Speaking of on-line/cloud storage... Wuala
    Richard Pieri
    richard.pieri-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
    Mon Apr 25 13:47:03 EDT 2011

On Apr 25, 2011, at 11:22 AM, Ian Stokes-Rees wrote:
> 
> Can someone either give the 30 second version of security shortcomings
> in Dropbox, or point me to something which describes this?  I'm
> interested in understanding this better.
Dropbox has master keys for everything.  If the FBI knocks on Dropbox's door and demands your files, Dropbox can and will provide those files.
Wuala has no master keys.  Same basic security model used by Carbonite.
All Dropbox storage encryption happens server-side.  Dropbox relies on the security of SSL when authenticating and when moving files between S3 buckets and clients.
All Wuala storage encryption happens client-side.  Encryption keys are never sent over the wire.
Both Wuala and Dropbox are potentially vulnerable to client-side exploit.  To wit, someone steals your notebook, he has your files.
On a Cryptree, if you change one bit of a file and then save it, that looks like a new file to the Cryptree (same with a file in the Dropbox folder, by the way).  This entire file needs to be synchronized.  This is more efficient than a monolithic volume system like TrueCrypt but is also a little weaker.  An analyst can see which files on a Cryptree are modified and the times of these modifications.
--Rich P.
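
Added example, not part of the message above and not Wuala's or Dropbox's code: a sketch of per-file, client-side encryption as the message describes it, showing what someone holding two snapshots of the stored ciphertext learns after a one-bit edit. The key derivation, object naming, timestamps and HMAC-based keystream are assumptions chosen to stay within the Python standard library; they are not the Cryptree construction.

```python
import hashlib, hmac, os

def _keystream(key, nonce, n):
    # Stand-in stream cipher (assumption): HMAC-SHA256 in counter mode.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(master, path, data):
    """Client side: per-file key and opaque object name are derived locally."""
    file_key = hmac.new(master, b"key:" + path.encode(), hashlib.sha256).digest()
    obj_id = hmac.new(master, b"name:" + path.encode(), hashlib.sha256).hexdigest()[:16]
    nonce = os.urandom(16)  # fresh per save, so the whole ciphertext changes
    ct = bytes(a ^ b for a, b in zip(data, _keystream(file_key, nonce, len(data))))
    return obj_id, nonce + ct  # no integrity tag: illustration only

def upload(store, master, path, data, when):
    # Only an opaque id, a timestamp and ciphertext ever reach the store.
    obj_id, blob = seal(master, path, data)
    store[obj_id] = (when, blob)

def observer_diff(before, after):
    """What a holder of two store snapshots learns without any key."""
    return sorted((oid, t) for oid, (t, blob) in after.items()
                  if oid not in before or before[oid][1] != blob)

def demo():
    master = os.urandom(32)  # never leaves the client
    # Constructed sample files.
    files = {"notes.txt": b"meeting at noon " * 8, "tax.pdf": b"%PDF constructed " * 8}
    store = {}
    for path, data in files.items():
        upload(store, master, path, data, when=1000)
    snap = dict(store)
    edited = bytearray(files["notes.txt"])
    edited[0] ^= 0x01  # flip one bit, then save again
    upload(store, master, "notes.txt", bytes(edited), when=2000)
    changed = observer_diff(snap, store)
    oid = changed[0][0]
    old, new = snap[oid][1][16:], store[oid][1][16:]
    return {"changed": changed, "size": len(old),
            "differing_bytes": sum(a != b for a, b in zip(old, new)),
            "plaintext_visible": any(b"meeting" in blob for _, blob in store.values())}

if __name__ == "__main__":
    print(demo())
```

The observer cannot read either file, but the diff names exactly one object and its modification time, and nearly every ciphertext byte of that object differs, so the whole file has to be synchronized again.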
    
    