Full Disclosure mailing list archives

Brazil's weirdest infosec aspects: "your private key is officially theirs"


From: M.B.Jr. <marcio.barbado () gmail com>
Date: Wed, 1 Oct 2008 23:17:16 -0300

Greetings,

Locaweb is the name of the most prominent web hosting organization in
Brazil. It was founded in 1998 and hosts more than 260 thousand
domains today, according to its main website:

http://www.locaweb.com.br/

Unfortunately, not big enough to respect its customers.
Locaweb seems to be confusing two concepts, the so-called "cloud
computing" and "privacy".
This is about its e-mail outsourcing service, named Locamail, which
offers a web-based access option with lots of features. Some are
useful. One of them, though, acts really strangely: it's this weird,
key-generation-capable PGP module, the target of this text.

The whole thing is simple to depict:
when one generates a key pair, surprise! One only receives a public key.
And as if not automatically providing its customers with their private
keys wasn't enough, if some of them happen to formally request their
account's private keys, Locaweb denies them. That is to say, one can
always use "its" web-based private key for decrypting received
messages or signing one's mail, but that key belongs to Locaweb. One
cannot read the private key one uses.

Such a horrifying situation clearly poses a threat to Locaweb's
customers' privacy. Thinking sensibly, there's no scenario in which a
"Private-Key-as-a-Service" model would be welcome.


Yours faithfully,



-- 
Marcio Barbado, Jr.

"In fact, companies that innovate on top of open standards are
advantaged because resources are freed up for higher-value work and
because market opportunities expand as the standards proliferate."
Scott Handy
Vice President Worldwide Linux and Open Source, IBM

This message and any file contained in it are confidential. "Whoever,
in violation of law or regulation, displays a signature or any
document or file, discloses or communicates, informs or captures,
transmits to another or uses the content, summary, meaning,
interpretation, indication or effect of any communication addressed to
a third party commits the crime of violation of telecommunications."
(Article 56 of Law No. 4,117 of 27 August 1962, applicable to
telecommunications crimes under art. 215, I, of Law 9,472/97).

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
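As an added example, not part of the original post and not Locaweb's or Locamail's code: the practical check a user of such a webmail PGP module would want is to inspect whatever key export the service hands over and see whether it contains OpenPGP secret-key packets at all, rather than trusting the armor label or what the web UI says. The script below walks OpenPGP packet headers (RFC 4880, section 4.2) and reports the packet types found. The three fixtures are constructed dummies with placeholder key bodies, not real keys: a public-only export of the kind the post describes, a locally generated export carrying a secret key and secret subkey, and a block labelled PRIVATE that actually carries only public packets. The function and fixture names are this example's own.

```python
"""Added example (not from the original post): check whether an OpenPGP key export really
contains secret-key material, rather than trusting the armor label or a web UI. Only packet
headers are parsed (RFC 4880 section 4.2); the fixture bodies are constructed dummies."""
import base64
import re

SECRET_KEY_TAGS = {5, 7}   # Secret-Key, Secret-Subkey packets
TAG_NAMES = {5: "secret-key", 6: "public-key", 7: "secret-subkey", 13: "user-id", 14: "public-subkey"}

def crc24(data: bytes) -> int:
    """CRC-24 used by OpenPGP ASCII armor (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def dearmor(text: str) -> tuple[str, bytes]:
    """Return (armor label, raw packet bytes), verifying the trailing CRC-24 if present."""
    lines = text.strip().splitlines()
    m = re.fullmatch(r"-----BEGIN PGP (.+)-----", lines[0].strip())
    if not m or not lines[-1].strip().startswith("-----END PGP "):
        raise ValueError("not an ASCII-armored OpenPGP block")
    body = lines[1:-1]
    sep = next((i for i, ln in enumerate(body) if not ln.strip()), -1)  # armor headers end here
    data = [ln.strip() for ln in body[sep + 1:] if ln.strip()]
    crc_line = data.pop() if data and data[-1].startswith("=") else None
    raw = base64.b64decode("".join(data), validate=True)
    if crc_line and crc24(raw) != int.from_bytes(base64.b64decode(crc_line[1:]), "big"):
        raise ValueError("armor CRC-24 mismatch")
    return m.group(1), raw

def packet_tags(raw: bytes) -> list[int]:
    """Walk the packet headers and return each packet's tag, in order."""
    tags, i = [], 0
    while i < len(raw):
        ctb, i = raw[i], i + 1
        if not ctb & 0x80:
            raise ValueError(f"bad packet header at offset {i - 1}")
        if ctb & 0x40:                                   # new format: 6-bit tag
            tag, first, i = ctb & 0x3F, raw[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + raw[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(raw[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths not handled here")
        else:                                            # old format: 4-bit tag, 2-bit length type
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled here")
            n = (1, 2, 4)[ltype]
            length, i = int.from_bytes(raw[i:i + n], "big"), i + n
        if i + length > len(raw):
            raise ValueError(f"truncated packet (tag {tag})")
        tags.append(tag)
        i += length
    return tags

def classify_key_export(armored: str) -> dict:
    """Report what a key export really contains; the armor label is informational only."""
    label, raw = dearmor(armored)
    tags = packet_tags(raw)
    return {"armor_label": label,
            "packets": [TAG_NAMES.get(t, f"tag-{t}") for t in tags],
            "has_secret_key": any(t in SECRET_KEY_TAGS for t in tags)}

# --- constructed fixtures below: dummy bodies, no real key material ---
def _packet(tag: int, body: bytes, old: bool = False) -> bytes:
    """Prepend an RFC 4880 header (old format supports 1-octet lengths only here)."""
    n = len(body)
    if old:
        return bytes([0x80 | (tag << 2), n]) + body
    if n < 192:
        return bytes([0xC0 | tag, n]) + body
    return bytes([0xC0 | tag, 192 + ((n - 192) >> 8), (n - 192) & 0xFF]) + body

def _armor(label: str, raw: bytes) -> str:
    b64 = base64.b64encode(raw).decode()
    crc = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN PGP {label}-----", "Comment: constructed example", ""]
                     + [b64[i:i + 64] for i in range(0, len(b64), 64)]
                     + ["=" + crc, f"-----END PGP {label}-----"])

_PUB_BODY = bytes([4]) + b"\0\0\0\0" + bytes([1]) + b"\0" * 40   # v4, timestamp, RSA, fake MPIs
_SEC_BODY = _PUB_BODY + b"\0" * 200                               # >191 bytes: 2-octet length
_UID = _packet(13, b"user@example.invalid", old=True)             # exercises old-format header
# What the post describes: the webmail hands the user a public key block only.
WEBMAIL_EXPORT = _armor("PUBLIC KEY BLOCK", _packet(6, _PUB_BODY) + _UID + _packet(14, _PUB_BODY))
# A key generated and exported locally: secret key and secret subkey are present.
LOCAL_EXPORT = _armor("PRIVATE KEY BLOCK", _packet(5, _SEC_BODY) + _UID + _packet(7, _SEC_BODY))
# A block whose label says "PRIVATE" but whose packets are public only; the label lies.
MISLABELED_EXPORT = _armor("PRIVATE KEY BLOCK", _packet(6, _PUB_BODY) + _UID)

if __name__ == "__main__":
    for blob in (WEBMAIL_EXPORT, LOCAL_EXPORT, MISLABELED_EXPORT):
        print(classify_key_export(blob))
```

If has_secret_key is false for the only export a provider will give you, every decryption and signature is performed on their side with a key you never hold, which is exactly the situation the post describes. Real-world exports may use partial body lengths or old-format indeterminate lengths; the parser rejects those explicitly rather than guessing at packet boundaries.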