Dropbox Lack of Security - zdw
http://tirania.org/blog/archive/2011/Apr-19.html

======
patio11
This is the first time I've heard someone on HN actually ask for _more_
security theatre. Sure, Dropbox could spend seven figures to get an ISOxxxx
whatever consultancy to draw up a 125 page document describing their internal
checks, do the obligatory all-hands yearly mandatory training where you have
to get 10/10 questions right and question 1 is "A user has uploaded naked
pictures of themselves to their account. True or false: it is permissible to
download these and take them home with you.", etc etc.

And they'd be exactly where we are today:

1) Yes, we could look at your data any time we want to. This is an inevitable
consequence of letting _you_ look at your data any time you want to.

2) We promise not to abuse our power #1.

3) If you don't trust us on #2, you should not do business with us.

Except they'd be out seven figures.

~~~
thaumaturgy
That's a severe oversimplification, IMO. Just recently there was news that
duplicating the host_id from the Dropbox config onto another system will
immediately gain access to all of the Dropbox files associated with that
host_id, without further authentication.

It's not security theatre to acknowledge that the security in such a system
could be improved, especially as an option for those that require it.

#3 could easily be paralyzing for many businesses. There are already services
(like Tarsnap) which are engineered to not require you to trust them; why
should we ignore such services and limit ourselves to doing business only with
those companies that we can trust implicitly?

As a specific example, I've had a client for a few years which is government
funded and quite paranoid about security. However, they also need to
communicate with outside contractors. I don't advise them to "trust" their
ISP, the outside contractors' network, and all the other businesses in-
between. I tell them that nothing sensitive leaves the building unless it's
been encrypted, and that once someone else opens that file, it can no longer
be considered secure in any sense.

"Trust us" is not a compelling requirement for doing business, nor can
businesses limit themselves only to relying on service providers that they
trust. Fortunately, the technology exists now to eliminate that requirement.

Dropbox is currently off-limits to all employees at my client.

~~~
16s
Great points. Trust and hope are not IT Security Controls.

Take the matter into your own hands and GPG encrypt everything that you place
into the cloud. That way, only you hold the decryption key. I'm sure this may
violate their ToS and it is inconvenient for end-users, but in order to have a
firm technical control, you have to remove "trust and hope" from the equation.

~~~
korny
It's hardly against their TOS - they _recommend_ using FreeOTFE or TrueCrypt
to do just this:
[http://wiki.dropbox.com/TipsAndTricks/IncreasePrivacyAndSafe...](http://wiki.dropbox.com/TipsAndTricks/IncreasePrivacyAndSafety)

------
arashf
hi there, arash from dropbox here. all data is (as we state in the referenced
help article) encrypted before it's stored on the backend.

all data on dropbox can be made shareable and is web viewable. as a
consequence, we do need the ability to decrypt in the cloud.

re. employee access to files - there are controls to prevent this. for
example, even drew (founder/CEO), doesn't have physical access to our storage
servers anymore.

for very sensitive data, there's always the option to use truecrypt (we even
offer this as a recommendation in our security documentation:
<https://www.dropbox.com/terms#security>)

~~~
bradgessler
Technically speaking, what's the point of encrypting data on the backend if you
can decrypt it? This strikes me as a waste of computations for no real gain.

~~~
jackowayed
Someone in an Amazon datacenter that gets ahold of a random backup tape/hard
drive can't read it. I'm not sure if Dropbox is hosted on EC2, but if not, it
means that Amazon couldn't read the data at all. (If it's hosted on EC2,
Amazon could probably get ahold of the key if they really wanted to)

~~~
bradgessler
Going off of that assumption, what if the decryption keys were also stored in
an Amazon data center? It is then possible for Amazon to read the contents of
these files.

I'd like to hear from Dropbox how this works instead of speculation.

------
tlrobinson
It always seemed obvious to me that Dropbox has access to your unencrypted
files because _they make them available to you through the web interface_.

~~~
bdhe
> because they make them available to you through the web interface.

You could have client side javascript that decrypts the files.
<http://crypto.stanford.edu/sjcl/>

~~~
thaumaturgy
You're getting (maybe unfairly) downvoted because the popular opinion in
security is that client-side JavaScript anything is worthless in terms of
security. Since it's not authenticated in any way by the browser, any
successful MITM attack on a connection can feed malicious JavaScript which
would request the user's key. Or, a malicious add-on in the browser could do
the same. Or, possibly, an XSRF.

I'm somewhat skeptical of this because I think that such attacks can be
successfully mounted against most other web-related activities. DNS poisoning
and self-signed SSL would be enough to phish many people's bank login
credentials, and a lot of attacks don't even go to that much trouble.

But, anyway, client-side JavaScript for security purposes is supposed to be
verboten.

~~~
JoachimSchipper
The number of people who will find an attack in the middle of a ton of
Javascript is _much_ smaller than the number of people who properly handle a
certificate warning.

------
gergles
I don't care. I use Dropbox because of the unparalleled feature set and ease
of integration. I have my taxes stored on Dropbox, along with a lot of other
sensitive information. They're in an encrypted RAR file with a line-noise
passphrase, just like they would be if I were storing them _anywhere_
(including locally -- after all, what if Mallory steals your hard drive? Or,
to parrot the most common movie plot threat, what if the NSA secretly breaks
into your house when you're out at the movies and images all your disks then
slips them back in without your knowledge?)

The features DB offers for sharing, web access, etc. are well worth the
tradeoff, and I am ashamed to see the security pedants constantly pillorying
Dropbox because it's not some imaginary "verified secure" system. They don't
advertise to be that. A claim of "we encrypt your files with RSA" should be
utterly meaningless to you without knowledge of how the key is controlled, and
a few seconds' thought and examination of the feature set should inform you
that yes, Dropbox has to have the key to decrypt the files. That doesn't make
the claim of "your files are encrypted" any less true.

~~~
lean
paying Dropbox customer here, I wouldn't call the features "unparalleled".
SugarSync offers more, and for slightly less:
<https://www.sugarsync.com/sync_comparison.html>

...or so I'm assuming. I never tried it because last time I checked they
require a credit card for a free trial.

~~~
heyitsnick
Seems like you can get a free 5g account without CC here:

<https://www.sugarsync.com/signup?startsub=5>

------
thought_alarm
Do a lot of people think that Dropbox is some sort of super-private service?

I'm no security expert, but I do hope it's obvious to most people that Dropbox
wouldn't be able to do stuff like reset your password if they didn't have
access to the contents of your files at some level. A truly secure and private
service would look a lot different, and be much more complicated to set up.
That's the tradeoff.

~~~
bxr
>I hope it's obvious to most people that Dropbox wouldn't be able to do stuff
like reset your password if they didn't have access to the contents of your
files at some level

Those are pretty damn high hopes even for the average user from the generation
that grew up with computers.

------
donpark
Three points:

1. Sensationalism aside, Dropbox should review questionable security claims
to reduce any false sense of security. With millions of users, careless
words formed out of marketing needs are no longer needed. What Dropbox users
need now is a clearer picture of what they are giving up to gain Dropbox's
services.

2. The weakest security link is the user and their computer, not Dropbox,
which has enough financial incentives at stake to be diligent security-wise.
In the end, no computer open to external data or code is safe. What protects
most users today is actually not security technology but the cost/benefit
ratio to potential attackers, tempered by goal and scale. 99.9999% of Dropbox
user data is useless to attackers, and mining questionable nuggets out of the
continually expanding sea of data from 20 million users is not a trivial task.

3. While it's true that users must trust Dropbox in the end, some of its
security measures could use strengthening, even if it's just intended to raise
the level of sophistication necessary to steal Dropbox data.

~~~
latch
Agreed. Except a lot of companies have _a lot_ of " financial incentives at
stake to be diligent security wise" but aren't.

Something I very recently heard: "World of Warcraft has had RSA-style two-
factor token authentication for years, and my bank still doesn't"

~~~
donpark
Some thoughts re WoW vs banks:

WoW Authenticator is optional, costs $30~40, and is intended for serious WoW
players in a community with very strong peer support. Banks can do the first
two but don't have a community of tech-savvy users to keep the cost of support
manageable.

So Blizzard could but banks couldn't. Will this change? I think so but it'll
have to be opt-in and paid for by customers, likely through third-party
services first.

~~~
Pahalial
$6.50, not 30-40: <http://us.blizzard.com/store/search.xml?q=authenticator> -
this omits the free apps for most smartphones.

As far as peer support, honestly, there's almost no peer support. There is a
strong first-line of FAQs and automated systems (regularly ensuring secondary
contact information is accurate, well-defined systems for lost authentication
devices, etc.) and well-trained second-tier tech support.

There are enough third-party auth providers now that would be well able to
provide the entire support chain for the banks. In fact, Gemalto has built for
this: <http://www.gemalto.com/financial/ebanking/>

------
icedpulleys
Regardless of how you want to parse a company's public statements and written
policies, it's the height of naivete to think that a data host (ANY host)
wouldn't share your data with law enforcement or has encrypted data in such a
way that they guarantee that no one can access it.

If you have sensitive data, encrypt it yourself. Encrypt it on your local
drive, back up encrypted data, encrypt it before uploading it to Dropbox.
Doing otherwise is akin to not having a proper backup process: it's either
because of laziness or ignorance.

------
csallen
Dropbox didn't lie. This is simply a misinterpretation (or misunderstanding)
of what's meant by the phrase "Dropbox employees aren't able to access user
files". It's not the same as saying "It's impossible." The fact is, if you
send a company your unencrypted data, it's obviously _possible_ for them to
view it at some point. Otherwise they could never encrypt it in the first
place. So when they say that employees aren't able to access it, they mean
that they, as a company, _choose_ not to access it.

A good analogy is the post office. Anyone who works there and handles your
mail could, if they so desired, tear open your package and steal the cookies
your mother sent you. We trust them anyway, because we know they take
precautions to ensure it doesn't happen. Dropbox is the same, but even tougher
(I doubt the average Dropbox employee has access to their decryption
mechanisms, but plenty of people at the post office can unseal your
envelopes).

That said, to not acknowledge it as even _possible_ for the company you send
your data to you be able to access that data seems, to me, a bit naive. That's
not the promise they made, and so the claim that they lied is false.

~~~
loumf
The plain English meaning of the words "aren't able to access user files" is
not the same as "choose not to access user files".

Dropbox could just keep keys in a store where only automated user accounts can
get to them -- ones where only the founders have passwords, or they are in
escrow. I think there are ways to restrict the access to founders and a fail-
safe, without opening them up to anyone who works at Dropbox.

~~~
acdha
If you run their client you've already made the decision to trust them to
behave responsibly. The rest of this discussion is simply about obfuscation.

------
runjake
All this press about Dropbox is getting ridiculous. I'm almost suspecting it's
a hit job, but I'm wondering why people like de Icaza are getting involved.

Pay attention to the two following rules. They are, and always have been true.
Write them down if need be:

1.) The government can demand files from any US (and many non-US) companies.
The company is then legally-obligated to turn them over.

In the past, the government has even successfully demanded data without the
proper warrants (read about the VZW/AT&T/Qwest/NSA fiascos).

2.) Your cloud data is always subject to security breaches and provider
employee abuse. Encrypt accordingly (I prefer DMG and TrueCrypt).

Why is this news? Did people not understand this?

------
tzs
It is possible to design a Dropbox-like system with the following properties:

1. Files are stored encrypted.

2. The service provider does not have the ability to arbitrarily decrypt the
files. By "arbitrarily decrypt" I mean decrypt at any time they wish. They
will be able to decrypt if the owner's client is actively connected.

3. When someone uploads a file that is identical to an existing file, it
initially is stored separately, but in most cases can be eventually de-
duplicated, without compromising #1 or #2.

I'll leave the details as a fun exercise.

~~~
tzs
Scratch that. I've got an even better design than what I was thinking of
above. It makes it so the service provider never has access to the unencrypted
data, and they can fully de-dup immediately, and it supports all Dropbox
features.

    Let F be an arbitrary file.
    Let N(F) be the name your client knows the file by.
    Let H(F) be a hash of the file that produces a 256 bit hash.
    Let AES(X,K) be X encrypted using AES with key K.

When you upload to the cloud, you upload AES(F,H(F)). In a local database, you
store (N(F), H(F)). When you later retrieve the file from the cloud, you
receive the encrypted data, and you can lookup the key, H(F), in your local
database.

Note that if two different users upload files with the same content, they pick the
same encryption key (since the key comes from a hash of the content), and so
the same data gets uploaded. The service can thus do de-duplication, even
though it has no access to unencrypted data.

So far, all this provides is secure storage. What makes Dropbox useful is that
a file uploaded on one computer can be downloaded on another, and that only
works if the downloader knows H(F).

This is solved by also uploading a copy of that local database I mentioned,
the one that stores the (N(F), H(F)) pairs. This can be encrypted with the
account password.

Syncing between different devices on the same account is then a two step
process. First, the name/key database is synced, and then both devices have
access to the keys and then the files can be synced.

I believe web access can be handled via this system. Dropbox's web interface
requires Javascript, so it could have the browser retrieve the name/key
database and decrypt it using the account password, which gives it the access
to the key to decrypt a given file.

For shared folders, you can use a public key system, where the keys for the
shared files are encrypted with the public keys of each person you are sharing
the folder with, and the encrypted key files are stored in the cloud. Anyone
accessing the shared folder grabs the key file for the folder and uses their
private key (which is protected by the account password) to get K(F) for the
file.

I believe this covers everything Dropbox does, with the properties that:

1. They can't decrypt your files.

2. They can de-duplicate completely.

3. Your account password is the key for everything for you.

4. It satisfies all of their advertising claims for security.

~~~
pieter
There's still a big problem with de-duplication: Dropbox can still figure out
which users have the same file, thus leaking information. That, combined with
the fact that they'll know the size of the file already gives them a lot of
info.

For example, if the FBI seizes a computer and finds some illegal files, they
can still request Dropbox to give a list of users that have the same file.
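
The design tzs sketches above, carried through end to end as an added example (this is not the commenter's code and not Dropbox's): the file key is H(F), the ciphertext is de-duplicated by the provider, the (N(F), H(F)) table is synced under a key derived from the account password, and a second device syncs in the two steps described (table first, then files). The same block also shows the leak pieter raises in the reply just above: with no key at all, the provider can take any plaintext it already possesses, recompute its blob id and list the accounts holding it. AES is replaced here by an HMAC-SHA256 counter-mode keystream so the block runs on Python's standard library alone; the account names, passwords and sample file are constructed for the example.

```python
import hashlib
import hmac
import json
import os


def H(data: bytes) -> bytes:
    """H(F): 256-bit content hash, which doubles as the file key."""
    return hashlib.sha256(data).digest()


def xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for AES(X, K) (an assumption of this example, stdlib only): XOR with a
    counter-mode HMAC-SHA256 keystream. Deterministic for a fixed nonce, as dedup needs."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class CloudStore:
    """The provider: holds ciphertext by hash and encrypted name/key tables, never a key."""

    def __init__(self):
        self.blobs = {}      # blob_id -> ciphertext
        self.owners = {}     # blob_id -> {account, ...}: the metadata dedup exposes
        self.databases = {}  # account -> encrypted (N(F), H(F)) table

    def put_blob(self, account: str, blob_id: str, ciphertext: bytes) -> bool:
        """Store once, record every owner; returns True when de-duplicated."""
        duplicate = blob_id in self.blobs
        self.blobs.setdefault(blob_id, ciphertext)
        self.owners.setdefault(blob_id, set()).add(account)
        return duplicate


class Client:
    """One device on one account; its (N(F), H(F)) table syncs under a password-derived key."""

    def __init__(self, store: CloudStore, account: str, password: str):
        self.store, self.account = store, account
        self.db_key = hashlib.pbkdf2_hmac("sha256", password.encode(), account.encode(), 200_000)
        self.db = {}         # N(F) -> (blob_id, H(F) as hex)

    def upload(self, name: str, content: bytes) -> bool:
        key = H(content)                                  # the key comes from the content
        ciphertext = xor_keystream(key, b"", content)     # same content -> same bytes
        blob_id = hashlib.sha256(ciphertext).hexdigest()  # the provider's dedup handle
        deduped = self.store.put_blob(self.account, blob_id, ciphertext)
        self.db[name] = (blob_id, key.hex())
        self.push_database()
        return deduped

    def push_database(self) -> None:
        nonce = os.urandom(16)                            # fresh nonce: the table must not dedup
        body = xor_keystream(self.db_key, nonce, json.dumps(self.db).encode())
        tag = hmac.new(self.db_key, nonce + body, hashlib.sha256).digest()
        self.store.databases[self.account] = nonce + body + tag

    def pull_database(self) -> None:
        enc = self.store.databases[self.account]
        nonce, body, tag = enc[:16], enc[16:-32], enc[-32:]
        expect = hmac.new(self.db_key, nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError("wrong account password or tampered table")
        table = json.loads(xor_keystream(self.db_key, nonce, body))
        self.db = {n: tuple(v) for n, v in table.items()}

    def download(self, name: str) -> bytes:
        blob_id, key_hex = self.db[name]
        key = bytes.fromhex(key_hex)
        content = xor_keystream(key, b"", self.store.blobs[blob_id])
        if H(content) != key:                             # the key is also the integrity check
            raise ValueError("ciphertext does not match its key")
        return content


def accounts_holding(store: CloudStore, candidate: bytes) -> set:
    """What the provider learns with no key: for a plaintext it already has, recompute the
    blob id and list every account storing it (the leak raised in the reply above)."""
    blob_id = hashlib.sha256(xor_keystream(H(candidate), b"", candidate)).hexdigest()
    return set(store.owners.get(blob_id, ()))


def demo() -> dict:
    store = CloudStore()
    report = b"Q1 figures: revenue 12, cost 9 (constructed sample file)"
    Client(store, "alice", "correct horse battery").upload("report.txt", report)
    phone = Client(store, "alice", "correct horse battery")   # second device, same account
    phone.pull_database()                                     # sync step 1: the key table
    return {
        "phone_roundtrip": phone.download("report.txt") == report,   # sync step 2: the file
        "bob_deduped": Client(store, "bob", "hunter2").upload("copy.txt", report),
        "provider_sees": accounts_holding(store, report),
        "blobs_stored": len(store.blobs),
    }
```

Two points the code makes that the prose does not: because the key is the hash of the plaintext, a client can verify a downloaded file simply by rehashing it, so no separate MAC is needed on the file blobs; and the name/key table must be encrypted with a fresh random nonce each push, because it is the one object that must never be deterministic or de-duplicable. The provider still ends up with `owners`, which is exactly the "who has this file" list the reply above is worried about.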

~~~
whatusername
As has been mentioned elsewhere in the thread -- de-dupe isn't responsible. If
Dropbox is storing your files -- then the TLA can always request Dropbox to
give a list of users that have the same file. (Unless you have some form of
independent crypto/hashing)

~~~
pieter
yes, thank you for rewording my comment.

------
zdw
Couple this with the unencrypted metadata on mobile problem:
[https://grepular.com/Dropbox_Mobile_Less_Secure_Than_Dropbox...](https://grepular.com/Dropbox_Mobile_Less_Secure_Than_Dropbox_Desktop)

And how their "encryption" on the server side is basically a lie, as they do
dedupe on data:
[http://paranoia.dubfire.net/2011/04/how-dropbox-sacrifices-u...](http://paranoia.dubfire.net/2011/04/how-dropbox-sacrifices-user-privacy-for.html)

I'm stunned that anyone would use them for anything for ephemeral data you
wouldn't mind posting in public.

~~~
arashf
hi there, arash from dropbox here. all data is (as we state in the referenced
help article) encrypted before it's stored on the backend. I'm not sure why
you're concluding that de-duplication implies lack of encryption. the de-
duplication occurs prior to encryption.

all data on dropbox can be made shareable and is web viewable. as a
consequence, we do need the ability to decrypt in the cloud.

re. employee access to files - there are controls to prevent this. for
example, even drew (founder/CEO), doesn't have physical access to our storage
servers anymore.

for very sensitive data, there's always the option to use truecrypt (we even
offer this as a recommendation in our security documentation:
<https://www.dropbox.com/terms#security>)

~~~
zdw
Dedupe and cleartext metadata as stated in the article I referenced, would
allow for the following possibilities:

If an attacker could figure out the hash method used by dropbox on the files
and intercept a few hashes from a victim, it's plausible that an attacker
could trick the service into thinking that he had uploaded the files on his
own account, allowing access to the victim's files.

Could you explain what would need to be done to protect against this attack
method?

Security is hard - I hope yours improves.

~~~
arashf
cryptographic signatures of files are never transmitted over plaintext. yes,
the current incarnation of the mobile apps don't encrypt the _names_ of the
files but we are working on a fix for this as soon as we can adequately
improve the SSL performance of our mobile apps.

------
chrishenn
Relying on others to safeguard/encrypt your personal data just doesn't make
sense to me, in the same way that closed-source cryptography doesn't make
sense.

If dropbox is claiming a false sense of security then that is an issue, but
users that truly care about their data should resort to truecrypt or something
where they are the _only_ ones who control access. You can sync your files
with dropbox and keep them safe with a truecrypt volume. Or if that is too much
of a pain, only do so for sensitive files. Have your cake and eat it too!

------
MetallicCloud
Wouldn't they have to keep the keys on their servers? Otherwise when my
computer dies, I wouldn't be able to access my files from a different
computer.

------
kevinpet
This is the second completely unreasonable press attack on Dropbox. They are
so unreasonable that I have trouble believing a reasonable person would think
they are valid complaints unless they were trying to sell me a competing
product.

Everyone with any security sense knows:

1. If someone gains access to your computer, and they can read your hard
drive, and your computer can automatically log in to some service, then they
can log in to that service.

2. If you can access the data without decrypting it locally, then your
service provider can too. In a fantastically secure system, they will have to
decide to do so and then wait for you to log in, but that's pretty unusual.

I predict next week we will get an article pointing out that I can get your
files by breaking into your email account and then using the reset password
feature.

------
jeffreyg
There was a really good thread in /r/netsec a few days ago about encrypting
your dropbox:

[http://www.reddit.com/r/netsec/comments/gowvu/doityourself_e...](http://www.reddit.com/r/netsec/comments/gowvu/doityourself_encrypted_dropbox_any_ideas/)

------
joanou
Dropbox is a good service, and I am sure file access is limited to a few
employees, but I wouldn't use it for sensitive data or for a business. Any
service where you do not control the encryption keys, e.g. Box.net, and myriad
others will have the same issue. It's all about tradeoffs. Ultimately they can
access your data. The truecrypt option may solve it for some but that means
the whole archive has to be shared.

AltDrive unlimited online backup versions your files and allows you to control
your encryption key. It runs on *nix, OSX, Windows, and other OSs.
<http://altdrive.com>

------
perlgeek
I don't know if that's how dropbox does it, but I could imagine that they have
a master key to which normal employees don't have access, you need the founder
and a trusted second person to retrieve it.

Thus their statement "Dropbox employees aren't able to access user files, and
when troubleshooting an account" wouldn't be too far off the mark, and they
can still make the data available to the government, on request and with
higher effort.

------
kennywinker
forgive me if I'm naive, but can file hashes be spoofed in any way? I'm
thinking upload a bunch of files that hash to random numbers, then download
the de-duplicated original files.

could someone more knowledgeable in this area tell me if this is a credible
threat?

~~~
kennywinker
and is the hashing done by the client, or server-side? because client-side
would make spoofing even easier.

~~~
steve19
Client side. If you upload a very popular 500+mb file, maybe try a popular
linux distribution iso, it will sync instantly.

~~~
taken11
so has someone written a client where you just enter hashes of popular files
you are interested in and get them synced to your dropbox?

~~~
wladimir
As far as I know, not yet. It's not even publicly known how exactly the
deduplication API works.

For example: is the hash enough to "prove" you have a file? Or do you need the
file size (and potentially other properties, such as the first block) as well?

The only way to find this out would be to look at the protocol that the
proprietary client uses.

------
grandalf
All US companies will comply with government requests for data, even Google,
when a warrant is presented.

If you don't want anyone looking at your data, use your own strong encryption
layer and hope that there's not a back door.

------
davidmduarte
I don't use Dropbox because their app on my computer has access to my
computer. The data I could send to Dropbox is as secure as the data I send to
a host or email server. ... or maybe I'm wrong. :)

~~~
drdaeman
You can sandbox it.

------
jbverschoor
If I steal your ssh private key, I can do anything I want

------
earl
truecrypt ftw

If you're uncomfortable with dropbox, put a truecrypt partition right inside
your dropbox folder.

~~~
bdhe
In theory, if multiple snapshots of truecrypt are maintained, I believe it
must be secure, but did the designers of truecrypt keep that in mind? Does
dropbox maintain periodic snapshots of uploaded files?

~~~
Maxious
Unlimited versions within last 30 days for all free and paid users (including
changesets where files are deleted), paid users can also pay extra to keep
every version since file creation.

So if you were suspected of getting a secret file and placing it in a dropbox
hosted truecrypt volume, there would be a record of the time/date of altering
the truecrypt volume and the possibility to compare the differences between
two versions.

