Dropbox authentication: insecure by design

Discussion in 'other security issues & news' started by CloneRanger, Apr 9, 2011.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    http://dereknewton.com/2011/04/dropbox-authentication-static-host-ids/
     
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Good thing I don't use it for important files.
     
  3. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Yeah, would never put any personal stuff there (or any other in-the-cloud stuff for that matter.) I use Dropbox for my favourite utilities/installers collection, so if someone wants to steal it, well, enjoy...

    However, the total lack of understanding of the completely broken security design by the Dropbox folks seems to be really appalling. :thumbd:
     
  4. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
  5. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,092
  6. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,092
  7. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    At least they're trying.
     
  8. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
  9. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,721
    Location:
    Texas
    http://www.wired.com/threatlevel/2011/05/dropbox-ftc/
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Glad I don't store anything too personal... thanks for these articles, they're really shedding a negative light on Dropbox.
     
  11. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,721
    Location:
    Texas
    http://www.wired.com/threatlevel/2011/05/dropbox-response/
     
  12. ncage1974

    ncage1974 Registered Member

    Joined:
    Dec 6, 2009
    Posts:
    45
    Actually I don't disagree with anything they did. They are creating hashes of files and if the hash matches they don't store it again (kind of like data deduplication). If you think about it, most files that are duplicates aren't going to be personal data. I'm sure a lot of their users are free users and they need to do this to manage storage requirements. You should NEVER trust anything in the cloud unless you have control of the key. If you don't, they can always decrypt if they want, and if they get a court order to look at your data there is nothing they can do. For example, I use Crashplan as a cloud backup service but I have control of the key. Of course the downfall to this is that if you lose your key then they have no way to recover your data. They allow their users to use their username + password as the key rather than your own user-defined key, but this then means they can decrypt your data.

    There is only one way around this of course. The data you send is pre-encrypted before it's sent. Don't send encrypted data that has been decrypted already or you will be in the same scenario (EFS after you have logged into Windows, for example).

    They probably encrypt the data but probably use something like your username/password + salt. So if someone were to break in and download their entire database, they would only be able to decrypt your data if they knew your username/password + salt value.

    They act like this security researcher came up with a unique discovery. He didn't. Anyone who really knows anything about encryption would have known this. The same could be said of Live Mesh. It works exactly the same: if Microsoft wants to decrypt your data they can (if you sync to the cloud).

    Again, to reiterate: never trust your personal data to the cloud unless you pre-encrypt or have control of the key.

    That being said, I love Dropbox and plan to continue to use it. I'm not going to be too upset if someone steals my recipes or the ebooks I like to have available on any computer :p
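The post above describes three models: the provider deduplicating by hash of the plaintext, the provider deriving the key from username/password plus a salt it stores, and the user holding a key the provider never sees. The following is an added, stand-alone illustration written for this thread (not code from Dropbox, CrashPlan, or the poster); the sample files, user names, password and salt are constructed, and the HMAC-SHA256 counter-mode cipher is an illustrative stdlib-only construction standing in for the vetted AEAD (such as AES-GCM) a real client would use.

```python
import hashlib
import hmac
import os

# Constructed sample documents standing in for two users' uploads (not from the thread).
RECIPE = b"Grandma's cookie recipe: 2 cups flour, 1 cup sugar, ..."
NOTES = b"Private notes: account numbers and passport scan attached."


class DedupStore:
    """Provider-side store that keeps one copy per content hash (single-instance storage)."""

    def __init__(self):
        self.blobs = {}    # sha256 hex -> stored bytes
        self.owners = {}   # sha256 hex -> set of users holding that content

    def upload(self, user, data):
        digest = hashlib.sha256(data).hexdigest()
        is_new = digest not in self.blobs
        if is_new:
            self.blobs[digest] = data
        self.owners.setdefault(digest, set()).add(user)
        return digest, is_new

    def shared_by(self, digest):
        return sorted(self.owners.get(digest, ()))


def derive_key(username, password, salt):
    """Key derived from credentials plus a provider-stored salt (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", (username + ":" + password).encode(), salt, 100_000)


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode used as a PRF-based keystream (illustrative construction)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag. Real clients should use a vetted AEAD such as AES-GCM."""
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key, blob):
    """Verify the tag in constant time before touching the ciphertext; wrong key or tampering raises."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def plaintext_dedup_scenario():
    """Both users upload the same plaintext: stored once, and the provider can read it and see who shares it."""
    store = DedupStore()
    _, first_new = store.upload("alice", RECIPE)
    digest, second_new = store.upload("bob", RECIPE)
    return {
        "stored_once": first_new and not second_new,
        "provider_can_read": store.blobs[digest] == RECIPE,
        "shared_by": store.shared_by(digest),
    }


def provider_derived_key_scenario():
    """Key comes from username/password + salt; whoever holds those inputs (the provider) recomputes the key."""
    salt = os.urandom(16)                    # provider stores the salt alongside the account
    key = derive_key("alice", "hunter2", salt)   # constructed credentials
    blob = encrypt(key, NOTES)
    recomputed = derive_key("alice", "hunter2", salt)
    return decrypt(recomputed, blob) == NOTES


def user_held_key_scenario():
    """Client-side encryption with a random key the user never uploads: no cross-user dedup, no provider access."""
    store = DedupStore()
    alice_key, bob_key = os.urandom(32), os.urandom(32)
    d1, _ = store.upload("alice", encrypt(alice_key, RECIPE))
    d2, second_new = store.upload("bob", encrypt(bob_key, RECIPE))
    provider_key_guess = os.urandom(32)      # the provider holds no key, so it can only guess
    try:
        decrypt(provider_key_guess, store.blobs[d1])
        provider_can_read = True
    except ValueError:
        provider_can_read = False
    return {
        "dedup_defeated": d1 != d2 and second_new,
        "provider_can_read": provider_can_read,
        "owner_can_read": decrypt(alice_key, store.blobs[d1]) == RECIPE,
    }


if __name__ == "__main__":
    print(plaintext_dedup_scenario())
    print(provider_derived_key_scenario())
    print(user_held_key_scenario())
```

The third scenario is the trade-off the post names: once each user encrypts with their own key, identical files no longer hash to the same value on the server, so the provider loses deduplication and loses the ability to recover the data if the key is lost, but it also cannot read the data or be compelled to hand over plaintext.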
     
  13. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,910
    Location:
    U.S.A.
  14. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,824
    Methinks it's time for something new.
     
  15. poison

    poison Registered Member

    Joined:
    Aug 20, 2007
    Posts:
    150
    Methinks you could be right. That's shocking.
     