What do people think of Tresorit?

mattyf
mattyf
Community Member

I like the ideas they talk about, but I don't have anywhere near the technical savvy to know if it more than just talk. I assume the people who post here are quite security savvy... What are the potential downsides? Does Tresorit actually look to be as secure as they say they are?

Comments

  • mattyf
    mattyf
    Community Member

    Nope? No one?

  • jpgoldberg
    jpgoldberg
    1Password Alumni
    edited April 2014

    I've only been able to find one technical document (PDF) describing their system, and that covers authentication only. (They take an interesting approach there.). There are a couple of things about it I don't understand. (Some of their notation is unclear to me), but of the portions that I do understand, I like.

    I also find it interesting that their choice of PBKDF2 over scrypt is exactly the same as ours. I can't fault them for that, as they do the same thing that we do for very similar reasons.

    But without more detail about how it works, it is impossible to really evaluate.

  • jpgoldberg
    jpgoldberg
    1Password Alumni

    I've now found their whitepaper, describing what I need to know. This looks, Tresor looks very, very interesting.

  • benfdc
    benfdc
    Community Member

    I've been happily using SpiderOak for years for secure backup/sync of stuff that I would not entrust to Dropbox. From a quick perusal of the tresorit homepage it looks like the main new feature is secure collaboration. It would be interesting to see a comparative review of the two products.

  • mattyf
    mattyf
    Community Member

    My personal fear is that while I like what they say, I just don't have enough technical knowledge to determine whether its safe to use with something as important as my entire password vault. Any thoughts you guys have would be great, since if I can't trust you all... I'm f-ed anyway! :p

  • mattyf
    mattyf
    Community Member

    Hey JP- Do you have further thoughts after looking at the White Paper?

  • jpgoldberg
    jpgoldberg
    1Password Alumni

    They do some very interesting things in there that allow this service to have a combination of functions and security that I haven't seen anywhere else. There are a couple of academic papers that it is based on, and I would like to get a chance to read those, but I've been busy.

  • mattyf
    mattyf
    Community Member

    Thanks for the quick response. Will you post back here where you do have a chance to read that stuff? And any thoughts you may have about trusting (already encrypted) 1Password vaults to the service?

  • StinkyPants
    StinkyPants
    Community Member

    Ya I just read about them on lifehacker.com. I too would be interested in this topic.

    wouldnt just using Knox prior to putting up to any cloud service be the same? That is kind of end to end encryption isnt it?

  • jpgoldberg
    jpgoldberg
    1Password Alumni
    edited April 2014

    What makes me so interested in Tresorit, is that they appear to have solved a problem of providing strong ACLs (Access Control Lists) in an encryption-only system. Because there isn't an authentication system, the "access" of "ACL" is probably not the right term, but they get behavior which is ACL-like.

    So imagine getting the sharing of Dropbox (with more fine tuned control of granting, say, "read only" permission) while having the security of say, SpiderOak, where the sever operators have no ability to decrypt your data. Their sharing system also allows the original data owner to revoke permissions granted to others. This is a difficult problem for encryption-based systems. (It's easier for authentication based systems, but authentication based systems allow the server operator to have a great deal of power.)

    This is exciting stuff, though if you are not planning on using their sophisticated sharing features, I don't know whether it is worth the underlying complexities involved. But if you want to have those sorts of sophisticated sharing controls along with genuine end-to-end encryption, this looks like the way to go. (Of course I'd like to see more independent analysis; this is a "new" thing and there may well be a design flaw that hasn't been spotted yet.)

  • mattyf
    mattyf
    Community Member

    Would you trust your (already encrypted) 1Password library to this service, JP?

  • jpgoldberg
    jpgoldberg
    1Password Alumni

    Yes @mattyf, I would. I would also want to make sure that I have good backups, in that I wouldn't not want to rely on a new-ish service like this as anything like a substitute for backups.

  • nev
    nev
    Community Member

    I presume keeping a 1Password vault in Tresorit is as secure as keeping it ... anywhere else ?

  • khad
    khad
    1Password Alumni

    Indeed, @nev. End-to-end encryption protects your 1Password data. The same principles outlined in this blog post about Dropbox would apply to any cloud service since your 1Password data is protected independently. :)

    Your Master Password is your defense from Dropbox breaches, real and imagined

  • nev
    nev
    Community Member
    edited May 2014

    @khad - thanks. I note the above points about using reliable local backups with a relatively unknown syncing service, though I have to say that Tresorit does look promising - no-one seems to have beaten their "hack us" challenge yet.

    I guess it would add another layer of security (even if it may be considered superfluous). But Tresorit syncing isn't catered for in the iOS version, is it?

    Slightly off-topic - am I right in understanding that the client password never leaves the client, even in encrypted form?

  • khad
    khad
    1Password Alumni

    But Tresorit syncing isn't catered for in the iOS version, is it?

    That's correct. I should have mentioned that in my previous reply. On the desktop, where we have full access to the file system, you can use any sync solution you choose. On iOS the solution needs to be baked into 1Password since all iOS apps are sandboxed.

    Slightly off-topic - am I right in understanding that the client password never leaves the client, even in encrypted form?

    In 1Password this is absolutely true. Your 1Password Master Password is not stored in your data file. When you enter your MP, an attempt is made to decrypt the encryption key which is 1024 bytes of random data generated when the data file was created. If the MP is correct, the key is provided. Otherwise, nothing is returned.

  • benfdc
    benfdc
    Community Member

    In 1Password this is absolutely true. Your 1Password Master Password is not stored in your data file.

    True unless you ever used older versions of 1Password for iOS that predated 1Password 4.

  • jpgoldberg
    jpgoldberg
    1Password Alumni

    I've actually been having a very nice and helpful conversation with some of the Tresorit people about some technical questions that I had. They have developed to really cool technology. I am deeply impressed with them. They, however, are not particularly impressed with how poor my Hungarian is. (Their English is excellent; so the only communication issues are when I try to "show off" my Hungarian.)

    But as @khad‌ pointed out, without an SDK that we can use on mobile devices, we can't integrate on mobile. Like AgileBits, they are reluctant to talk about new developments until they are actually released. It is so tempting to talk about some of the great things we'd like to bring, but we've been in the situation where we've promised something that was 90% done and the last 10% killed us. We do not want to be in the vaporware business.

    @benfdc is correct that there were (and are) a few cases where the obfuscated Master Password might get written to the iOS keychain. But these are never including in synching. Even when the Master Password was obfuscated in the iOS keychain in 1Password 3, it was never included in anything that synched. (Note also that this applies to 1Password 4.5 and above for Advanced PIN settings that will allow the Master Password to be temporarily stored (obfuscated as well) in the iOS keychain.)

This discussion has been closed.