Jono's Corner

How deep is your faith… in the cloud?

I started a small blog in 2011 to talk about a file sync project I was creating, Mybox. While trying to find some of my old writings, I found one of the earlier posts on the Wayback Machine.

In the past few days there has been some buzz about two seemingly major security issues in Dropbox. What can we learn from these, and why were these so major that Jupiter Broadcasting dedicated most of a show to it? I will begin by saying, yes, I like Dropbox. It was what inspired Mybox in the first place. And yes, I pay attention when it is mentioned in the news and occasionally check the Dropbox Feature Request site just to keep up with the state of sync.

However, my intention is not to copy Dropbox verbatim. I just want to do what they have done with filesystem integration and bring it to open source. There are certainly things I would do differently; for example, I have a different interface in mind for selective sync, as I have had since before their implementation. I try not to think in terms of “What would Dropbox do?”

Back to the news. The first concern is the Dropbox server-side encryption method. They have made it clear that the Dropbox company has the power to decrypt user data. To this I say, if you are storing anything in the cloud it is best to assume it is unsafe, for several reasons. This is why I would not store passwords in a Gmail account, and while I like Firefox’s password sync feature, it is most certainly safer to sync to your own server than use theirs. So, keep your sensitive data out of Dropbox or, if it has to be there, encrypt it before it gets to their servers.

This is a good case for Mybox in that a single organization can host their own server. All confidential information to that organization can be managed by the organization itself, rather than an outside entity. You don’t have to be Richard Stallman to see the dangers of putting all your assets in someone else’s hands.

The second issue is much more severe and concerns user authentication spoofing. If someone is able to get their hands on a specific file in the application settings for your Dropbox install, they can easily pretend they are you and get your data. Even changing your password will not thwart the malicious user. This is interesting because I have been thinking about how to perform password updates recently. I have thought that once a user changes their password on the server, they will have to enter it again on the client. I am not sure how this is going to work because I have not settled on a security layer yet, but this will probably happen through remote invalidation of the client’s security key.
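The remote invalidation described above, sketched as an added example (not Mybox or Dropbox code); the `SyncServer` class, the device key format and the sample account are assumptions made for illustration. With the flag off, a key copied from the client's settings keeps working after a password change; with it on, the password change revokes it.

```python
import hashlib
import hmac
import secrets


class SyncServer:
    """Toy sync server: clients log in once, then present a stored device key."""

    def __init__(self, revoke_on_password_change):
        self.revoke_on_password_change = revoke_on_password_change
        self._users = {}        # username -> (salt, password hash)
        self._device_keys = {}  # sha256(device key) -> username

    @staticmethod
    def _hash_password(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def set_password(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash_password(password, salt))
        if self.revoke_on_password_change:
            # Remote invalidation: drop every device key issued to this user.
            self._device_keys = {d: u for d, u in self._device_keys.items()
                                 if u != username}

    def login(self, username, password):
        """Check the password and issue a device key for the client to store."""
        if username not in self._users:
            return None
        salt, stored = self._users[username]
        if not hmac.compare_digest(stored, self._hash_password(password, salt)):
            return None
        key = secrets.token_hex(32)
        # Only a digest is stored server-side, never the key itself.
        self._device_keys[hashlib.sha256(key.encode()).hexdigest()] = username
        return key

    def authenticate(self, device_key):
        """Return the username the device key belongs to, or None if revoked."""
        digest = hashlib.sha256(device_key.encode()).hexdigest()
        return self._device_keys.get(digest)


def copied_key_survives(revoke_on_password_change):
    """Does a key copied from client settings still work after a password change?"""
    server = SyncServer(revoke_on_password_change)
    server.set_password("alice", "old-password")    # constructed sample account
    copied = server.login("alice", "old-password")  # key a third party copied
    server.set_password("alice", "new-password")
    return server.authenticate(copied) == "alice"
```

After revocation the legitimate client has to call `login` again with the new password to obtain a fresh key, which matches the re-entry step described above.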

While Dropbox figures out how to address these, here is a quick side-thought about web services. I don’t take an out-of-house service at their word because I don’t know who they are (in terms of intent or knowledge) or who they might become. But my complaint is about the users, not the providers. This holds even more for free services. I don’t understand why people complain about free web services. You are free to use them and free to stop using them. If Facebook decides to change their homepage, deal with it. If Dropbox decides to sell your files, then so it is. If Gmail deletes all your email by accident, don’t be shocked. It could happen to anyone.

I have nothing against any of these services. I use and admire them for being powerful tools. All I am saying is that faith in the cloud is an expected but false luxury.