Security

Dropbox: Convenient? Absolutely, but is it secure?

A potential security lapse and possibly misleading statements are plaguing Dropbox, a hugely popular file-syncing app. What are the issues and is concern justified?

Some statistics:

  • Currently 25 million people use Dropbox.
  • Dropbox members are spread over 175 countries.
  • On any given day, over 200 million files are saved in Dropbox.

Not bad for a service four years old. Drew Houston, co-founder and CEO, points out:

"Dropbox transforms the way people create and share their life's work. Whether that's designing buildings, writing music, or raising a family, we're focused on making it effortless to have your files wherever you need them, on any computer or phone."

So, what is Dropbox?

From Dropbox:

"Dropbox is a service that lets you bring all your photos, docs, and videos anywhere, and share them easily. Any file you save to your Dropbox will automatically save to all your computers, your phone or iPad, and the Dropbox website."

Dropbox offers:

  • 2 GB of Dropbox space for free, with subscriptions up to 100 GB available.
  • Offline access: your files are available whether you have a connection or not.
  • Files are also available from the Dropbox website.
  • Clients for Windows, Mac, Linux, iPhone, iPad, Android, and BlackBerry.
  • To save time and bandwidth, Dropbox only transfers the parts of a file that change.

Dropbox also has the ability to share files with others. And, if your computer melts down, you can restore all your files from the Dropbox website.

Is there a problem?

Anyone who knows me understands one thing: I ask questions, lots of questions. It's my grandfather's fault. I can still hear him: "How in hell can you make a good decision if you don't know the facts?" Thanks to Grandpa, I pay attention when something is "up close and personal".

Warning: This is one of those times.

Two highly skilled researchers, Derek Newton and Christopher Soghoian, have issues with Dropbox. Newton stumbled onto a viable attack vector, and Soghoian found serious inconsistencies in the Dropbox privacy policy.

I use Dropbox. And, when security researchers I'm familiar with publicly post warnings, a bomb goes off in my head. Besides, I know many people who use Dropbox.

So, like all good journalists (particularly those with grandfathers like mine), I feel obligated to gather the facts as presented by all parties. To that end, I contacted Dropbox. The following questions were answered by ChenLi Wang, Business Operations at Dropbox.

Kassner: The "How secure is Dropbox?" web page states:

"Your files are actually safer while stored in your Dropbox than on your computer in some cases. We use the same secure methods as banks and the military."

What does that mean?

Dropbox: We all have stories from our family and friends about the file that was accidentally deleted or replaced, the inadvertent coffee spill, the dropped laptop, the USB stick gone missing.

We believe that storing data in Dropbox is far safer than how many of them store data currently, and we've designed Dropbox to help users avoid the most common threats to their data.

Kassner: Derek Newton posted the following on his blog:

"If you gain access to a person's Dropbox config.db file (or just the host_id), you gain complete access to the person's Dropbox. Taking the config.db file, copying it onto another system then starting the Dropbox client immediately joins that system into the synchronization group."

I understand this requires contact (physical or remote access) with the computer. Still, if successful, a third party would have access to all the files in the Dropbox account. Do you consider this to be a problem?

Dropbox: Unfortunately, when a computer is compromised physically or by a trojan/virus, all applications and data on the computer are at risk. That said, there were things we could do to make Dropbox more resistant to attacks from someone with access to your computer, and we immediately began working on a solution.

First, we released an update to the Dropbox client software that set more restrictive permissions on the folder that stores the authentication file.

Next, about a month ago, we released to our user forums a build of the client that encrypts the entire config.db file, making user credentials much harder to steal. We will be auto-upgrading all users to this build soon; the encrypted config.db file breaks several third-party apps, so we want to give them a chance to design workarounds first.

Also, it is possible to see what computers have access to the Dropbox files by logging into the web interface and going to this link.

If a computer is not recognized, unlink it.
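A defender-side check for the first mitigation Dropbox describes above, that the folder holding the authentication file is readable by its owner only. This is an added example, not Dropbox's own code: the directory layout and file contents it builds are constructed stand-ins, and it assumes a POSIX file system where mode bits are enforced (it is not meaningful on Windows).

```python
import stat
import tempfile
from pathlib import Path

# Any of these bits lets a user other than the owner read, write or
# traverse the entry: group rwx and other rwx.
NON_OWNER_BITS = stat.S_IRWXG | stat.S_IRWXO


def audit_config_dir(config_dir):
    """Return a sorted list of (path, mode) for every entry under
    config_dir that group or other can read, write or execute.

    An empty list means the directory and everything in it is owner-only,
    which is the posture a bearer credential such as the host_id in
    config.db needs on a machine with more than one user account."""
    findings = []
    root = Path(config_dir)
    for path in [root, *root.rglob("*")]:
        if path.is_symlink():
            # A symlink's own mode bits are not enforced; skip it.
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & NON_OWNER_BITS:
            findings.append((str(path), oct(mode)))
    return sorted(findings)


def harden_config_dir(config_dir):
    """Apply owner-only modes (0700 on directories, 0600 on files) and
    return how many entries were changed."""
    changed = 0
    root = Path(config_dir)
    for path in [root, *root.rglob("*")]:
        if path.is_symlink():
            continue
        wanted = 0o700 if path.is_dir() else 0o600
        if stat.S_IMODE(path.stat().st_mode) != wanted:
            path.chmod(wanted)
            changed += 1
    return changed


def demo():
    """Build a constructed config directory with the weak, world-readable
    layout, audit it, harden it and audit again.

    Returns (findings_before, entries_changed, findings_after)."""
    tmp = Path(tempfile.mkdtemp(prefix="config-demo-"))
    # Constructed stand-in for the client's authentication file; the real
    # one carries a host_id that the text describes as granting full access.
    (tmp / "config.db").write_bytes(b"host_id = <constructed-placeholder>\n")
    (tmp / "cache").mkdir()
    (tmp / "cache" / "entry").write_bytes(b"\x00")
    # Typical default modes on a shared workstation: readable by everyone.
    tmp.chmod(0o755)
    (tmp / "config.db").chmod(0o644)
    (tmp / "cache").chmod(0o755)
    (tmp / "cache" / "entry").chmod(0o644)

    before = audit_config_dir(tmp)
    changed = harden_config_dir(tmp)
    after = audit_config_dir(tmp)
    return before, changed, after


if __name__ == "__main__":
    before, changed, after = demo()
    print("weak entries before:", before)
    print("entries changed:", changed)
    print("weak entries after:", after)
```

Pointing `audit_config_dir` at a real client configuration directory gives a quick answer to whether the permission fix Dropbox describes has actually taken effect on a given machine.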

Kassner: Christopher Soghoian filed a complaint with the FTC. He alleged Dropbox misinformed the public about the protection of user data. Prior to April 2011, Dropbox stated on this webpage:

"All files stored on Dropbox servers are encrypted (AES256) and are inaccessible without your account password."

After April, it changed to:

"All files stored on Dropbox servers are encrypted (AES 256)."

Would you explain why you changed this?

Dropbox: We were explaining that there are multiple safeguards on your data: that the files are stored encrypted and in addition, protected by your access credentials. However, a security professional could incorrectly infer that the encryption key comes from the user's password, so we've separated the two points for clarity.

Kassner: Soghoian also pointed out that the following quote from the same Dropbox webpage changed. It originally read:

"Dropbox employees aren't able to access user files, and when troubleshooting an account, they only have access to file metadata (filenames, file sizes, etc. not the file contents)."

Became:

"Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (e.g., file names and locations)."

Why did the statement change?

Dropbox: "Dropbox employees aren't able to access user files." That means that we prevent such access via access controls on our backend as well as strict policy prohibitions. That statement didn't say anything about who holds encryption keys or what mechanisms prevent access to the data. We updated our help article and security overview to be explicit about this:

"Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (e.g., file names and locations). Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that's the rare exception, not the rule.

We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access."

Kassner: Thank you for providing your position with regards to the allegations. I have a few security questions as well.

In the iPhone Dropbox app, a four-digit passcode is required to open the application. Do you have any plans for an option that would allow more complex passcodes?

Dropbox: Users have not requested this feature to date. The iPhone passcode is intended to protect the user's files in case the phone is lost or stolen. Users can enable a setting that will delete the Dropbox data on the phone should the wrong passcode be entered over ten times. It is not a replacement for the password on the account, which is required to link the Dropbox to the iPhone for the first time.

Kassner: There is a third-party application called SecretSync that encrypts files before they are transferred to Dropbox. Would you recommend it for people who would like additional security? Would TrueCrypt be another option?

Dropbox: Yes, we have always recommended third-party encryption solutions for advanced users who are comfortable managing their own encryption keys. TrueCrypt has been the most popular option to date, but other solutions include EncFS, SecretSync, and BoxCryptor.

It's important to understand that user-managed encryption has tradeoffs. First, many people publicly share photos and documents through Dropbox, and this will not be possible if those files are encrypted before being placed in Dropbox. Second, if they lose the password or encryption key to the files they encrypted themselves, those files are lost forever.

Final thoughts

Convenience versus security, the problem with all SaaS applications, has landed at Dropbox. How much do you trust the service provider?

Hopefully, I have provided enough information to make an informed decision about how to use Dropbox. Thanks, Grandpa.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

66 comments
passdropit

A little self-promo here... I had some issues with this, so I rolled my own password protection onto Dropbox links. Now I'm making a product out of it... check it out at http://passdropit.com 

kprivigyi

Our company hired a guy, and the first thing he did was install Dropbox, copy our customer lists, files, etc., and then quit. Even discovering it the next day is too late. Of course I blacklisted it. Who cares how secure it is, when its primary functionality is a direct threat to a company?

FinancialPlanner

Our company recently switched over from Dropbox to Google Drive due to one very important security issue with Dropbox. We discovered that sharing a file that is already shared will give the recipient top level access. For example, I share my client files with my administrative assistant. If I try to share a specific client file with a client, then that client would be able to see all of our clients folders. I talked to somebody at Dropbox about this, but they didn't seem too concerned. This is a lawsuit waiting to happen.

nxb3942

I think everyone would prefer more security to less, but it's about who wants to pay for it and how much it is worth to them. Most individuals would never get something like www.thruinc.com/solutions/secure-dropbox/ but lots of businesses do because they need the extra security and functionality for many reasons that help them to make more money or keep from losing money.

Doug Vitale

If you upload files to a third party like Dropbox that are of a sensitive or private nature (tax returns, internal use business documents, photos with the potential to cause embarrassment, etc) you are making the hefty assumption that the third party will effectively safeguard your files (i.e., absolutely maintain their confidentiality and integrity). This being the case, you should only ever store such files on drives or media that you personally can oversee and administer. Dropbox and MediaFire are fine for MP3s, eBooks, harmless photos, and the like. If you decide to upload sensitive files to a third party, you assume the risk and should not act surprised or annoyed when breaches occur.

emartin

The URL you provide for SecretSync is broken up into two different links. The "front half" link takes you to their website, the "back half" takes you nowhere.

chriscos

It is true that you may be risking the security of your data by sharing it and using Dropbox, but it is a price that is paid through various synchronization services like that of Dropbox. Does there exist a file sharing and storing service that can guarantee you security along with easy usability and functionality?

dnletoile

Keep in mind the issue of allowing the use of Dropbox at your company by employees. Dropbox would make it much easier to copy restricted company files by a disgruntled employee than copying them to a flash drive. Granted, you can set your servers to log that activity, but that's a heck of a lot of data to keep/store...and by the time you notice (if at all) "Elvis has already left the building". We block Dropbox access at my job site.

seanferd

And I don't see anywhere that it is suggested that users use their own encryption for sensitive data in the main marketing pages. Possibly under the support links, but no one reads those until there is a problem. A quick mention could be easily used as a positive selling point. (But that may get in the way of the hip new web page style that uses loads of whitespace.)

santeewelding

All them multiple posts, or has your encryption gone haywire, too?

tbmay

People either care about security or they don't. Most don't.

hankgringer

There are always risks. Dropbox is a rather good service. But I faced the same problem with the file size limit, and not only me obviously. I can't even upload one single movie. That's why I prefer to stick to 4Sync with the 2Gb file size option and 15Gb of free storage.

Neon Samurai

From all I've read, Jungle Disk is set up in such a way that even its own staff cannot access and decrypt users' data. The Politzia need to visit the user with a warrant for the login details rather than hit up Jungle Disk without the user's awareness. I've forgotten the name of the others.. wooble.. wube.. something like that is another up to the industry's better standard of not being able to access its users' data stores.

Michael Kassner

The other problem that surfaces is encryption services do not always work on mobile devices. For example, as far as I know, TrueCrypt is not ported to the iPhone. One of the big reasons for using Dropbox is to have files synced to mobile phones. Now you have to make a choice. And, due to its popularity, all sorts of mobile apps sync using Dropbox, which adds to the anguish.

baconseet

Is there a Dropbox hosted within a company that employees can use to sync from their PC, iPhone, and iPads? Beef up with security features for the host within the organization. Will this be something useful for corporates?

Michael Kassner

How do you go about blocking Dropbox? I have been wondering how to do that. I have not checked the packet traffic yet to see if that is an option.

chenli wang

Hi Sean, You can find this information in the Security Overview, in the Help Center, and quite extensively discussed in the forums:

https://www.dropbox.com/security
http://www.dropbox.com/help/28
http://forums.dropbox.com/search.php?search=truecrypt

We want to make Dropbox easy to understand and simple to use for the mainstream consumer audience, so we have not talked about third-party encryption on our features page. The question of what data is "sensitive" is different for different people, but we recommend third-party encryption for more advanced users who understand and feel comfortable with these solutions. The help center is frequently the next place users go for questions, and we do discuss TrueCrypt there. Many of our more advanced/technical users also go to our forums to discuss how they use different encryption solutions on top of Dropbox.

Michael Kassner

If they are keeping things "close to the vest" due to the injunction. The way I found to move around the website was to use the "fine-print" links at the bottom of the home page. Sean, PM me please.

apotheon

I find that most people tend to: 1. refuse to learn about different ways of doing things that might be more secure and no more difficult than how they already do them (or, in some cases, even easier than how they already do things) 2. Nope, I guess there's just that one case that comes to mind right now. Everything else that springs to mind to add as another enumerated point can be derived from point 1.

apotheon

If you're using the iPhone to manage your data, you either don't care about the security of your data or don't understand security.

dnletoile

We started taking a two-prong method. Initially, we blocked the domain name on our web filter. Next, we will add the application to our "denied application" list to prevent the program from executing on workstations.

seanferd

You maintain that one more bullet point saying that a user can also use their own encryption on files prior to uploading would be confusing? I'd expect that people who are not storing anything that they consider to be sensitive would just ignore it. People to whom the option may apply might stop and think, "Hey, good idea. Why should I count entirely on someone else to secure my data? I should take some responsible action here." Why should you, as a service, be in a position where people who don't think about security (maybe until they see it mentioned as one more feature) are going to wrongly blame you for their own errors?

> The help center is frequently the next place users go for questions, and we do discuss TrueCrypt there.

I do volunteer support for another well-defined and entirely unrelated service, with plenty of KB articles, instructions, and a forum filled with previously answered questions and solved problems. Many people seeking support are quite incapable of reading anything beyond the one or two pages that they absolutely had to load to sign up, never mind all the links to readily available information. Maybe your experience is different. But like Facebook, I rather suspect you have users who expect that certain people can access their files while others cannot, magically. (Again, not via proper configuration or taking precautions, but magically.) I suppose that your mileage may vary. Best wishes to you and Dropbox.

seanferd

I'm sure there are plenty of good reasons to not address publicly those claims at this time.

Michael Kassner

I tend to see the opposite. Once I explain all possible pros and cons, I find that clients will lean toward increased security.

tbmay

Oh, I occasionally change minds. Often they're changing begrudgingly though. I have very recently had advanced IT pros tell me they couldn't care less about most security and privacy concerns. They think obscurity is "good enough" security. "There's really no need to put in a VPN. What are the chances anyone's going to be actually snooping?" This was in regard to two networks passing HIGHLY sensitive data. I won't say any more. If people who know better, people who know full well what a packet trace is and have done them, have that attitude, why the heck would we expect the non-technical people to be better?

Michael Kassner

Quite closely. Most of the time it is seriously complex. I then ask for his junior version.

JCitizen

I was also impressed with the author's statement about responsibility in reporting bugs in such sciences. He likened it to a bridge impending collapse. I agree with his dogma!

venenom

Those iPhones use state-of-the-art hardware-based encryption and unless you're using a 4-digit number in order to log on, yes, your data is actually very secure.

Neon Samurai

In your case, it may be encrypted behind a solid passphrase but anyone with a weak passphrase is screwed.

Michael Kassner

In the case of password managers, all Dropbox does is sync an encrypted file.

Neon Samurai

Bah.. that right there is reason to start shopping for a better password manager. As a permitted choice, perhaps. As a standard default.. not for me thanks. I can rsync just fine on my own.

apotheon

Using blacklists to block proxies is kind of a losing game. Any technically-oriented user should be able to work around a blacklist like that.

Michael Kassner

That is one of the big reasons it is so popular. My password manager uses Dropbox to sync the encrypted database. My office editor uses Dropbox to sync documents as I edit them. The list goes on and on.

Neon Samurai

Why even worry about installing a local app? All those devices ship with a web browser on them now, so you've already got a "dropbox client" installed by default. With smartphones using the mobile network instead of company-controlled wifi.. skee-roo-id

Michael Kassner

Dropbox has apps for all the phone OSs and users can access the website.

dnletoile

We don't allow proxy servers, our web filter blocks those automatically using vendor-provided lists. So many exceptions have been given to mobile device users, I can't even tell you WHAT the policy was... :-(

Michael Kassner

What is your policy on proxy servers and mobile devices?

apotheon

> I have taken several classes in debate and how to change people's minds. It is a tough thing to do, but with the right approach, one can work wonders.

. . . until they change it back. I can be pretty persuasive, but no amount of persuasion is a perfect defense against a relapse. They say distance makes the heart grow fonder, but it also tends to make the mind a bit softer. Time and distance make people give up, or forget, their earlier resolutions.

Neon Samurai

There are a few very nice ones that easily share the same database file across multiple systems. My KeePass runs happily on probably twenty different OS types and hardware sizes including PalmOS, Android and iPhone. It's an easy way to deal with the "too many passwords to remember" issue. Passwords should be disposable and unreused. Sidenote: Everyone on Facebook has been screwed since 2007. They recently fixed the issue but users need to change their passwords before the fix takes effect. (details: the way applications managed the access tokens left them sprayed across the internet in webserver logs. Anyone that plucks the token from a logged url has access to your FB profile.)

Michael Kassner

I have taken several classes in debate and how to change people's minds. It is a tough thing to do, but with the right approach, one can work wonders.

Michael Kassner

Is that encryption is not ported to smart phones. And most of the people I interviewed use Dropbox as it allows syncing to their smartphone.

itadmin

I have too many passwords already. Most of my stuff is mundane and boring and my memory isn't getting better with age. Doesn't matter where you store your stuff, someone can get at it. If you use symmetric encryption, say Twofish, to encrypt your data before storing it on Dropbox and keep the key on, say, a thumb drive, not a computer connected to Dropbox, good luck to anyone who steals your encrypted data. It will be useless.

apotheon

I can't lean over everyone's shoulder all the time, especially when they stopped paying me after the initial deployment or fix I provided.

Michael Kassner

I am forever the optimist. I try to convince people, by using what has happened to me.

pgit

Which is why I keep showing face, touching bases and reinforcing whatever small victory I've accomplished.

pgit

I wonder if it's in the delivery? I seldom fail to convince users to move in the direction of better security, even if it means inconvenience or that they have to learn and retain additional knowledge. The one big exception to that rule is I often find NoScript totally disabled. =(

Neon Samurai

outrageous.. we can't do that! (and out come the old self-comforting excuses) "no one is trying to get our stuff anyway." "what could they do with this information anyhow?" "it costs too much" "we haven't had a problem yet, we'll worry about that if it happens" "don't fix what we've decided isn't broke." bah.. you can't protect people from themselves

apotheon

. . . but the moment I stop looking over their shoulders, they start to revert to their old, bad habits.

apotheon

They don't care about the data. People only put real effort into protecting something when they actually care about it. I made that point in an article about how people "protect" their passwords, Like Passwords For Chocolate, Coming Soon To A Security Theater Near You.

ToR24

What your IT Pros really want to say is... "I don't care about YOUR data. Now if we got paid a bonus of $0.0001 for every network packet we encrypted, and $0.10 for every encrypted megabyte-file stored per month, then we'd be all over it and everything would be encrypted. We'd even encrypt VoIP, internet radio, temporary cache files, backup tapes, and USB fobs! We'd be encrypting fools!" Turn to human nature. If there weren't laws or loan requirements for people to carry insurance on stuff, how many people would actually pony up the premiums? Let's face it, encryption is insurance. Throughout the company, everyone wants to bury encryption support operations into overhead instead of programming operating costs. You need to have dedicated, capable staff encouraged with positive incentives to support a program of this complexity. Or the company needs to stash the cash for the potential loss payout, because fundamentally one person's bits of crap is another person's highly sensitive data. It all depends on who has a vested return value in those bits.