Secure Alternatives to Dropbox


So there’s been a lot of talk lately about how Dropbox, which promised that it was encrypting our files, is actually only doing so server-side, so employees, and possibly sufficiently sophisticated hackers, could get access to your files. In the comments to a Business Insider article, reps from two companies posted their solutions. I’m sure there are more, but just so I don’t forget these guys, they are:

  1. Secret Sync – this is an add-on that encrypts files on your computer, using a key that nobody at Dropbox has, so even if someone gets into your Dropbox account, they can’t read your files. It’s free, but they plan to roll out a “pro” model with additional features.
  2. Spider Oak offers client-side encryption built in, so it’s essentially the same as Dropbox + Secret Sync and is, like Dropbox, free for 2GB.

Secret Sync (or actually, I think it’s SecretSync as one word), being a different company entirely from Dropbox, means that your DB and SS passwords are not shared between companies, so that should be as secure as your passwords.

Spider Oak is one company, but they claim a higher level of privacy than Dropbox:

“At SpiderOak we have created a true ‘zero-knowledge environment’ meaning that no one including the SpiderOak employees will ever know what you are storing on your SpiderOak Network. We can maintain this environment because at no time will anybody know your password (or the answer to your password hint) except you.”

I still haven’t decided whether to switch. I’m pretty pissed off at Dropbox for the misleading statements they make on their site (saying all files are AES 256 encrypted – essentially unbreakable – but neglecting to say that they have the keys and with certain forms of attack the hackers could have them too!). Still, one of the things about Dropbox is it is very bandwidth efficient and I am bandwidth limited because I’m often connected over satellite. Dropbox tries to upload just the pieces of a file that have changed (based on filesystem sectors?) and to not even upload common files that a lot of people share (very popular songs). Once you switch to full encryption, I would think that changing a single period in a document would result in a completely different encrypted file, like if you were doing a hash, and require a full upload.

Spider Oak says no:

“SpiderOak will scan the file and find only the changes, and store new data blocks for those areas of the file. This means that SpiderOak is able to store all historical versions of a document using little additional space.

“For example, if you’re working on a research paper, and add new sections, charts, and other information to it as you go along, SpiderOak just stores these additional items. So, SpiderOak will be able to store all of the historical versions of your research paper using about the same amount of space as would be needed to only store the most recent version.”
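
As an added illustration (not SpiderOak's code, and not part of the original post), here is one way client-side encryption and changed-blocks-only uploads can coexist: the client splits the file into fixed-size blocks, names each block with a keyed hash, and encrypts and uploads only the blocks the server has not seen. The 4096-byte block size, the function names and the SHA-256 counter-mode stand-in cipher are assumptions chosen to keep the sketch standard-library only; real code would use an authenticated cipher such as AES-GCM.

```python
import hashlib, hmac, os

BLOCK = 4096  # assumed block size for this sketch

def subkey(master: bytes, label: bytes) -> bytes:
    # Separate keys for block ids and for encryption, both derived client-side.
    return hmac.new(master, label, hashlib.sha256).digest()

def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (assumption): SHA-256 in counter mode, not AES.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out += bytes(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def encrypt(key: bytes, data: bytes) -> bytes:
    nonce = os.urandom(16)  # fresh nonce for every encryption
    return nonce + stream_xor(key, nonce, data)

def decrypt(key: bytes, blob: bytes) -> bytes:
    return stream_xor(key, blob[:16], blob[16:])

def sync(master: bytes, data: bytes, server: dict):
    # Upload only blocks the server lacks; returns (manifest, bytes_uploaded).
    id_key, enc_key = subkey(master, b"block-id"), subkey(master, b"encrypt")
    manifest, uploaded = [], 0
    for off in range(0, len(data), BLOCK):
        block = data[off:off + BLOCK]
        bid = hmac.new(id_key, block, hashlib.sha256).hexdigest()
        manifest.append(bid)
        if bid not in server:  # server sees only opaque ids and ciphertext
            server[bid] = encrypt(enc_key, block)
            uploaded += len(server[bid])
    return manifest, uploaded

def restore(master: bytes, manifest: list, server: dict) -> bytes:
    enc_key = subkey(master, b"encrypt")
    return b"".join(decrypt(enc_key, server[bid]) for bid in manifest)

def demo():
    master = os.urandom(32)  # never leaves the client
    # Constructed sample document: 25 distinct blocks of 4096 bytes.
    v1 = b"".join(hashlib.sha256(str(i).encode()).digest() for i in range(3200))
    v2 = v1[:50000] + bytes([v1[50000] ^ 1]) + v1[50001:]  # one byte edited
    whole = sum(a != b for a, b in zip(encrypt(master, v1), encrypt(master, v2)))
    server = {}
    _, first = sync(master, v1, server)
    manifest, second = sync(master, v2, server)
    assert restore(master, manifest, server) == v2
    return whole, first, second
```

`demo()` returns the number of ciphertext bytes that differ when the whole file is re-encrypted after a one-byte edit, followed by the bytes uploaded by the first and second block-level sync. Fixed-size blocks only help with in-place edits; an insertion shifts every later block, which is why sync tools commonly use content-defined chunking instead.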

So it would probably be worth it to switch, but we turtles don’t do anything fast!

13 Responses to “Secure Alternatives to Dropbox”

  1. Hi Tom, well spotted —

    “Secret Sync, being a different company entirely from Dropbox, means that your DB and SS passwords are not shared between companies, so that should be as secure as your passwords.”

    This is how we feel we can provide stronger privacy while maintaining convenience. We provide a truly random 256-bit key, rather than one simply generated from a generally much weaker secret, like a password. The key is controlled separately from your data, and we deliver the key without you having to try and remember it somehow. Of course, the other big win is that encryption happens on your client.

    That being said, we’ve just updated SecretSync to allow you to optionally specify a client-side passphrase.

    http://getsecretsync.com/ss/getstarted/#pass

    This allows you to have your own secret in addition to the key we provide, giving more advanced users a much more powerful level of privacy and security.

    Thanks, James (from SecretSync)

  2. Thanks for stopping by with the clarification James. I think you guys are well-positioned for a big bump in users, as many of us thought the service you provide was built into DB from the get go and are dismayed at what we see as misleading marketing from Dropbox.

  3. You’re right, they did seem to throw around the word ‘encryption’ whenever they talked about security, without clarifying how the encryption was actually implemented. I see this on most ‘cloud-based’ services, so it’s not unique to Dropbox. Good old marketing. :)

    Despite its recent bad press, I personally don’t think Dropbox is a bad company. Perhaps a little careless, but they’re paying for that now in spades.

  4. Although Dropbox as a service was a hands-down winner for me, the security and file ownership was a problem for me, too. So like you, I switched to SpiderOak, and wrote a blog post on how you could make it do what Dropbox did: http://rolfje.wordpress.com/2011/07/03/1355/

    SecretSync is new to me, and I would have definitely considered it if I knew it earlier, but I see that they do not have an OSX client, which is a show-stopper for me. It has to run on Windows, Linux and most importantly, the Mac.

    Most syncing companies mention secure *transport* between your computer and theirs, but they don’t say anything about how the files are then stored at their site, and whether they can access them unencrypted. Most American companies are wimps and will hand over your data unencrypted to anybody who walks in with a uniform; steer clear of those.

    SpiderOak has the strongest encryption statement I’ve read so far, and it was good enough for me to switch. It’s slightly slower than Dropbox and doesn’t have the sharing features (which is of course because of the stronger encryption architecture). But it has worked flawlessly since my switch. Great service, responsive helpdesk, good referral program.

  5. Thanks Rolf! Nice writeup on your blog. I think that will help some folks.

  6. Very good point about the separation achieved by letting one service (and company) handle the sync/storage while another handles encryption. I have to say, though, that for stuff I want to keep really secure, I’m still a bit hesitant to sync them over any third party service.

    Just thought I’d leave a tip about Wuala ( http://wuala.com ). The security architecture is well documented and comparable to that of Spider Oak. And it’s Swiss… The Swiss have an indisputable heritage when it comes to keeping secrets… ;-)

  7. Yes… but then Dropbox was keeping secrets about not keeping secrets ;-)

    Thanks for the heads up on another service!

  8. So Tom did you decide on one yet?

    Have I told you how much I love Microsoft Live Sync? Since it has come out of beta it’s quite stable. 25GB of storage on SkyDrive and unlimited storage between PCs. You still can’t sync Outlook PST files and a few other types, but for most data it works great.

    The other one I’ve been playing with is SugarSync. You get 6GB or so for free now. It works well in my tests, but I fear it suffers from the same security vulnerabilities as Dropbox. You’d want to encrypt any files yourself before syncing.

  9. Bill, I’ve sort of let well enough alone for now. I don’t have that much of value on Dropbox and now I’ve just decided to make sure I keep it so.

    If I could get true high-speed internet where I live, I would immediately sign up for Live Drive and get 2TB of space for $80/year and advanced sync options for $160/year.
    http://www.livedrive.com/ForHome/#CompareProducts
    Looks very interesting

  10. We offer a Secure Dropbox alternative for businesses and have done so since the mid-2000s. A small preview from our security section:

    - ISO/IEC 27001:2005 Information Security Management System (ISMS) certified
    - ISO 9001:2008 Quality Management System certified
    - ISO/IEC 20000 certifications. (Europe)
    - 7x24x365 IBM ISS Monitored Firewalls
    - 24 x 7 x 365 Network Operation Centre
    - Three factor access control (fingerprint, access card and PIN) and 24 x 7 x 365 CCTV
    - Tier III+ fully redundant infrastructure to ensure no single point of failure and business continuity

    Microsoft EFS is used for encrypting data at rest using AES, SHA, and ECC cryptographic algorithms compliant with Suite B encryption requirements as defined by the National Security Agency to meet the needs of United States government agencies for protecting classified information.

    More here: http://www.thruinc.com/solutions/secure-dropbox/
