Guan’s blog

Cloud security

19 May 2011

There has been a lot of recent discussion in the blogosphere on Dropbox security and cloud security in general. GF has a good overview, and Susan Orlean has a post on some of the scarier implications. I can sympathize with people who feel they have been deceived, but I personally don’t think Dropbox’s original wording constitutes a lie. I never read it before all the current brouhaha, but as someone who is a little familiar with practical security, I always suspected from Dropbox’s features that, in principle, they had access to my files. Indicia:

  1. All your files are available on different platforms (desktop, web, iPhone) without much hassle or delay.
  2. While the various clients (desktop, iPhone, etc.) could probably do per-user encryption, the web interface doesn’t spend a lot of time decrypting files in JavaScript (or Java or Flash or some other way of doing it).
  3. Even large files can be instantly moved to “Public”.
  4. The fact that it’s possible to instantly share an entire folder with someone else.

There’s probably some way to do each of these with proper encryption. For the last point, they could perhaps have a separate key for each folder, then give others access to that key when a folder is shared. And with some creativity there are probably ways to implement every Dropbox feature in a fully secure way. But my guess was always that it would be a huge hassle to have that level of security with a service like Dropbox.

All in all, Dropbox just “feels” like a service where they have access to everything (with proper access controls of course). Kind of like I always knew that authorized Google employees could read my email even though I never read the terms of use.

Different kinds of cloud services will always have different security tradeoffs. I won’t encrypt everything in my Dropbox because I want easy web and phone access to the kinds of documents I use Dropbox for. My 1Password files are in Dropbox, but they have their own iPhone app that can decrypt them, and I can live without web access to my passwords.

I encourage everyone to be careful about their Dropbox use and there are certainly things I wouldn’t include in my Dropbox, but that I would include in my Backblaze backups. And I don’t even trust Backblaze fully.

GF describes a different kind of balance:

SpiderOak, by contrast, cannot disclose its customers’ files, even if it wanted to. That is because it lacks tools to tap any of the data it stores on behalf of users. However, this “zero knowledge” means that if a user loses his key, he can never again access those data.

This is more secure and somewhat less practical than CrashPlan’s tradeoff, also described in GF’s post, but you are still reliant on SpiderOak’s application. They could easily be compelled by a court to introduce a back door that sends your encryption keys back to the bad guys. What, I’m paranoid? It happened.

I believe there are ways to use the cloud in a fully secure way, but you can’t rely on the cloud vendor’s software. If you use open source software to encrypt your files and then upload them to Amazon S3, it would be very difficult for baddies to read your files. Duplicity is an open source backup program that can use this security model.
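The three design points above fit together into one small model: a per-folder key that is handed to whoever the folder is shared with, a provider that stores only ciphertext plus wrapped keys (the “zero knowledge” position), and the consequence that a lost passphrase is unrecoverable. The Python below is an added illustration of that model, written for this post; it is not code from Dropbox, SpiderOak or Duplicity. It assumes user keys are derived from passphrases with PBKDF2, uses a counter-mode keystream built from HMAC-SHA256 as a stand-in for AES so that it runs on the standard library alone, and assumes the folder key is handed from one client to another over a channel the provider cannot read (in practice it would be sealed to the recipient’s public key). All names and sample data are constructed.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000   # assumption: raise for current hardware
NONCE_LEN, TAG_LEN = 16, 32


def derive_user_key(passphrase: str, salt: bytes) -> bytes:
    """Runs on the client; the provider sees the salt but never the passphrase."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                               PBKDF2_ITERATIONS, 32)


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, "sha256").digest()  # separate enc and mac keys


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from a PRF (HMAC-SHA256); stand-in for AES-CTR."""
    blocks, counter = bytearray(), 0
    while len(blocks) < length:
        blocks += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return bytes(blocks[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Layout: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, "sha256").digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag first; a wrong key or a modified blob fails closed."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


class Provider:
    """Everything the storage service holds; none of it yields plaintext."""
    def __init__(self):
        self.salts = {}         # user -> PBKDF2 salt (public)
        self.wrapped_keys = {}  # (folder, user) -> folder key sealed under user key
        self.files = {}         # (folder, filename) -> sealed contents


class Client:
    """Runs on the user's machine; every key lives here, never at the provider."""
    def __init__(self, provider, user, passphrase):
        self.provider, self.user = provider, user
        salt = provider.salts.setdefault(user, os.urandom(16))
        self.user_key = derive_user_key(passphrase, salt)

    def accept_folder_key(self, folder, folder_key):
        """Wrap a per-folder key under this user's key and park it at the provider."""
        self.provider.wrapped_keys[(folder, self.user)] = seal(self.user_key, folder_key)

    def create_folder(self, folder):
        self.accept_folder_key(folder, os.urandom(32))

    def folder_key(self, folder):
        return unseal(self.user_key, self.provider.wrapped_keys[(folder, self.user)])

    def put(self, folder, name, data):
        self.provider.files[(folder, name)] = seal(self.folder_key(folder), data)

    def get(self, folder, name):
        return unseal(self.folder_key(folder), self.provider.files[(folder, name)])

    def share(self, folder, recipient):
        """Sharing = handing the folder key to the other client, who wraps it for
        themself. Assumption: this handoff bypasses the provider entirely."""
        recipient.accept_folder_key(folder, self.folder_key(folder))


def demo():
    """Constructed scenario: Alice stores a file, shares the folder with Bob; the
    provider and an Alice with the wrong passphrase get nothing."""
    provider = Provider()
    alice = Client(provider, "alice", "correct horse battery staple")
    alice.create_folder("taxes")
    secret = b"2010 return: constructed sample data"
    alice.put("taxes", "return.pdf", secret)
    bob = Client(provider, "bob", "bob's own passphrase")
    alice.share("taxes", bob)
    try:
        Client(provider, "alice", "wrong passphrase").get("taxes", "return.pdf")
        lost_passphrase_recovers = True
    except ValueError:
        lost_passphrase_recovers = False
    return {
        "provider_sees_plaintext": secret in provider.files[("taxes", "return.pdf")],
        "bob_reads_after_share": bob.get("taxes", "return.pdf") == secret,
        "lost_passphrase_recovers": lost_passphrase_recovers,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the structure is that revoking or adding a member only touches the wrapped-key table, while the provider is never in a position to decrypt anything it stores; the flip side, exactly as GF describes for SpiderOak, is that a forgotten passphrase leaves the provider with nothing it could restore for you.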

(This is based on some of my comments on Hacker News.)