dissident committing treason against your government.

Ulkoma
MCW