Hacker News new | past | comments | ask | show | jobs | submit login

Why is 1Password over Dropbox the "worst of both worlds"? Seems like it's potentially safer, because it's encrypted with your passphrase and also your dropbox credentials. Sure, the NSA can probably get it, but J Random Hacker can't.



I'm not even convinced the NSA can get it. There are no side-channels to exploit here (which we know the NSA is good at) and cooperation from online services won't work either. The protocols used to encrypt this are fairly simple and well-understood and we should not assume that the NSA is capable of breaking the underlying (strong) primitives.


The NSA will just get your data off Dropbox by having a judge ask them nicely. That much is undeniable.

Whether or not they can break the Keepass encryption after getting your data is debatable but strikes me as "probably yes."


Anyone else remember that time Dropbox accidentally turned off authentication and you could log in as anyone?

https://nakedsecurity.sophos.com/2011/06/21/dropbox-lets-any...


I'm not sure how encryption will stand up when you have a set of all deltas from V1... Vn of the encrypted file.

From my admittedly small knowledge of encryption I would assume that such a set of data could be used to greatly decrease the size of the search-space for the decryption key.

There are a few people experts who post here, anyone care to comment?


I'm not sure whether I'm an "expert", but I can't think of a competently designed cryptosystem falls to that particular attack.


1Password actually stores new data in new files, presumably to make synchronisation work properly. For example, I have approximately 600 such files in my Dropbox. Interestingly, some metadata such as the login URL and the creation date is not encrypted, so it would be possible to build a list of the sites I have stored passwords for.

Formally, if your cipher would weaken in a way that makes practical attacks possible as more data is encrypted, it would be considered broken. Furthermore, it is possible to work around this by rotating keys and just encrypting the keys in a master file. 1Password definitely uses encryption keys that are fully independent from your master password, although I don't know if they periodically use new keys for new data.


Dropbox doesn't encrypt files, AFAIK.


- Dropbox files at rest are encrypted using 256-bit Advanced Encryption Standard (AES).

- Dropbox uses Secure Sockets Layer (SSL)/Transport Layer Security (TLS) to protect data in transit between Dropbox apps and our servers; it's designed to create a secure tunnel protected by 128-bit or higher Advanced Encryption Standard (AES) encryption.

Source: https://www.dropbox.com/help/27


But don't they provide the "I forgot my password" option?? Doesn't that mean tjey have enough info to decrypt your data whenever thy want to, let you change your password, and encrypt it again with that new one??? Looks like the same problem to me in the fact that any Dropbox worker can take anything you upload. Moreover, Condoleza Rice hired??! Wtf.


I think Dropbox encrypts data before storing it with 3rd-party providers (Amazon). At least I think they used to.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: