There is a difference between dropbox’s standard offering and what they sell to businesses. I don’t know too much about their offerings but I would suspect the business version has a far more secure infrastructure than the standard offering.
I mean, it’s not “not secure,” right–it’s just as insecure as SSL/TSL is. Which is to say, a sophisticated attacker could break it. But not as easily as they could break an unencrypted connection or just smash a window and read our files at night, right?
Is this not true for emails stored on a remote server? I would have thought that so long as I’m sending an email that isn’t itself encrypted by PGP or MIME or whatever that the file is encrypted in transit but not on the server. Is that wrong?
This is really the point, I think. Security is relative. The scorn for Dropbox seems misplaced when most places don’t even properly implement encryption in transit for their email server.
That post is a little unclear. Here is how I thought it worked:
Encrypted in transit using SSL
[ul]
[li]Dropbox files[/li][li]Most email clients if properly configured[/li][/ul]
Encrypted with AES-256 on the server (but third party has key)
[ul]
[li]Dropbox files[/li][/ul]
SSL only encrypts your connection with the mail server. The path can look like this:
Sender -----SECURE—> Sender’s Mail Server ----UNSECURE----> Receiver’s Mail Server ----SECURE----> Recepient
The issue is that security was never a part of the e-mail system. When one e-mail server talks to another there is no agreed upon encryption method. So they send it in plain text/unencrypted. It’s getting a lot better as more e-mail providers implement encryption. Google says 84% of outbound e-mails, that is a Google user to a non-Google user, and 72% inbound are encrypted.
https://www.google.com/transparencyreport/saferemail/
It is stored encrypted on the server (for both Dropbox and e-mail). The issue is that the keys are also stored. So if Harry Hacker breaks into Dropbox and steals your data he probably can steal your key as well.
Thanks for the explanations.
I imagine there are cloud file storage companies who offer encrypted storage with the key stored locally. But probably not free 5GB ones.
That’s what SSAE16 SOC2, ISO 27001, and their equivalents are for. Do some research into the various assurance and compliance regimes used by hosted solution providers, and pick an email vendor that complies with those standards. They should be able to give you a third party engagement report from an independent auditor.
S/MIME has been around for 20 years now. It provides complete end-to-end encryption of messages from sender to recipient, as well as encryption of stored messages in the sender’s Sent folder. Encryption of traffic between mail servers is better than nothing, but (unless you use S/MIME or equivalent) stored messages are still unencrypted on disk, where it could be read, for example, by a rogue system administrator. Key management (especially across separate organizations) is still a hassle.
This is ridiculous!
You can walk into your local computer store and get a UPS system for less than the fee for 2 hours of a lawyers time. This will be good enough to cover outages of a half-hour or so , and to gracefully shut the system down after that. Do it!
It is so incredibly stupid not to be doing this that I think Pantastic may have it here – whoever is providing your IT service is making a lot of money off these 24-hour emergency recoveries.