This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

Sync without Dropbox

I'm looking at 1Password as a potential solution for Windows and iPhone (today), and potentially Windows Mobile 7.

I really like the product but the use of Dropbox is a deal breaker for security reasons (requirement for a Dropbox client with full file system access, recent security issues, etc.). I realize that AgileBits is quite committed to supporting Dropbox from the blog posts rationalizing why it's "secure" and how other sync solutions like WebDAV were "unsuitable", but the corporate IT folks here point out that other products are using wireless sync or cloud-based services that don't require installation of a separate client with full file system access.

In one of the other posts here there was a note that a non-Dropbox sync solution was being developed along the lines of the wireless sync available with the Mac. Is there any news on when this might be coming along?

Comments

  • Stefan von Dutch
    Stefan von Dutch Community Moderator
    If you want to sync between Windows and iPhone, I'm afraid Dropbox is currently our only solution.
  • I've heard of no plans to add a Wi-Fi sync option to 1Password for Windows.
  • adzy
    edited July 2011
    edit: nvm
  • BlooBeats
    edited July 2011
I agree with CraigBaltzer, the fact that the only way to sync with the Windows client is through Dropbox is really annoying. Regardless of how many times you guys rationalize and explain why using Dropbox is "secure" for syncing, I still won't feel completely safe using it, especially with all the hoodoo voodoo going on with their ToS recently.
  • DBrown
    DBrown
    edited July 2011
    BlooBeats, the reason we feel Dropbox is secure (no quotation marks needed) for sync'ing your 1Password data is that we feel your 1Password data itself is secure.

    The thing to remember is that, no matter where it's stored, your 1Password data is protected with 128-bit AES encryption:

    - How secure is 1Password? (http://help.agilebits.com/1Password_Windows/security.html)

    Please see these documents for a more thorough discussion of the issue:

    - Security of storing 1Password data in the Cloud (http://help.agilebits.com/1Password3/cloud_storage_security.html)
    - Our blog - Dropbox Security Questions (http://blog.agilebits.com/2011/04/dropbox-security-questions/)
    - Dropbox's blog - Privacy, Security, and Your Dropbox (http://blog.dropbox.com/?p=735)
  • DBrown wrote:
    > BlooBeats, the reason we feel Dropbox is secure (no quotation marks needed) for sync'ing your 1Password data is that we feel your 1Password data itself is secure.
    >
    > The thing to remember is that, no matter where it's stored, your 1Password data is protected with 128-bit AES encryption:
    >
    > <snip>

    Thanks David. I'm sure that AgileBits feels that the data is secure, however without some formal certification of the AES128 implementation then I can't prove it to the security review and audit folks (i.e. the product hasn't gone through an independent CAVP/FIPS validation). All it takes is one small error in the implementation and the strength of the encryption is drastically reduced, as has happened with a number of other implementations.

    The further challenge is the general security "best practice" of not putting something of value "out in the open" regardless of how well you believe it's protected (i.e. "defence in depth"). Sort of the same idea as leaving $1M sitting in a locked briefcase on the front seat of your car in a parking lot; the doors may be locked, but it's still not a good idea, esp. if your car has a history of locks that "pop open" unexpectedly...

    For basic sync between devices within an organization there is no need for the data to be "in the cloud" (a.k.a. Dropbox), so why put it there if it doesn't need to be there? A key part of the successful use of the "cloud" model is to put what's appropriate/necessary "in the cloud", and keep what isn't more closely held. I understand that using Dropbox may be an expedient development choice and OK for the "home/consumer" user, however it's not a sound approach for organizations.

    In any case I understand AgileBits' position on this and we'll move on to looking at other products. I appreciate you taking the time to discuss and hope that the feedback will be useful to the product management team for consideration in future versions.
  • My own opinion on "need to put it in the Cloud" is that sync'ing is far less useful to me if I'm forced to have my Macs, PCs, iPhone, and iPad in the same network to do a sync. With Dropbox sync'ing, I can create, edit, and delete items in 1Password at home, at work, and on the road, and that up-to-date data is available on all those machines and devices, essentially instantaneously, no matter where they are. That's invaluable to me.

    What works for you, of course, may differ. :)

    I ask that you post these thoughts and ideas on our blog, where folks much more technically qualified than I am will be able to respond. There's a series of related posts, the most recent being Dropbox terms (http://blog.agilebits.com/2011/07/dropbox-terms/).

    Thanks, Craig!
  • RRRob
    RRRob Junior Member
    edited August 2011
    My question is, if Agilebits is so confident in the security of the 1Password data format that it doesn't consider concerns over Dropbox security a significant issue, why doesn't it add syncing by other means, i.e., WebDAVS or SFTP, that don't have to involve a third-party server?

    The key problem of using Dropbox in a corporate environment—for any purpose—is the lack of encryption of users' data on Dropbox's servers. It doesn't matter if 1Password's data is encrypted when the Dropbox client will upload anything, e.g., trade secrets, company financial information, product planning, etc., from a user's machine, encrypted or not, and store it in the cloud in an insecure manner. Adding a simple proxy server rule to block Dropbox.com on port 443 is all it takes to close that security hole, break the Dropbox client and web UI, and take 1Password sync with it.
  • Stefan von Dutch
    Stefan von Dutch Community Moderator
    RRReed wrote:
    > My question is, if Agilebits is so confident in the security of the 1Password data format that it doesn't consider concerns over Dropbox security a significant issue, why doesn't it add syncing by other means, i.e., WebDAVS or SFTP, that don't have to involve a third-party server?
    >
    > The key problem of using Dropbox in a corporate environment—for any purpose—is the lack of encryption of users' data on Dropbox's servers. It doesn't matter if 1Password's data is encrypted when the Dropbox client will upload anything, e.g., trade secrets, company financial information, product planning, etc., from a user's machine, encrypted or not, and store it in the cloud in an insecure manner. Adding a simple proxy server rule to block Dropbox.com on port 443 is all it takes to close that security hole, break the Dropbox client and web UI, and take 1Password sync with it.

    We did investigate WebDAV, but it was extremely slow. As for other cloud alternatives, most of them do not offer a mobile API, which is what we need for iPhone, iPad, and Android.

    By the way: your data IS encrypted on Dropbox servers. And because 1Password encrypts your data too, it is actually double encrypted.
  • DBrown
    DBrown
    edited August 2011
    As Stefan points out, no matter where it's stored or how it's transmitted, your 1Password data is protected with 128-bit AES encryption; and Dropbox does, indeed, protect the data stored on their servers with 256-bit AES encryption (https://www.dropbox.com/help/27), so your data should be particularly safe there. Dropbox also uses SSL for all transfers to and from your Dropbox-sync'ed devices, so they're arguably even more secure in transit than Wi-Fi transfers between devices would be.
  • ashleyk
    edited August 2011
    I almost wonder why AgileBits hasn't created a comparable system of their own purely for users of 1Password to store and share their keychain info between their different devices that use 1Password. Throw in some clear T&Cs with a secure setup and I am sure that would be very popular with users and I imagine it could be an integral part of 1Password.
  • It is definitely an interesting idea, but we like to focus on our core competencies. This may be something we explore in the future, along with looking into other 3rd party sync solutions, but for now Dropbox is the best option.
  • Stefan von Dutch wrote:
    > If you want to sync between Windows and iPhone, I'm afraid Dropbox is currently our only solution.

    ...or between 1Password for Windows and any of our other 1Password products.
  • Stefan von Dutch
    Stefan von Dutch Community Moderator
    ashleyk wrote:
    > I almost wonder why AgileBits hasn't created a comparable system of their own purely for users of 1Password to store and share their keychain info between their different devices that use 1Password.

    We investigated that concept, too.
  • RRRob
    RRRob Junior Member
    edited August 2011
    Stefan von Dutch wrote:
    > We did investigate WebDAV, but it was extremely slow. As for other cloud alternatives, most of them do not offer a mobile API, which is what we need for iPhone, iPad, and Android.
    >
    > By the way: your data IS encrypted on Dropbox servers. And because 1Password encrypts your data too, it is actually double encrypted.

    WebDAV may be slow, but it would give corporate IT departments (and those of us with more than a few gigabytes of accessible online storage) an alternative to using an untrusted third-party cloud storage provider to do synchronization. And I'll have to take your word for it at present about Dropbox encrypting data on their servers—I can't access their site from work anymore to read the FAQ. My company did add that little proxy server rule to block access, and I'm now in the process of trying to qualify for an exception.

    In the meantime, I'm using a four-step process to synchronize my work 1Password data with my iPhone: GoodSync to synchronize my old Dropbox folder at work over WebDAVS to my iDisk at me.com (MobileMe), Mac OS X iDisk sync to my iDisk share at home, Dropbox to Dropbox.com, and then 1Password Pro from Dropbox.com to my iPhone. Yes, it's slow, but it works (until iDisk is sunset next year, by which time I'll have something else set up), and it would be faster if 1Password iPhone could sync directly from the iDisk WebDAV share.
  • Thanks for your post, Rob!

    Wow, that sounds like a lot of work just to do what Dropbox does quickly, automatically, and dependably. :(

    Please note that we cannot recommend using iDisk to store your 1Password data (http://help.agilebits.com/1Password3/idisk_syncing.html). You may be satisfied with it, but in our opinion "1Password and iDisk do not work well together at this time."
  • RRRob
    RRRob Junior Member
    edited August 2011
    My use of iDisk is temporary until I get a WebDAVS or SFTP share set up on either my main machine at home or a NAS, at which point I will move the Dropbox folder there and eliminate the iDisk local sync. Hopefully GoodSync and Dropbox can play nicely together when synchronizing the same remote share, but I'll try to avoid testing that.

    But you now understand the problem of relying solely upon Dropbox for syncing, especially in a corporate environment. Large corporations with significant intellectual property place great emphasis upon network security; Dropbox creates a really big hole in that security and requires blocking precisely because its syncing is quick, automatic, and dependable. And don't ask me why remote WebDAV and FTP shares aren't blocked by default by my work network along with certain other cloud storage sites when Dropbox is; I've already made that point to my manager.

    It's ironic that an otherwise excellent family of products designed to improve password security is hampered by its dependence upon another product that corporations see as a threat to their network security.
  • It must be equally frustrating that corporations see one tool as a threat and another equivalent tool as no threat at all.

    What's more dangerous, a blue hammer or a green hammer? :S