How Secure is my Dropbox?

The answer to this is: Secure as any other “private” content uploaded to the Internet, which is “not very.”

Dropbox is a widely-used service that lets you keep a specific directory in sync across many computers. Copy a file into the Dropbox folder on your work computer and it is nearly instantly available on your phone and your home computer. No more emailing files to yourself or scrambling to find a site that’ll let you upload a big file. They even give you a slick, web-based interface to browse your files.

This all sounds really easy and convenient which, unfortunately, usually means it’s not secure. The problem is that Dropbox stores your files on their servers encrypted in a way that they can read them.

First, what does one mean by “secure”? My definition of secure is that no one else in the world could possibly see the contents of something unless I let them. If it’s a text file, no one except me can read it; if it’s a photo, no one except me can see it.

For most of the files people want to share or sync, the security level of Dropbox is adequate. Disregarding that bug a couple of years ago where anyone could log in with any password, Dropbox is password protected and they recently introduced two-factor authentication, where you have to type in both your password and a short-lived, always-changing set of numbers from your phone. All connections between you and Dropbox go over SSL. This means no one can snoop on files you send to Dropbox and no evil person can trick your computer into thinking they are Dropbox.

From my limited knowledge of Dropbox’s internals, gleaned from reading a few security analysis reports, they do encrypt your files before uploading them. The downside is that they own the key to decrypt them “to ensure everyone has the ability to view and share files on the web painlessly.” Translated, this means that people-who-are-not-you can read your files.

I’ll assume that Dropbox, the company, follows industry standards for security. Only certain engineers get access to certain machines. Only certain support people get access to your files as necessary. Only code that’s been properly vetted for security bugs is deployed.

The weak spot in all of Dropbox’s efforts are the people. This isn’t a knock on Dropbox at all; people are the weakest spot in ANY security system.

Servers are constantly barraged by people trying to break in, and they often succeed. Support people sometimes stray and snoop at files they they shouldn’t. Developers write bugs that let random people on the internet get access to things they shouldn’t. It happens, despite best efforts in engineering or culture. People make mistakes.

If you’re wanting to keep your music in sync between computers, or want to quickly send a photo to a friend, Dropbox is great. It’s incredibly convenient. If it’s a file that you wouldn’t want another person to have, like your password file or financial documents, you don’t give it to Dropbox.

There is one (and only one) workaround to this though. If you encrypt a file on your computer before giving it Dropbox, they won’t be able to read it. 1Password, the popular password manager, takes this approach. They store your passwords in a file they then encrypt on your computer using high-grade encryption software. They then place this encrypted file into your Dropbox. Even if this file was to leak somehow, no one else but you could open it. Dropbox is purely the syncing service, which is still a handy thing to have.

The sad part of encryption is all the tools are terribly hard to use. TrueCrypt is probably the easiest of the bunch but there’s still a bit of learning curve to the terminology (partitions, volumes, and encryption algorithms?). I use GnuPG to encrypt my files, but that involves using a command-line interface, something most people aren’t (and probably shouldn’t have to be) comfortable using. OpenSSL is the Swiss Army knife of all things encryption but using it properly is like knowing some secret wizard’s spell.

Dropbox can read anything you give to it, in the state you give it to them. Give them something that only you can read and you get the joy of having this file everywhere while still being the only one who can open and read it.

I’m not saying to not use Dropbox. It’s just a fact that any file uploaded to Dropbox, given enough time, stands a good chance of being seen by someone you don’t know, so adjust your file syncing accordingly.

This post was inspired by a Twitter message from Kellan yesterday.