Dropbox has been forced to rectify its security clauses, by demonstrating that it does not adequately protect the files of users, or at least, not as the company initially announced on its website.
Dropbox is a widely used online file hosting service "in the cloud" (25 million users), which thanks to the previous analysis of the hash allows you to save space: if you try to upload a file whose hash is already present in Dropbox (in the account of another user for example), the system simply links to it without having to upload it again. Dropbox's security is based on AES256 encryption with key created and hosted on its own servers.According to the formal complaint filed with the US Federal Trade Commission (FTC) by researcher Christopher Soghoian, Dropbox lied to users when it advertised its service as fully encrypted and, as they announced, "without internal access of the company to the content of the same".
As the information became public, Dropbox has been modifying the encryption information clauses:
Initially, it was announced: "All files stored on Dropbox servers are encrypted (AES256) and are inaccessible without your account password." (All files stored on Dropbox servers are encrypted with AES256 and are inaccessible without the account password.) Then, in April, it was modified to a simple: "All files stored on Dropbox servers are encrypted (AES 256)." (All files stored on Dropbox servers are encrypted with AES256.) Later: "Dropbox employees aren't able to access user files, and when troubleshooting an account, they only have access to file metadata (filenames, file sizes, etc. not the file contents)". (Dropbox employees don't have access to user files, and when you study accounts, you only have access to metadata and not file content.) Now, the website says: "Dropbox employees are prohibited from viewing the content of files you store in your Dropboxaccount, and are only permitted to view file metadata (e.g., file names and locations)". (Employees are 'prohibited' from accessing the contents of the files and can only inspect the metadata of their accounts (file names and paths). And they also warn that: Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). ("Like most online services, we have a small number of employees who have full access to user data for reasons set out in our security policy (e.g. where legally required)." The investigation also warns that its Mobile service does not use an SSL channel when sending files contrary to what could be understood by Dropbox advertising.These rectifications by Dropbox have motivated Soghoian's attempt to get the FTC to investigate the company for its dubious security policy and get it to correctly warn the user of the true level of it.
Until the matter is clarified, the only possible solution to fully secure the data is to encrypt it locally when uploading it to Dropbox or directly use alternative services such as SpiderOak or Wuala.
Source: Hispasec
