I don't know why, but I all of a sudden feel like all my private dropbox data is now vulnerable to some form of hack, bug, exploit, malicious script, etc, that turns it all into a public web page.
Sharing with just people I know is one thing, but creating a web page of some of my data is another.
I don't know, it just doesn't feel right.
Dropbox, remember, you're dealing with private files on our personal computers, and one step too far and you're looking at mass exodus. Learn from Facebook. Use caution with new features.
Yes, I have to add to this sentiment. In my mind, I imagine Dropbox to be just as secure and private as my own hard drive. It's a bit of a fiction, I know, but until now nothing caused me to really question it. I use it for important files -- the sensitive ones that I really don't want to lose.
Maybe it's all perception, but this makes my private files feel dangerously close to the wide open web.
Dropbox, don't make me feel dumb for using your service for stuff that matters. If your service is meant for funny cat pictures and not my tax returns, please tell me now.
I helped build this feature and just wanted to say we're as concerned about privacy and security as you are. A couple specifics that might help:
* No feature is for everyone -- this is opt-in in the strictest sense. (And, since you pick the files/directories, as fine-grained as you want.)
* You can disable a link anytime: from the sharing tab (https://www.dropbox.com/share), click "Linked Items" to see all your links and disable anything.
* 3 means of sharing (shared folders, a public dir, and sharing links) gives you more control over privacy, not less.
* Similar to etherpad links, the shortened db.tt links are public but unfeasible to guess. We've heard a few concerns about the 6-digit hashes -- well, as more links are shared, don't assume the hash will stay at 6 digits :) can't get into details but we do a few more things to make link fishing near-impossible.
The problem is how close my data is to being a web page now.
I feel like all that private data is one click away from being public. Anyone passing by my computer can right click and change a folder to a web page and, when they get back to their PC, download everything.
At least before there was somewhat of a barrier, though narrow, it was there.
Do the "linked" files at least get a new bold icon with a globe on it or something so I know it's public? Do I get an email when a folder is made public? Something? What if a malicious script is run on my computer that just makes everything public in my Dropbox folder?
> Similar to etherpad links, the shortened db.tt links are public but unfeasible to guess
I imagine people will be searching Google for them, and later creating programs that just go through all the possibilities (if the hash isn't long enough), download whatever they can find, and then later go through whatever they got to see if there's anything of value.
A natural progression. I'm glad they finally went there. I am a happy customer of their 50 gig offering. I know there are a lot of YC companies out there (most of which I am not interested in the least, but hey, different market), but they hit a big market with DropBox.
I'm signing my parents up to coordinate pics, music and videos soon.
Bonus points to the first person to write a FUSE filesystem to mount shared Dropbox folders so you can easily download the entire contents of a folder.
Or they could just add a "download folder" link, but that sounds boring. It also looks like they want people to use "Copy to my Dropbox" for that, which would lead to more signups.
I'd have to go with yes. Hate to be an entropy nazi, but here goes:
Hash is 6 characters long, characters are alphanumeric (a-zA-Z0-9). So that makes:
(26 * 2 + 10) ** 6 => 5.6E10
That looks like a big number, but it isn't. Because at the scale of dropbox there will be 10 million links out there in no time. So then the math goes:
( (26 * 2 + 10) ** 6 ) / 10_000_000 => 5680
So you have to make only a few thousand guesses to get a random file from another user. I'd say that's not very secure.
Note that the links redirect to a page with a far longer (and presumably far more secure) hash code. Any time when you see short hash -> longer hash alarm bells should go off.
I'm assuming the share links last forever. If the share links lasted only 24 hours, then the system would look pretty safe.
Anyway, this is only my first impression. I might very well be wrong. Either way I think it's pretty silly to give up so much entropy to get a prettier URL. Why not just use the complete 128bit hash?
I haven't used the feature yet, but from reading the forum thread it sounds like the 6 random characters are only created if someone chooses to shorten their link with db.tt (presumably Dropbox's shortener). By default, resources have 15 random characters. Since URL shortening is mostly for use with twitter, I think the number of non-public files/folders with a corresponding 6-random-character link will not approach 10MM any time soon.
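The entropy argument in the two comments above, worked through for 6-character, 15-character and roughly 128-bit tokens. This is an added example, not part of any comment in the thread and not Dropbox's code; the 10 million live links come from the comment above, while the 10,000-guess budget and the 64-bit work-factor target are assumptions chosen for illustration.

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # a-zA-Z0-9, 62 symbols as in the thread


def keyspace(length, alphabet_size=len(ALPHABET)):
    """Number of distinct tokens of the given length."""
    return alphabet_size ** length


def expected_guesses(length, live_links):
    """Mean number of uniform random guesses before one matches any live link."""
    return keyspace(length) / live_links


def hit_probability(length, live_links, guesses):
    """Chance that at least one of `guesses` random tokens is a live link."""
    p = live_links / keyspace(length)
    # log1p/expm1 keep precision when p is far below float epsilon (long tokens)
    return -math.expm1(guesses * math.log1p(-p))


def min_length(live_links, work_factor_bits):
    """Shortest length keeping expected guesses per hit >= 2**work_factor_bits."""
    need_bits = work_factor_bits + math.log2(live_links)
    return math.ceil(need_bits / math.log2(len(ALPHABET)))


def new_token(length):
    """Draw a token from the OS CSPRNG, never from a seeded PRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    links = 10_000_000   # live-link count assumed in the comment above
    budget = 10_000      # assumed number of guesses, for illustration
    print("len  keyspace   guesses/hit  P(hit in budget)")
    for n in (6, 15, 22):  # 22 base62 characters is about 131 bits
        print(f"{n:>3}  {keyspace(n):.3g}  {expected_guesses(n, links):.3g}"
              f"  {hit_probability(n, links, budget):.3g}")
    print("length for a 64-bit work factor:", min_length(links, 64))
    print("sample 15-char token (random):", new_token(15))
```

With these assumptions, the shortest length that keeps a 64-bit work factor at 10 million live links comes out to the same 15 characters mentioned as the default.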
So, if you feel like "I wanna share this folder to the wild world, now!", just do it! You can change your mind at any time later and the folder will no longer be accessible. Very intensive, careful design & implementation!
I think you're overstating the risks of random URLs. Unlisted cell phone numbers are not considered public even though you give them to all your friends and to every nearby cell tower. Credit cards are not considered public even though you might hand yours to a lot of strangers.
That is beyond cool. I bet you can put a git repo in dropbox and clone it using the shareable link. I'd test if I didn't have a program to deliver in 4h.
"There are currently no hard limits on public bandwidth usage. We do, however, have an automated system for detecting and flagging unusual amounts of bandwidth usage. We will send an email notification whenever an account is flagged. Once flagged, public links will be temporarily disabled and users who use the links will see an error page instead of your file."
So, there's no bandwidth limit, but there's a bandwidth limit. :)
This sounds a lot like drop.io or mediafire, etc.: file sharing services with a web interface. Since people were already using the public links to share individual files it makes a lot of sense to expand it to the folder level.
I tried the feature and I like it. The only confusion was about the "Copy to my DropBox" button. It does only a one-time snapshot of the shared area. I would expect to have live access to the shared area through my local folder.
Any file or folder in your Dropbox is now linkable!
But not quite yet, presumably very soon. Apparently it appears in the 0.8 beta clients only; I didn't see anything specific about the website (though I don't see it on my account).
Another important point (mentioned in a later comment): unlike public folders, only things you choose to make linkable can be viewed. The public folder continues to work the same way.