This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

Security: Dropbox Authentication


Comments

  • thightower
    thightower "T-Dog" Agile's Mascot Community Moderator
    edited May 2011
    [quote name='NovaScotian' timestamp='1305505932' post='27075']

    Just joined this thread to post the link Boru has found (discovered independently). My take is that my 1P stuff is safe and secure because it carries its own encryption -- it's anything else I have there in unencrypted (raw) form that is not. While several of my documents there are not super-sensitive, they are not public just the same, so I've removed them from my dropbox folder.



    What encryption tool do readers of this forum recommend for secure storage of their stuff on Dropbox?

    [/quote]



    There are several; Truecrypt is recommended on the Dropbox forums by users all around. [url="http://www.truecrypt.org/"]http://www.truecrypt.org/[/url] Plus it supports Win/Mac/Linux.



    Personally, I use another app that is not recommended for Dropbox syncing, but I have never had an issue with it. I withhold its name as I don't want to steer others into using it with Dropbox.
  • khad
    khad Social Choreographer
    edited May 2011
    I think Tommy is referring to Knox. ;-)



    It is a delicate thing, but the short version is that if you use .sparseimages and only open them on one computer at a time, you should be fine. Generally speaking, though, he is correct. Knox + Dropbox is not advised. Y'all power users may proceed at your own risk. It's how I roll, but I also have other backups. :-D



    Check out the "[url="http://help.agilebits.com/Knox/sync_vaults.html"]Syncing Knox Vaults[/url]" page in the Knox User Guide for further details.



    This has also been discussed in the [url="http://forum.agile.ws/index.php?/topic/3714-storing-knox-vaults-in-dropbox/"]Knox forum[/url].



    Your mileage may be different than my own in this regard.
  • thightower
    thightower "T-Dog" Agile's Mascot Community Moderator
    [quote name='khad' timestamp='1305509551' post='27077']

    I think Tommy is referring to Knox. ;-)

    [/quote]



    Eh, could be, hehe.



    As your link indicates, use sparseimages; they are less prone to corruption. I can't say for sure either way, but many, many smart folks I know suggest this ... and I am in no way gonna think they don't know what they are talking about.
  • The only reason I use Dropbox for 1Password sync is due to the iPhone app. If you guys added WebDAV support, I would feel a whole lot better in general. I like having my stuff on my own boxes. That's ironic considering I do sysops for one of the cloud products of my employer.
  • Version 2.1.31 [url="https://www.dropbox.com/help/category/Mac"]was released[/url] yesterday.
  • thightower
    thightower "T-Dog" Agile's Mascot Community Moderator
    Mark,



    Forgive me if I am incorrect here, but if you are referring to Dropbox, it is actually v 1.1.31, not 2.1.31.



    The 2 you see is actually a little fudging on the Dropbox team's part in order to get around a few limitations on Lion.



    True, the app info screen says 2.xx etc., but look at the pref pane; it says 1.1.31.



    As I said, if that's not what you're talking about, then please ignore me. :)
  • Thanks for the clarification; I am sure you must be correct.



    I'm on Snow Leopard, however - 10.6.7, and the Version in my Info box still says 2.1.31…



    Curiouser and curiouser :-)
  • [quote name='jpgoldberg' timestamp='1303141508' post='25130']

    Yeah. I was waiting to see whether the folks at Dropbox had a reason for the bizarre permissions on those files before recommending this change. I've tested this myself, waiting to see if anything broke, but it works fine for me.



    1Password does read your .dropbox/config.db to find out where your Dropbox folder is, but it doesn't need the wide open file permissions for the config data that come with the Dropbox installation.



    So to clarify sjk's advice, Mac users can paste that command he gave into a Terminal window and press RETURN. Terminal.app can be found in the Utilities folder under /Applications. This will put some restrictions on access to the Dropbox configuration information file.



    Cheers,



    -j

    [/quote]

    Many thanks for this.
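    The quoted advice is about tightening the permissions of the Dropbox configuration file (the actual command sjk gave is not reproduced on this page). The script below is an added example, not code from the thread or from AgileBits: it audits a file for group/other read or write bits and clears them (the equivalent of chmod 600). It assumes a POSIX filesystem and runs against a constructed temporary file standing in for ~/.dropbox/config.db, so it can be tried without touching a real Dropbox installation.

```python
import os
import stat
import tempfile

# Permission bits that expose a file to anyone other than its owner.
GROUP_OR_OTHER = stat.S_IRWXG | stat.S_IRWXO
# Owner read/write only: the "chmod 600" mode.
OWNER_ONLY = stat.S_IRUSR | stat.S_IWUSR

_LABELS = (
    (stat.S_IRGRP, "group can read"),
    (stat.S_IWGRP, "group can write"),
    (stat.S_IROTH, "others can read"),
    (stat.S_IWOTH, "others can write"),
)


def mode_of(path):
    """Permission bits of `path` as an int (e.g. 0o644)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def describe_exposure(path):
    """List who besides the owner can read or write `path` (empty when owner-only)."""
    bits = mode_of(path) & GROUP_OR_OTHER
    return [label for flag, label in _LABELS if bits & flag]


def is_owner_only(path):
    """True when no group/other permission bits are set."""
    return (mode_of(path) & GROUP_OR_OTHER) == 0


def restrict_to_owner(path):
    """Clear group/other bits on `path`; return (mode_before, mode_after)."""
    before = mode_of(path)
    os.chmod(path, OWNER_ONLY)
    return before, mode_of(path)


def demo():
    """Audit and then restrict a constructed, deliberately world-readable file.

    The temp file is a stand-in for a config file such as ~/.dropbox/config.db
    (assumption: the real file's location may differ by Dropbox version).
    """
    fd, path = tempfile.mkstemp(prefix="config-", suffix=".db")
    os.close(fd)
    os.chmod(path, 0o666)  # simulate the wide-open permissions discussed above
    try:
        findings_before = describe_exposure(path)
        before, after = restrict_to_owner(path)
        return {
            "findings_before": findings_before,
            "mode_before": before,
            "mode_after": after,
            "findings_after": describe_exposure(path),
            "owner_only_after": is_owner_only(path),
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    result = demo()
    print("before: %o  %s" % (result["mode_before"], ", ".join(result["findings_before"])))
    print("after:  %o  owner-only=%s" % (result["mode_after"], result["owner_only_after"]))
```

To audit a real file rather than the constructed one, call describe_exposure() with its path first; restrict_to_owner() is only needed when the list it returns is non-empty.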
  • khad
    khad Social Choreographer
    Welcome to the forums, Dandypandy and Andy! (That makes me chuckle a bit to myself.)



    We are constantly evaluating the sync landscape to see when and if we need to make some changes. We did look at WebDAV in the past and there were some performance problems, but that doesn't mean we won't revisit the idea. It's what keeps us agile. :-)



    Thanks for letting us know you would be interested in this.



    Andy, on behalf of sjk and Jeff, you are quite welcome! I'm glad that you have found that tip useful. Hopefully there are many more where that came from if you stick around here. :-)



    Cheers,
  • Felix
    Felix Junior Member
    Since the Agile team has frequently touted Dropbox here on the forums, I'm wondering if there's anything in [url="http://www.electronista.com/articles/11/05/13/dropbox.accused.of.using.deceptive.trade.practices/"][u]this[/u][/url] complaint which we need to be concerned about. Are our 1Password passwords still adequately protected by our master password and unreadable by Dropbox employees as alleged by Christopher Soghoian?
  • [Deleted User]
    edited May 2011
    [quote name='Felix' timestamp='1305576111' post='27129']

    Since the Agile team has frequently touted Dropbox here on the forums, I'm wondering if there's anything in [url="http://www.electronista.com/articles/11/05/13/dropbox.accused.of.using.deceptive.trade.practices/"][u]this[/u][/url] complaint which we need to be concerned about. Are our 1Password passwords still adequately protected by our master password and unreadable by Dropbox employees as alleged by Christopher Soghoian?

    [/quote]



    Felix,



    I am not an encryption expert (or layman for that matter), but your question was discussed quite a bit in the Lounge. I'm sure one of AB's experts will respond to your inquiry, but I thought you would like to read the most recent debate: [url="http://forum.agile.ws/index.php?/topic/4451-security-dropbox-authentication/page__view__findpost__p__25085"]Security: Dropbox Authentication[/url]



    Based on that thread and a blog post by AB's chief security guru, Jeff Goldberg, [i]I[/i] believe that the 1Password.agilekeychain is still safe, even if a Dropbox employee decrypts your specific user files. Please read and see what decision you come to. [url="http://blog.agile.ws/2011/04/dropbox-security-questions/"]Dropbox Security Questions[/url]



    Cheers!



    Brandt
  • Hi Folks,



    Just wondering if someone would be able to comment on this article regarding the possible access of third parties to the 1Password database stored with Dropbox.

    http://www.infoworld.com/t/data-security/dropbox-caught-its-finger-in-the-cloud-cookie-jar-179?page=0,0&source=IFWNLE_nlt_blogs_2011-05-17



    Many thanks,

    Wolfgang
  • Hi Wolfgang,



    Agile has a blog post on this particular issue:



    [url="http://blog.agile.ws/2011/05/dropbox-security-revisited-plus-ca-change/"]http://blog.agile.ws/2011/05/dropbox-security-revisited-plus-ca-change/[/url]



    Basically, there is no need for alarm.
  • [Deleted User]
    edited May 2011
    [quote name='Wolfgang Riedel' timestamp='1305664525' post='27218']

    Hi Folks,



    Just wondering if someone would be able to comment on this article regarding the possible access of third parties to the 1Password database stored with Dropbox.

    [url="http://www.infoworld.com/t/data-security/dropbox-caught-its-finger-in-the-cloud-cookie-jar-179?page=0,0&source=IFWNLE_nlt_blogs_2011-05-17"]http://www.infoworld...logs_2011-05-17[/url]



    Many thanks,

    Wolfgang

    [/quote]



    Hello Wolfgang and welcome to the Forums!



    I responded to a similar question in another thread: [url="http://forum.agile.ws/index.php?/topic/4451-security-dropbox-authentication/page__view__findpost__p__27133"]Dropbox Security Questions[/url]



    After reading the posts I linked to in my response, I believe that regardless of whether Dropbox [i]decrypts[/i] my uploaded files...specifically, the 1Password.agilekeychain...my 1P data file would still be safe.



    Please read the thread and come to your own conclusion, but I believe the encryption afforded by 1Password would render any Dropbox vault decryption moot. They may be able to view my unencrypted files, but good luck decrypting my 1Password.agilekeychain.



    If you have further questions or concerns, please reply. I'm sure some of AB's security experts will be glad to put your mind at ease.



    Cheers!



    Brandt



    P.S. Thanks to Fooligan for posting a link to the newest Blog post discussing the recent Dropbox news. I had not seen it yet. Hope it is as comforting to you as it was to me.
  • [Deleted User]
    edited May 2011
    Greetings, Wolfgang!



    Just wanted to mention that I've responded with e-mail to your support message about this issue. I surprisingly discovered your topic here while I was composing the e-mail reply. :)



    Thanks, Fooligan and bswins, for your replies here.



    PS: Hope no one minds that I've done a bit of related topic merging here.
  • [quote name='sjk' timestamp='1305686359' post='27234']

    Thanks, Fooligan and bswins, for your replies here.



    PS: Hope no one minds that I've done a bit of related topic merging here.

    [/quote]



    No problem, Scott. There have been a lot of posts concerning the recent Dropbox revelations, as evidenced by Jeff's recent blog.



    I suspect there will be several more posts merged in this thread before it's closed.
  • [url="http://blog.agile.ws/2011/05/dropbox-security-revisited-plus-ca-change/"]http://blog.agile.ws/2011/05/dropbox-security-revisited-plus-ca-change/[/url]



    [quote]Your sensitive information in your 1Password data is extremely well encrypted and we remain comfortable recommending syncing with Dropbox.[/quote]



    For some people the names and locations of the websites that are stored in the 1Password keychain are sensitive information as well.



    Maybe it's good for them to know that, for instance, "typeName", "location" (the URL of the website), "title" (the title of the website), "createdAt" (I think that's the Unix timestamp of the time the password was created) and "updatedAt" (I think that's the Unix timestamp of the last modified time) are stored in plain text.



    Fortunately I read that a new data format which also encrypts this data is currently in beta testing mode (see: [url="http://forum.agile.ws/index.php?/topic/4769-dropbox-insecurity/page__view__findpost__p__27209"]http://forum.agile.ws/index.php?/topic/4769-dropbox-insecurity/page__view__findpost__p__27209[/url])
  • khad
    khad Social Choreographer
    [quote]Maybe it's good for them to know that, for instance, "typeName", "location" (the URL of the website), "title" (the title of the website), "createdAt" (I think that's the Unix timestamp of the time the password was created) and "updatedAt" (I think that's the Unix timestamp of the last modified time) are stored in plain text.[/quote]

    Please take a look at [url="http://forum.agile.ws/index.php?/topic/1958-all-information-is-not-encrypted/page__view__findpost__p__27143"]my post in the thread related to that topic[/url]. (It is a long thread, but feel free to go back and read the whole thing if you want.) :-)
  • Thank you.



    I read the topic (and made it even longer ;) )
  • khad
    khad Social Choreographer
    edited June 2011
    I am going to close this topic for now since I don't want people confusing this older, resolved issue with any other security questions in the future. :-)



    The last post on this topic was over a month ago as of this writing.



    Thanks for all your input, folks!