Does uploading without encryption still work?

[qgustavor]

Uploading without encryption is documented here and is a way to upload files that don't need encryption and that can be downloaded using a bare-bones MEGA client implementing only API calls without any crypto code. Direct MEGA supported it but I don't support Direct MEGA anymore.

Does anyone use this feature? Is it still working? If it's not I think it's better to remove this from the documentation or at least add a note about this.

[qgustavor]

As @Karmel0x noticed here looks like MEGA does not support uploading without encryption anymore. I think they probably are doing some check server-side to detect clients with buggy encryption implementations.

I commented in the documentation that I know a famous MEGA client that had a buggy implementation because I lot a lot of MEGA shared files with encryption keys set to Buffer.alloc(24). I already reported this issue to MEGA and they confirmed the issues happens in just that client and not official clients. They are probably trying to avoid something similar to happen again because those kind of bugs affect official clients too reducing their security.

(Well, in fact I would partially blame MEGA for insisting on not using HTTPS - which would provide file transfers unique encryption keys for transfer - instead of relying on a static encryption key generated by the client - which can be weak when bugs happen. HTTPS should be enabled by default on official clients on file transfers, not just on API calls, as it would reduce a lot the risk caused by bugs on third party clients. Come on, MEGA! https://istlsfastyet.com/)

If someone is using non-encrypted uploading for the above use-case - public content that don't need to be encrypted because it would be a waste of CPU encrypting something which encryption key is meant to be published and that would be downloaded on a bare-bones client - from my tests using some weak encryption algorithm is sufficient to workaround server-side checks. I tested Speck because I have some experience with it but I think the below code would work:

function obfuscate (data, key = 'mega does not allow non encrypted uploading anymore') {
  if (typeof key === 'string') key = Buffer.from(key)
  for (let i = 0; i < data.length; i++) data[i] ^= key[i % key.length]
}

Run once to obfuscate, run again to de-obfuscate. It's fast, but I warn you, that's horribly weak! Here's a video I found that shows four ways to crack it. In the other hand I think that's quite unlikely to MEGA servers to detect and block it.

[Karmel0x]

For me, the purpose of using it was to be able to display static content, such as images, directly on the page and allow direct access. I don't need them to be encrypted, the storage price on MEGA is the reason I use it. I don't have possibility to use it like that with any encryption.

Would be great if there was a parameter that would allow to ignore that server-side check but MEGA probably don't care as their slogan is strong encryption.

Anyway, thanks for checking it.

[qgustavor]

I remember experimenting doing it a long time ago, but I preferred not using it because then images are not cached. I wonder if you prefix your images with something random is sufficient to throw this check off. Then just ignore this prefix using ${downloadURL}/${startByte}. Maybe trying modern image formats such as AVIF may help in case this check tries to use something like the file command and it's still not updated to handle those formats. I don't think it's relying on an entropy check since it detected header-less compressed data.