Dropbox Security Questions

Dropbox Security Questions

Jeffrey Goldberg by Jeffrey Goldberg on

Dropbox and 1Password are just awesome together. So when questions arise about Dropbox security we pay very close attention to what it means for our users. We owe it to ourselves and to our users to examine these and adapt and modify our recommendations accordingly.

Dropbox Security Questions

The bottom line is that there is no need to panic about Dropbox security. The issues that have come up all do raise very legitimate concerns about how Dropbox presents their security claims and addresses issues when they arise, but the actual issues are not nearly as serious as some of the the discussion would suggest. They are even less of an issue for 1Password users. Your sensitive information in your 1Password data is extremely well encrypted and we remain comfortable recommending syncing with Dropbox.

The Issues

We discuss these issues in more detail in our cloud security document, but very briefly:

  1. When syncing with mobile devices, Dropbox does not encrypt the file names. (File contents are encrypted.)
  2. On desktops, Dropbox does not protect its automatic login token as well as might be expected. They have made improvements in the most recent update and promise more to come.
  3. Contrary to what was stated in the Dropbox security FAQ, Dropbox employees are capable of removing Dropbox’s own encryption on your data. Dropbox have now clarified and corrected the original statement. They take steps to limit what individual employees can decrypt, but the capability to undo Dropbox encryption remains with Dropbox.

The Upshot

Because our filenames are arbitrary, issue #1 has no effect on 1Password security.1Password does its own encryption, so removing Dropbox encryption (issue #3) is not really a problem for mobile 1Password users. If you are using Dropbox on mobile devices for things other than 1Password, then you should be careful not to include sensitive information in your file names.

Issue #2 is something that is faced by any system that involves automatic login without user intervention. Some secret token must be stored on the client computer which is used for automated authentication. There was substantial room for improvement in how Dropbox handles these tokens, but we are happy to report that they have already made important improvements and promise more, saying:

Last week’s update to the Dropbox desktop application already sets more restrictive permissions on the folder that stores the authentication file. We are also working diligently on a solution that will make the authentication file useless on a second computer.

This, of course, means that if you haven’t updated Dropbox on your desktop recently, it is time to do so. The most recent version of Dropbox for 1.1.24 (April 15) for Mac and Windows.

Issue #3 is largely the result of Dropbox stating something unclearly in their security FAQ. They have apologized for the confusion and have clarified to some extent what employees can and cannot do. Here is their statement:

In our help article we state that Dropbox employees aren’t able to access user files. This is not an intentionally misleading statement – it is enforced by technical access controls on our backend storage infrastructure as well as strict policy prohibitions. The contents of a file will never be accessed by a Dropbox employee without the user’s permission. We can see, however, why people may have misinterpreted “Dropbox employees aren’t able to access user files” as a statement about how Dropbox uses encryption, so we will change this article to use the clearer “Dropbox employees are prohibited from accessing user files.”

Although the 1Password data format is designed to withstand sophisticated attacks should it fall into the wrong hands, we still wouldn’t want the bad guys to get a hold your 1Password files as data needed for indexing, searching and matching is not encrypted. (See our cloud security document for details). Because of this, along with other reasons, we are continuing to watch the situation with Dropbox very carefully.

Over the past week, there has been terrific discussion on our forums regarding Dropbox security and its relation to 1Password. It’s a great place to share thoughts and ideas on this matter. Please join us there.

The Future In a forthcoming blog post, I will be talk a bit more about how security is an on-going process and more specifically what we are working on to make the 1Password data format even better protected as it lives its life in the cloud.

Principal Security Architect

Jeffrey Goldberg - Principal Security Architect Jeffrey Goldberg - Principal Security Architect

Tweet about this post