As both the general public and CEOs of Internet companies seethe in the wake of NSA spying allegations, some researchers at MIT are working on a tool called Mylar that they claim would essentially spy-proof web applications.
The pain point, according to the team, is the server. Every web application relies on servers to process and store data, and that data is exposed both to the people who hold legitimate keys to it and to hackers and government snoopers. “Mylar protects data confidentiality even when an attacker gets full access to servers,” reads the researchers’ website. “Mylar stores only encrypted data on the server, and decrypts data only in users' browsers.”
Mylar still allows the server to search for keywords in encrypted documents, it “allows users to share keys and data securely in the presence of an active adversary,” and it verifies that the client-side application code delivered to the browser is authentic even if the server-side code has been compromised.
The team says that in its tests, porting an application required changing fewer than three dozen lines of code, at a cost of a 17% throughput loss and a 50 ms latency increase (measured in a chat app).
So far the team has secured a medical application, a chat app, a class assignment submission site, a calendar, a forum, and a photo sharing app. You can play with Mylar on your own by grabbing it from here.