The bad news:
- conversation contents are encrypted. Good.
- the encryption key for conversations is derived from an encrypted user key
- this is protected by the enclave secret, which is a fixed secret.
- this key is encrypted by a key in by AWS KMS 🤦
Anyone with the encrypted secret and a single second of access to AWS KMS can get the raw secret. This includes employees with IAM management access to push new builds
From there, you can decrypt any user’s conversations that were encrypted with this key, back to the last key rotation and until the next key rotation happens.
(Which seems that there is no implementation of)
A supply chain attack on a dependency of the backend or a malicious build pushed out by a privileged employee can also extract this secret.
The enclave also calls out to a lot of remote services, which could indicate that there is little-to-no firewalling to prevent exfiltration. Even then, many used APIs like the GitHub API can be used to exfiltrate data.
quotingMaple AI is a funny product. They claim it’s private and protected by TEE but the code running inside the TEE is closed source so you don’t know what it actually does.
nevent1q…54xy
And they can push updates whenever, including one that exfiltrates your data.
I asked them 2 times and got answers 0 times how it was verifiable.
Anyway it looks like they outsourced all their inference anyway to https://tinfoil.sh