
Re: [Duplicity-talk] Is s3+http encrypted during transmission?


From: edgar . soldin
Subject: Re: [Duplicity-talk] Is s3+http encrypted during transmission?
Date: Tue, 07 Feb 2012 16:24:49 +0100
User-agent: Mozilla/5.0 (Windows NT 5.1; rv:10.0) Gecko/20120129 Thunderbird/10.0

On 07.02.2012 16:13, Ryan Chan wrote:
> I agree but not all use cases need hard encryption.
> 
> One of the key strengths of duplicity is its built-in S3 support. (most people 
> find it very useful).
> 
> 
> On Tue, Feb 7, 2012 at 10:58 PM, Scott Hannahs <address@hidden 
> <mailto:address@hidden>> wrote:
> 
> 
>     On Feb 7, 2012, at 09:38, Ryan Chan wrote:
> 
>     > This is a good point and I hope that needs to be promoted.
>     >
>     > The reason is now S3 supports server side encryption, and if the
>     > connection is encrypted by default, we actually can skip our local encryption
>     > process. (I know not for all the use cases, but sometimes this level of
>     > security is already enough..)
> 
>     Actually the premise of duplicity is that the storage itself is unsafe.
>     If you protect the communication channel but not the end storage then there
>     isn't much point in encrypting at all.  Encryption is an all or nothing type
>     system.  You can argue that it is more likely that the communication to the
>     S3 storage is more likely to be intercepted than someone getting access to
>     the S3 system itself but the difference in probability is less than an order
>     of magnitude not many orders of magnitude.
> 
>     Just use tar and rsync and forget duplicity.
> 

if someone really wants to trust a third party's security this sounds feasible 
to me. he could use duplicity without encryption. of course in terms of 
usability there might be better options out there then.

but scott is right as well. the world isn't perfect and neither are third 
parties nor their security, hence i wouldn't advise to go that route.

btw. encryption that is not hard usually means "security by obscurity" which in 
turn can be translated to "gives a good feel". i only know of two types of 
encryption:
known broken encryption 
and 
currently considered safe encryption (because with current technology the time 
to crack it is too long).

you probably meant hard security, based on the idea that security is always 
relative and measures should match the value or proposed risk for the asset to 
secure. i agree with that.


regards ede/duply.net


