A security vulnerability in the way that online storage provider DropBox (and possibly rival Box) handles links to shared files caused some documents (which were supposed to be viewable only people designated by the file owner) accessible and available to web site owners using Google’s visitor analytics and advertising tools. The rival online storage firm which found the issue claimed to have reported the problem (which gave access to sensitive files like mortgage documents and tax returns) to Dropbox last November. Dropbox fixed this issue, which it insists is a feature rather than a security flaw, this past Monday.
This issue highlights the need to make encryption of files and data stored on cloud service providers with keys stored on the user’s local system simple enough for non technical folks. The solution also needs to be able to support sharing of encrypted files securely with a third party or with other cloud services you authorize. If cloud providers can get this right (no small feat), living your life in the cloud will truly be ready for prime time.
Some solutions which currently exist:
- Boxcryptor is a software solution which sits on top of Dropbox and other storage providers and automagically encrypts files as they are sent to and received from the cloud. They provide secure sharing as well as mobile apps for the major platform. Of course, since Boxcryptor is an overlay to services like DropBox, using this product would break the integration between DropBox and other cloud apps.
- There is at least one consumer usable provider (SpiderOak) which currently claims to offer this type of Zero Knowledge Encryption.
The real answer to the issue of cloud encryption lies in having the encryption built in to the platforms in a standard and interoperable way. C’mon cloud vendors, you can do it!