Dropbox Criticized for Encryption Key Control Policy
The problem was identified by a user, who reported it on Dropbox forums and contacted independent security researcher Christopher Soghoian, a doctoral student at the University of Indiana. He posted the tip onto text-sharing site Pastebin. "I found I was able to log into my account using an incorrect password, and on further investigation I found I could log in and access files on any of the three accounts I tested (mine and two friends') using any password," the unknown user wrote Soghoian.Soghoian has long been a vocal critic of Dropbox. In May, he wrote a letter of complaint to the Federal Trade Commission, alleging the company deceived its users by overstating how secure its file service really was. Dropbox used to claim that employees at the company had no way of viewing user files when a few of them had administrative privileges. Dropbox recently updated its terms of service to reflect that fact and that it would decrypt users' files and give the government access to them if asked.Individuals and businesses need to be responsible for the security of their files, wherever they are stored, according to Webb. "No controls put in place by a third party can be relied on 100 percent," Webb said. Dropbox allows users to store files, regardless of file type, on remote servers that are accessible from anywhere in the world. The company claimed to store more than 200 million pieces of data in April. Letting Dropbox control the encryption key makes the service easy to use and allows users to recover their files even if they forget their password. If the user controlled the encryption key, the data would be lost forever if they ever lost the password, according to Dropbox. The encryption key will also have to be entered on every single device the user wants to use to sync to the service. Soghoian argued the company's encryption model introduced too many vulnerabilities and customers should retain full control over encryption. "The reality is that most end users are not equipped to implement proper key management," Mushegh Hakhinian, a security architect at IntraLinks, said. Delegating key management to an end user doesn't really make sense, he said, noting that providers can store the information in a "very secure" data center. "Dropbox isn't the problem here. It's the unreasonable expectation that simply moving files into the cloud will somehow keep them safe-no matter who operates the service. It won't," Webb said.