Hacker News new | past | comments | ask | show | jobs | submit login

The answer is, of course, to store your data online and encrypt it.



Which is what we thought was happening with Dropbox and why people were up in arms about discovering that it wasn't the case.

There remains the space for a cloud sync service that encrypts client side and provides good enough clients for every major platform.

Spider Oak comes close, but it's just too damn ugly an interface and isn't the "Install and forget" option that Dropbox is.


I use Wuala. I think their software is pretty nice; don't know how it compares to SpiderOak since I've never used it. They encrypt client-side. Employees can't access data. Or so they say, since the client isn't open source, which is my main hangup.

If I understand correctly, it's not as secure/confidential as Spider Oak: the encryption key for file A is Hash(A) and your own key is only used to gain access to Hash(A) in order to decrypt the files. This lets them deduplicate more efficiently on their end, but it also means they can determine if two users have the same file. It also has some other repercussions (there is a HN story about it). It's still a lot better than DropBox, though.


knowing file hashes assists substantially in cryptanalysis via PoE


Who thought that was happening with Dropbox? Did they ever make the claim that they would encrypt people's data?


https://www.dropbox.com/features claims "Secure Sockets Layer (SSL) and AES-256 bit encryption," and I truly do believe they encrypt.

However, I also know that since their website allows me to access data and reset my password, their key management doesn't prevent Dropbox employees from viewing my stuff.


"they encrypt" can mean several different things. It's understandable that a naive ordinary internet user may get confused about the differences between "We use SSL" vs "We use client-side encryption and never see your passphrase" vs "we promise to encrypt your data before it's stored on third party servers". However, there's no excuse for any technically inclined person to confuse those things.

Dropbox had said that they encrypt data before storing it at Amazon, but their systems see all of your raw data because they do deduplication, and because they could reset your passphrase, and because client-side encryption of stored data would make web access very complicated if not impossible.

If all that weren't enough, the dropbox forums, long before the early 2011 PR problem, had threads about using truecrypt containers on dropbox shares to ensure security. It also had feature requests to add client-side encryption to the dropbox client. If some people didn't get the message that dropbox has access to raw data, after all of that evidence, they have only themselves to blame.


Fair enough, I didn't really think that comment through.




Consider applying for YC's W25 batch! Applications are open till Nov 12.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: