Deduplication, encryption, security and... Dropbox

wraith808:
I don't find that their answers explain much... unfortunately.
-Armando (April 15, 2011, 04:04 PM)
--- End quote ---

And I don't find it in the least comforting.
-phitsc (April 15, 2011, 04:06 PM)
--- End quote ---

And I found it actually made me more concerned, rather than less.  Because it shows (1) PR backpedaling and (2) a basic lack of awareness about the competition.  I *know* that Jungle Disk does offer encryption (though I don't use it, because it slows down the sync, and I don't really store anything that I care about using the sync service) and I'm pretty sure that others do also.

Encryption (Bucket Password)

Jungle Disk makes it easy to protect your remotely stored data with encryption. Encryption ensures that no one can access your data as it is transmitted over the Internet or stored on remote servers.
Note that regardless of whether you enable encryption using a custom key, your data is always encrypted while transmitted over the Internet by using SSL (like your bank web site). Choosing a custom encryption key means that your files will be encrypted while stored on Amazon's servers as well.
Be careful when enabling encryption. If you forget the encryption key you select you will not be able to retrieve your files in the future. You should write down a copy of your key and keep it in a safe place. If you lose your key neither Jungle Disk nor Amazon can help you retrieve it.
To enable Encryption, select the “Encrypt files using a custom key” option and type an encryption key (password) into the Custom Encryption Key box.
There is also a box where you can enter a list of "Decryption Keys". This is only required if you want to change your custom encryption key from time to time. When you change your encryption key, existing files stored on Amazon.com servers are still encrypted with the original key. In order to be able to access them in the future, you need to keep your previous keys in the decryption keys list. If you want to re-encrypt your files with a new key you will need to re-upload them. If you attempt to download a file that was encrypted with a key that is not on your decryption keys list, Jungle Disk will display an error message.

--- End quote ---

Here are a few details on how Jungle Disk encrypts your files:
Jungle Disk encrypts files that are stored prior to uploading them using 256-bit AES. AES is an industry (and government) standard and is one of the most well studied and most secure encryption algorithms available. Jungle Disk uses a unique key for each file, and constructs the key using a HMAC that helps protect against certain attacks. Code that demonstrates how data is encrypted/decrypted is available for download on the software download page under the GPL license.

The Jungle Disk Desktop Edition adds a special metadata header to each file when it is uploaded. The header identifies the type of encryption used and contains a salt value and a one-way hash of the salted key. This allows Jungle Disk to determine the correct key to use to decrypt the file. Note that without the decryption keys the header is of no use, and you cannot even tell which files are encrypted with which keys unless you possess the keys.

--- End quote ---
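
The header check described in the quoted Jungle Disk documentation above, sketched as an added example (not Jungle Disk's code and not part of the thread). The 16-byte salt, PBKDF2-SHA256 as the one-way hash, the function names and the sample keys are assumptions; the page does not give the real header layout.

```python
import hashlib
import hmac
import os

SALT_LEN = 16  # assumed; the real header layout is not given on the page


def key_check(key: str, salt: bytes) -> bytes:
    """One-way hash of the salted key (PBKDF2-SHA256 is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", key.encode(), salt, 100_000)


def make_header(key: str) -> bytes:
    """Build salt || hash(salted key). The key itself is never stored."""
    salt = os.urandom(SALT_LEN)
    return salt + key_check(key, salt)


def select_key(header: bytes, key_list: list) -> str:
    """Return the entry of key_list that this file was encrypted with."""
    salt, stored = header[:SALT_LEN], header[SALT_LEN:]
    for candidate in key_list:
        # Constant-time compare, so timing does not leak partial matches.
        if hmac.compare_digest(key_check(candidate, salt), stored):
            return candidate
    raise KeyError("no key in the decryption keys list matches this file")


if __name__ == "__main__":
    # Constructed sample: one file uploaded before a key change, one after.
    old_file = make_header("spring-2010-key")
    new_file = make_header("spring-2011-key")
    keys = ["spring-2011-key", "spring-2010-key"]  # current key + decryption keys
    print(select_key(old_file, keys))
    print(select_key(new_file, keys))
    # Fresh salt per file: same key, different header, so headers alone
    # do not reveal which files share a key.
    print(make_header("spring-2011-key") != new_file)
    try:
        select_key(old_file, ["spring-2011-key"])  # old key dropped from list
    except KeyError as err:
        print("error:", err)
```
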

phitsc:
And I found it actually made me more concerned, rather than less.  Because it shows (1) PR backpedaling and (2) a basic lack of awareness about the competition.  I *know* that Jungle Disk does offer encryption (though I don't use it, because it slows down the sync, and I don't really store anything that I care about using the sync service) and I'm pretty sure that others do also.
-wraith808 (April 15, 2011, 04:22 PM)
--- End quote ---

Yep, I agree. Same for SpiderOak (which I'm not personally using (yet)). At least their FAQ about their "zero knowledge" indicates as much.

f0dder:
For SpiderOak, they can't even intercept your data at server-side before encryption, because it's done client-side... and encryption really shouldn't slow anything down unless you've got an insane-speed internet connection :)

Also, if you expect the files themselves to be encrypted using your actual password as the key then we'd have to re-encrypt all of your files every time you change your password.
--- End quote ---
Doesn't really need to be "encrypted using your actual password" - generate a random encryption key, encrypt that encryption key using the password. Lets you change the passphrase without re-encrypting all the content...

After that reply of theirs, and the recent exploits against it, I don't think I'd touch dropbox with a 42 foot pole.
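
The scheme f0dder describes above, as an added sketch (not from the thread, and not Dropbox's or SpiderOak's code): a random data key is wrapped under a passphrase-derived key, so a passphrase change rewrites only the small wrapped blob. The function names, PBKDF2 parameters and blob layout are assumptions, and the XOR pad with an HMAC tag is a standard-library stand-in for the AES key wrap or AEAD a real client would use; file encryption under the data key is left out.

```python
import hashlib
import hmac
import secrets

SALT_LEN, KEY_LEN, TAG_LEN = 16, 32, 32  # assumed blob layout: salt|wrapped|tag


def derive_kek(passphrase: str, salt: bytes):
    """Stretch the passphrase into a 32-byte pad and a 32-byte MAC key."""
    out = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=64)
    return out[:KEY_LEN], out[KEY_LEN:]


def wrap_key(data_key: bytes, passphrase: str) -> bytes:
    salt = secrets.token_bytes(SALT_LEN)  # fresh salt, so the pad is never reused
    pad, mac_key = derive_kek(passphrase, salt)
    wrapped = bytes(a ^ b for a, b in zip(data_key, pad))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return salt + wrapped + tag


def unwrap_key(blob: bytes, passphrase: str) -> bytes:
    salt, wrapped, tag = blob[:SALT_LEN], blob[SALT_LEN:-TAG_LEN], blob[-TAG_LEN:]
    pad, mac_key = derive_kek(passphrase, salt)
    expected = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or corrupted key blob")
    return bytes(a ^ b for a, b in zip(wrapped, pad))


def new_vault(passphrase: str):
    """Create the random data key that files are encrypted under, and wrap it."""
    data_key = secrets.token_bytes(KEY_LEN)
    return data_key, wrap_key(data_key, passphrase)


def change_passphrase(blob: bytes, old: str, new: str) -> bytes:
    """Re-wrap the same data key; stored file ciphertexts are untouched."""
    return wrap_key(unwrap_key(blob, old), new)


if __name__ == "__main__":
    data_key, blob = new_vault("first passphrase")  # constructed sample values
    blob = change_passphrase(blob, "first passphrase", "second passphrase")
    print(unwrap_key(blob, "second passphrase") == data_key)
```
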

wraith808:
... and encryption really shouldn't slow anything down unless you've got an insane-speed internet connection :)
-f0dder (April 15, 2011, 05:25 PM)
--- End quote ---

Wouldn't the act of encryption slow things down?  i.e. step 1 encrypt, step 2 upload instead of just step 1 upload?

phitsc:
I've asked Dropbox support if their FAQ statement that says that "Dropbox employees aren't able to access user files" were really true. Their response:

Yes. Dropbox employees can't access the file's contents. They can see the file names, move, delete or even restore files, but can't view them. The only exceptions are the executive staff who have a vested interest in the company.
--- End quote ---

I have to admit that I am shocked about their slack interpretation of the word "employee". To be honest, I feel cheated by that FAQ statement. Already the fact that any employee could actually delete my files is unbelievable.

Anyone who's already a SpiderOak user wants to send me an invitation? I think they have a referral program.
