Dropbox authentication: insecure by design

Discussion in 'other security issues & news' started by CloneRanger, Apr 9, 2011.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    http://dereknewton.com/2011/04/dropbox-authentication-static-host-ids/
     
  2. J_L

    J_L Registered Member

    Good thing I don't use it for important files.
     
  3. doktornotor

    doktornotor Registered Member

    Yeah, would never put any personal stuff there (or any other in-the-cloud stuff for that matter.) I use Dropbox for my favourite utilities/installers collection, so if someone wants to steal it, well, enjoy...

    However, the total lack of understanding of completely broken security design by the Dropbox folks seems to be really appalling. :thumbd:
     
  4. PJC

    PJC Very Frequent Poster

  5. lotuseclat79

    lotuseclat79 Registered Member

  6. lotuseclat79

    lotuseclat79 Registered Member

  7. J_L

    J_L Registered Member

    At least they're trying.
     
  8. doktornotor

    doktornotor Registered Member

  9. ronjor

    ronjor Global Moderator

    http://www.wired.com/threatlevel/2011/05/dropbox-ftc/
     
  10. Hungry Man

    Hungry Man Registered Member

    Glad I don't store anything too personal... thanks for these articles, they're really shedding a negative light on dropbox.
     
  11. ronjor

    ronjor Global Moderator

    http://www.wired.com/threatlevel/2011/05/dropbox-response/
     
  12. ncage1974

    ncage1974 Registered Member

    Actually I don't disagree with anything they did. They are creating hashes of files and if the hash matches they don't store it again (kind of like data deduplication). If you think about it, most files that are duplicates aren't going to be personal data. I'm sure a lot of their users are free users and they need to do this to manage storage requirements. You should NEVER trust anything in the cloud unless you have control of the key. If you don't, they can always decrypt if they want, and if they get a court order to look at your data there is nothing they can do. For example I use Crashplan as a cloud backup service but I have control of the key. Of course the downfall to this is if you lose your key then they have no way to recover your data. They allow their users to use their username + password as the key rather than your own user-defined key, but this then means they can decrypt your data.

    There is only one way around this of course. The data you send is pre-encrypted before it's sent. Don't send encrypted data that has been decrypted already or you will be in the same scenario (EFS after you logged into Windows, for example).

    They probably encrypt the data but probably use something like your username/password + Salt. So if someone would break in and download their entire database they wouldn't only be able to decrypt your data if they knew your username/password + salt value.

    They act like this security researcher came up with a unique discovery. He didn't. Anyone who really knows anything about encryption would have known this. The same could be said of Live Mesh. It works exactly the same: if Microsoft wants to decrypt your data they can (if you sync to the cloud).

    Again, to reiterate: never trust your personal data in the cloud unless you pre-encrypt or have control of the key.

    That being said, I love Dropbox and plan to continue to use it. I'm not going to be too upset if someone steals my recipes or my ebooks I like to have available on any computer :p
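    The trade-off the post above describes, as an added example that is not part of this thread or of any Dropbox code: a key the provider can derive from username/password + salt lets the provider decrypt, while a key generated on the client and never uploaded keeps the data private but also makes the same file look different in every account, so hash-based deduplication across users stops working. The cipher here is a constructed stdlib-only stand-in (HMAC-SHA256 keystream plus HMAC tag); the names, sample file and salt are assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Constructed illustrative cipher (HMAC-SHA256 keystream XOR + HMAC tag), stdlib-only
# so it runs anywhere; a real client would use AES-GCM from a vetted library.
def _keystream(key, nonce, length):
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def encrypt(key, plaintext):
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def provider_key(username, password, salt):
    # Key the provider can rebuild: it stores the salt and sees the password at login.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), username.encode() + salt, 100_000)

def dedup_id(data):
    # Content hash a dedup layer would compare across accounts.
    return hashlib.sha256(data).hexdigest()

def compare(doc=b"same installer bytes in two accounts"):  # constructed sample file
    salt = os.urandom(8)
    k_srv = provider_key("alice", "pw-a", salt)          # derivable by the provider
    provider_can_read = decrypt(k_srv, encrypt(k_srv, doc)) == doc
    k_a, k_b = secrets.token_bytes(32), secrets.token_bytes(32)  # never uploaded
    blob_a, blob_b = encrypt(k_a, doc), encrypt(k_b, doc)
    return {
        "provider_can_read": provider_can_read,
        "ciphertext_dedups": dedup_id(blob_a) == dedup_id(blob_b),
        "owner_can_read": decrypt(k_b, blob_b) == doc,
    }
```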
     
  13. JRViejo

    JRViejo Super Moderator

  14. Trooper

    Trooper Registered Member

    Me thinks its time for something new.
     
  15. poison

    poison Registered Member

    Me thinks you could be right. That's shocking.
     