Dropbox security revisited: Plus ça change

Plus ça change, plus c’est même chose
— Jean-Baptiste Alphonse Karr

Summary: Dropbox remains safe for 1Password use despite some high profile discussion of its security.

Keeping up with news about security issues can make your head spin. It certainly does that to me. Most often important news gets little public attention, and at other times non-events go viral. I think the latter has happened with respect to the complaint filed against Dropbox (PDF) with the United States Federal Trade Commission.

Naturally, when I heard that the complaint had been filed I had to read it closely. After all, the security of Dropbox is of great concern to us all. So what did I find? I found that every security issue mentioned in the FTC filing was something that we had already looked at. I discussed all of these points in an earlier post.

There is no new information in the FTC filing or discussion surrounding it, and so the conclusion posted earlier still stands:

[T]here is no need to panic about Dropbox security. The issues that have come up all do raise very legitimate concerns about how Dropbox presents their security claims and addresses issues when they arise, but the actual issues are not nearly as serious as some of the discussion would suggest. They are even less of an issue for 1Password users. Your sensitive information in your 1Password data is extremely well encrypted and we remain comfortable recommending syncing with Dropbox.

It seems that not even I can resist blogging about the FTC filing, but recent news has put me in the position of having to say that just because there is new “news” doesn’t mean there is new information. Real security must be based on level-headed assessments of the threats, whether those are highly publicized or, as is more common, only discussed by those in the field.

Informed users are the best users

Informed users are the best users, and the outpouring of questions to us regarding Dropbox let us know that you want to be informed. I am delighted by this, but it has also meant that we haven’t been able to respond to queries as quickly as we would like. We are all working hard to catch up, and we should soon be back to providing the speedy responses you deserve and have come to expect from us.

23 replies
    • Carlos Cordero
      Carlos Cordero says:

      Ditto. Cheers for the update, guys!

      Interesting reply to CurbedEnthusiasm regarding Betas. Personally, I will wait until you guys iron all of the kinks.

  1. CurbedEnthusiasm
    CurbedEnthusiasm says:

    I’m awaiting a Dropbox blog notice regarding enhanced security with authentication tokens on local PCs. They stated they were implementing a system that would prevent a stolen token being able to be used on another PC to access data. Also, I still feel comfortable in using 1Password with Dropbox, however, I am eagerly awaiting the new 1Password Data format, so that everything gets encrypted and all I see is garbage text when viewing a .1Password file. Looking forward to hearing more about that when it’s ready. Thanks.

    • Jeff
      Jeff says:

      Hi,

      The recent Beta version of the Dropbox client for Mac and PC already incorporates those security changes. You will need to go to the Dropbox forums to find the Beta version downloads. Note that if you use those, you should also use the Beta versions of 1Password to properly integrate with the changes Dropbox have made in their configuration file formats. Just go to Preferences > Updates in 1Password and check the box for “include Beta versions”.

      Of course, this is all Beta (testing) versions, and we ask those using the Beta versions to report issues in our forums, either to the Beta forum for 1Password for Mac or the Beta forum for 1Password for Windows.

      As for the forthcoming version of our data format, our elves (well actually Dave, Roustem, Chad, Stefan, and Gene) are working very hard at getting that ready for all platforms we support. We’ve been working on this for a while, but it is a big change and it will require a lot of testing before it can go public. So we ask for some patience here.

      Cheers,

      -j

  2. Marc
    Marc says:

    I love 1Password, but don’t like Dropbox for several reasons. I have had this opinion before the security questions about Dropbox got in the news.

    I hope that 1Password will offer other storage options, like WebDAV or SFTP, because I like to have that choice. I only use Dropbox now because 1Password only supports them.

    Currently I use Wuala (www.wuala.com) for my online storage needs. They are a zero-knowledge storage provider, which means that they don’t store and know of your login/password and all files are encrypted/decrypted on the client side. Because of this, if you lose your password they can’t recover it. That also means that they cannot look into your data.

    Maybe 1Password should offer its own online storage (only for 1Password), just like e.g. RoboForm had?

    I hope 1Password will have extra options soon for online storage of my passwords …

    • Jeff
      Jeff says:

      Marc, you are certainly correct that it would be a mistake for us to exclude other syncing tools and services. We very much believe that people should have control (and therefore choice) about the location of their own data.

      The current lack of alternatives to supported syncing mechanisms in 1Password is not for lack of trying. We have certainly explored other options. We really tried to get 1Password syncing reliably with WebDAV about a year ago. After intensive effort, however, we needed to abandon that approach for a variety of technical reasons.

      Wuala’s client-end encryption is great, but for a couple of technical reasons it would be very difficult to get that to work with 1Password. 1Password’s data format is very file system intensive, and so it really requires that the data really be on a local drive. (The local caching of remote file systems used by several services just isn’t up to the job). The other thing is that we need APIs for all of the platforms that we want to sync 1Password data to.

      A dedicated, 1Password only, sync service is a very interesting idea. There certainly are many issues to consider there.

      I am not writing this to dismiss the suggestions of alternatives, but more to indicate that we have explored and continue to explore alternative sync services.

      Cheers,

      -j

  3. Ian
    Ian says:

    Another pat on the back for Jeff for the excellent analysis we have come to expect from him.

    Good job sir!

  4. Michael Grant
    Michael Grant says:

    I’m a disappointed paid Dropbox user who is moving most of his data over to a true zero-knowledge service (SpiderOak is my current candidate). 1Password is probably the only reason I’ll even bother to keep my Dropbox account around! But I’d love to ditch it completely. So let me offer another vote to provide some sort of alternative to Dropbox sync.

    • Jeff
      Jeff says:

      Thanks Michael.

      Again I don’t want to sound dismissive or as if I’m making up excuses, but SpiderOak is not designed for the kind of rapid, local file access that 1Password on the desktops requires. I’ve learned around here to never say that something can’t be done, but I can say that getting 1Password to work reliably with SpiderOak would be very challenging. (Not that we don’t love a challenge.)

      We certainly have discussed and continue to discuss alternatives to Dropbox syncing, but we are also very actively working on making your 1Password data even safer in the cloud.

      Cheers,

      -j

  5. Ted
    Ted says:

    There’s a lot of nerdy looking guys in that blog header photo. Why don’t you guys just grab the Amazon S3 handbook and write your own dropbox? Not just for 1Password, but really, take on dropbox with a new product.

    • Jeff
      Jeff says:

      Thanks, Ted.

      I’m the nerd in the back with the black Bletchley Park “Enigma” shirt. I used to live not too far from there.

      Thanks for your vote of confidence. Any sync service specifically for 1Password data would immediately become a “high value” target, so it must be thought through very, very carefully.

      Cheers,

      -j

  6. Marc
    Marc says:

    Jeff said: “1Password’s data format is very file system intensive, and so it really requires that the data really be on a local drive.”

    So if you could change the data format to a low intensive one, then it would be easier to support more online storage options? I of course don’t know why it works the way it works now and if it’s possible to change that. Maybe you are already working on that?

    • Jeff
      Jeff says:

      We are working on a number of things, but we like to keep those as a surprise until we actually release them. What I can tell you is that we are working on a new data format that is better designed for life in the cloud. We are also working very hard on getting ready for OS X 10.7 Lion. Other things will be a surprise.

      Cheers,

      -j

  7. Imfrenchbutiloveengland
    Imfrenchbutiloveengland says:

    Your French is a bit rusty, the exact phrase is :
    Plus ça change, plus c’est LA même chose

    • Jeff
      Jeff says:

      That reminds me of a joke. I won’t tell the whole build up, but it ends with an Englishman in a restaurant in France calling over the waiter saying, “Le mouche est dans ma soupe.” The waiter responds, “Non monsieur. La mouche.” To which the man exclaims, “Damned good eyesight you have!”

      Cheers,

      -j

  8. Steve
    Steve says:

    Will you please look at supporting iCloud SDK on the Mac side so that I can ditch Dropbox? I really hate having an account there with all the bad security goofs they’ve done (including today’s).

    • Jeff
      Jeff says:

      I can’t say what we are working on. We don’t like to announce features until we deliver them. But I can say that we are extremely excited about what iCloud may have to offer.

  9. Mike
    Mike says:

    Please give us more options, Dropbox’s major authentication bug proves we need them. In all truth, I am not that mad about the bug, but the fact they didn’t send out an email to their customers that is shameful. http://blog.dropbox.com/?p=821

    • Jeff
      Jeff says:

      It would be foolish of us to completely hitch our wagon to a third party. So alternatives are always being explored. But we are not in the vaporware business, so no promises until we have things delivered.

      Cheers,

      -j
