Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I don't know anything about how Dropbox or Turtl handle data and when they do their encryption but it would still be possible for Turtl to do hash level checking even with client side encryption. They could just hash the file and encrypt it all client side and then send both back to the server. It seems that this article is insinuating that Dropbox has full access to your data (which I dont know is true or not).


> this article is insinuating that Dropbox has full access to your data

They do. They send data over HTTPS from the Dropbox client, and they store it "encrypted" on S3, but they hold the encryption keys and also have full access to the unencrypted data while it's in memory on the servers.

Turtl encrypts all data with the user's personal key before it leaves the client, meaning the server has no access to the unencrypted data.

As far as hashing in the client, that's true, we actually could do that, and it might be a viable option if we ever implement public file sharing. Right now, all sharing is person-to-person (and private).


Cool thanks for the info. I don't actually use Dropbox's service but its awesome to see a solution that cares about the security of its users data.


How will they know the hash coming back from the client hasn't been manipulated?


The request can be signed and then checked for authentication on the back end. Using public key encryption it would be sent safely to the server and checked for authenticity.


Signed by whom? The app running on the client's machine? One should know better than to trust that.


Could they use a homomorphic encryption scheme where it's still possible to verify a hash without getting access to the encrypted data?


Dropbox does have full access to its users data, and uses this property to enable its deduplication and public sharing features.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: