x404.co.uk
http://www.x404.co.uk/forum/

Dropbox authentication: insecure by design
http://www.x404.co.uk/forum/viewtopic.php?f=19&t=13410

Author:  forquare1 [ Wed Apr 20, 2011 9:43 pm ]
Post subject:  Dropbox authentication: insecure by design

Quote:
For the past several days I have been focused on understanding the inner workings of several of the popular file synchronization tools with the purpose of finding useful forensics-related artifacts that may be left on a system as a result of using these tools. Given the prevalence of Dropbox, I decided that it would be one of the first synchronization tools that I would analyze, and while working to better understand it I came across some interesting security related findings.



I know a few users here use it... It might be worth not relying on it quite so much for sensitive stuff...

Author:  ProfessorF [ Wed Apr 20, 2011 9:46 pm ]
Post subject:  Re: Dropbox authentication: insecure by design

I've only ever used it for photos when burning a DVD would be wasteful, and involve me getting off my ass to hand it over.
It never occurred to me to use it for anything that had a potential security aspect to it.

Author:  big_D [ Fri Apr 22, 2011 11:51 am ]
Post subject:  Re: Dropbox authentication: insecure by design

The information stored on the server is also encrypted using a key that Dropbox know, so they can decrypt the data and pass it on at will.

Any cloud service which does the encryption on the server, or sends the key to the server is insecure.

Wuala sounds better (from LaCie), they encrypt the data on the client, before sending it into the cloud. The same goes for Carbonite - although that is more a backup solution than a remote synchronisation system.

Jungledisk is also worth a look, if security is an issue. If you insist on using Dropbox, make sure you encrypt all data locally, before allowing it to sync with Dropbox.

Author:  JJW009 [ Fri Apr 22, 2011 1:07 pm ]
Post subject:  Re: Dropbox authentication: insecure by design

big_D wrote:
if security is an issue. If you insist on using Dropbox, make sure you encrypt all data locally, before allowing it to sync with Dropbox.

I suppose there's some pretty personal stuff on my Dropbox, but if someone wants to get their kicks from looking at my holiday snaps or CV I'm really not that bothered :lol:

I don't have any security sensitive stuff on there. Considering I have Dropbox on my phone and my PC at work, it would be quite silly. If I did, I'd probably RAR it up with a reasonably strong password. I think RAR is only crackable by brute-force?

Author:  paulzolo [ Fri Apr 22, 2011 7:02 pm ]
Post subject:  Re: Dropbox authentication: insecure by design

I may have to have words with a client, just to put them in the picture.

All times are UTC