Researchers at ETH Zurich have analyzed security properties of popular cloud-based password managers. The linked page gives an overview of the work and links to the related research paper. Full title (had to shorten it for HN): "Zero Knowledge (About) Encryption:
A Comparative Security Analysis of Three Cloud-based Password Managers"
Overview from the linked page:
"Cloud-based password managers help users store and manage their credentials by encrypting them into a vault protected by a single master password. Leading vendors market this as Zero Knowledge Encryption, conveying the idea that the server storing the vault cannot learn anything about its contents – even if the server is compromised.
We put this to the test. Analysing the three leading password managers that make the Zero Knowledge Encryption claim – Bitwarden, LastPass, and Dashlane, collectively serving over 60 million users and holding approximately 23% market share – plus an additional analysis of 1Password, we find 27 distinct attacks that a malicious server can mount against their users. The attacks range in severity from integrity violations to the complete compromise of all vaults in an organisation. The majority of the attacks allow the recovery of passwords."
The basic idea makes sense to me and it's great to see efforts to improve DNS privacy. However, I'm not really convinced by Cloudflare's analysis of the processing overhead:
The blog post only discusses how the proxying and encryption affect latency but not the processing at the server. In contrast to plain DoH (or DoT), where only symmetric cryptography is used after the first set-up, ODoH requires asymmetric cryptography (which is several orders of magnitude slower) for each individual request. The "less than 1ms" that they claim for the 99th percentile is no problem for the client but it is a problem for the resolver.
Asymmetric cryptography is also used for verifying DNSSEC responses, but this is only necessary for records that are not cached.
On the other hand, an ODoH resolver may require to set up and keep track of a lower number of TLS connections as the number of proxies is likely smaller than the number of clients.
He everyone! I'm Markus, the author of this blog post and the related USENIX paper. It's great to see the interest in this line of research. I would like to address some of the points brought up in the comments and provide additional information:
- Path-aware Internet architectures and SCION in particular are not source-routing architectures. End hosts neither have/need a full view of the network topology, nor can they unilaterally choose paths. Instead, network operators explore and distribute candidate paths. End hosts get a set of such pre-selected paths from which they can then choose the one they want to use. This is one of the main points of the paper: How can autonomous systems in the Internet efficiently restrict the choices of end hosts.
- SCION does not help with censorship. On the contrary: compared to the BGP/IP Internet, some power is shifted from network operators to end hosts. It is these end hosts, who can implement "geo-fencing" not the network operators. While these still retain a significant amount of control over paths (see above) it is easier for end hosts to circumvent networks that employ censorship.
- One important point about SCION and other path-aware architectures is that the path control of end hosts is at an autonomous-system level. Thus, most problems with LSRR/SSRR are not present in SCION. For example:
- End hosts cannot choose paths at a router level and thus not evade firewalls (unless they are very poorly deployed).
- End hosts do not learn any information about the intra-domain topology, only about the inter-domain topology. This information can already be inferred today and is available in public datasets such as the CAIDA AS-relationship dataset [1]
- There is a Tor-like anonymous-communication network designed to use with SCION: HORNET [2].
Of course, path control by itself cannot solve all problems. This is why SCION includes several additional innovations such as a public-key infrastructure (PKI) that does not depend on global trust anchors and single points of failure, a secure routing mechanism, highly efficient mechanisms for packet authentication, etc.