Security: Dropbox Authentication


Comments

  • khad
    1Password Alumni
    edited May 2011
    I think Tommy is referring to Knox. ;-)

    It is a delicate thing, but the short version is that if you use .sparseimages and only open them on one computer at a time, you should be fine. Generally speaking, though, he is correct. Knox + Dropbox is not advised. Y'all power users may proceed at your own risk. It's how I roll, but I also have other backups. :-D

    Check out the "Syncing Knox Vaults" page in the Knox User Guide for further details.

    This has also been discussed in the Knox forum.

    Your mileage may be different than my own in this regard.
  • thightower
    Community Member
    khad wrote:

    I think Tommy is referring to Knox. ;-)


    Eh could be, hehe

    As your link indicates, use sparseimages; they are less prone to corruption. I can't say for sure either way, but many, many smart folks I know suggest this ... and I am in no way gonna think they don't know what they are talking about.
  • The only reason I use Dropbox for 1Password sync is due to the iPhone app. If you guys added WebDAV support, I would feel a whole lot better in general. I like having my stuff on my own boxes. That's ironic considering I do sysops for one of the cloud products of my employer.
  • Mark Sealey
    Community Member
    Version 2.1.31 was released yesterday.
  • thightower
    Community Member
    Mark,

    Forgive me if I am incorrect here, but if you are referring to Dropbox, it is actually v 1.1.31, not 2.1.31.

    The 2 you see is actually a little fudging on the Dropbox team's part in order to get around a few limitations on Lion.

    True, the app info screen says 2.xx etc., but look at the pref pane: it says 1.1.31.

    As I said, if that's not what you're talking about, then please ignore me :)
  • Mark Sealey
    Community Member
    Thanks for the clarification; I am sure you must be correct.

    I'm on Snow Leopard, however - 10.6.7, and the Version in my Info box still says 2.1.31…

    Curiouser and curiouser :-)
  • jpgoldberg wrote:

    Yeah. I was waiting to see whether the folks at Dropbox have a reason for the bizarre permissions on those files before recommending this change. I've tested this myself, waiting to see if anything broke, but it works fine for me.

    1Password does read your .dropbox/config.db to find out where your Dropbox folder is, but it doesn't need the wide open file permissions for the config data that come with the Dropbox installation.

    So to clarify sjk's advice, Mac users can paste that command he gave into a Terminal window and press RETURN. Terminal.app can be found in the Utilities folder under /Applications. This will put some restrictions on access to the Dropbox configuration information file.

    Cheers,

    -j

    Many thanks for this.
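
The permission tightening discussed in the post above, as an added example that is not part of the thread and is not the command sjk gave (that command is not reproduced on this page). It assumes the restriction means removing group and other access with `chmod`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit and tighten permissions on a Dropbox config file.
# Usage: sh audit.sh ~/.dropbox/config.db   (path as named in the post)

# Print the octal permission bits (GNU stat first, then BSD/macOS stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Succeed if group or others hold any read/write/execute bit on the file.
is_exposed() {
    mode=$(file_mode "$1") || return 2
    # Mask with 077 to keep only the group and other bits.
    [ $(( 0$mode & 077 )) -ne 0 ]
}

# Remove all group/other access; the owner's bits are left unchanged.
restrict() {
    chmod go-rwx "$1"
}

# Report the current state and tighten only when needed.
audit_and_fix() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "missing: $f"
        return 2
    fi
    if is_exposed "$f"; then
        echo "exposed (mode $(file_mode "$f")): $f"
        restrict "$f" && echo "now mode $(file_mode "$f")"
    else
        echo "owner-only (mode $(file_mode "$f")): $f"
    fi
}

# Act only when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_and_fix "$1"
fi
```

Running it a second time on the same file should report `owner-only`, which confirms the change stuck after Dropbox has restarted.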
  • khad
    1Password Alumni
    Welcome to the forums, Dandypandy and Andy! (That makes me chuckle a bit to myself.)

    We are constantly evaluating the sync landscape to see when and if we need to make some changes. We did look at WebDAV in the past and there were some performance problems, but that doesn't mean we won't revisit the idea. It's what keeps us agile. :-)

    Thanks for letting us know you would be interested in this.

    Andy, on behalf of sjk and Jeff, you are quite welcome! I'm glad that you have found that tip useful. Hopefully there are many more where that came from if you stick around here. :-)

    Cheers,
  • Felix
    Community Member
    Since the Agile team has frequently touted Dropbox here on the forums, I'm wondering if there's anything in this complaint which we need to be concerned about. Are our 1Password passwords still adequately protected by our master password and unreadable by Dropbox employees as alleged by Christopher Soghoian?
  • bswins
    edited May 2011
    Felix wrote:

    Since the Agile team has frequently touted Dropbox here on the forums, I'm wondering if there's anything in this complaint which we need to be concerned about. Are our 1Password passwords still adequately protected by our master password and unreadable by Dropbox employees as alleged by Christopher Soghoian?


    Felix,

    I am not an encryption expert (or layman for that matter), but your question was discussed quite a bit in the Lounge. I'm sure one of AB's experts will respond to your inquiry, but I thought you would like to read the most recent debate: Security: Dropbox Authentication

    Based on that thread and a blog post by AB's Chief security guru, Jeff Goldberg, I believe that the 1Password.agilekeychain is still safe, even if a Dropbox employee decrypts your specific user files. Please read and see what decision you come to. Dropbox Security Questions

    Cheers!

    Brandt
  • Wolfgang Riedel
    Community Member
    Hi Folks,

    just wonder if someone would be able to comment on this article regarding the possible access of third parties to the 1Password database stored with Dropbox.
    http://www.infoworld.com/t/data-security/dropbox-caught-its-finger-in-the-cloud-cookie-jar-179?page=0,0&source=IFWNLE_nlt_blogs_2011-05-17

    Many thanks,
    Wolfgang
  • Fooligan
    Community Member
    Hi Wolfgang,

    Agile has a blog post on this particular issue:

    http://blog.agile.ws/2011/05/dropbox-security-revisited-plus-ca-change/

    Basically, there is no need for alarm.
  • bswins
    edited May 2011

    Hi Folks,

    just wonder if someone would be able to comment on this article regarding the possible access of third parties to the 1Password database stored with Dropbox.
    http://www.infoworld...logs_2011-05-17

    Many thanks,
    Wolfgang


    Hello Wolfgang and welcome to the Forums!

    I responded to a similar question in another thread: Dropbox Security Questions

    After reading the posts I linked to in my response, I believe that regardless of whether Dropbox decrypts my uploaded files...specifically, the 1Password.agilekeychain...my 1P data file would still be safe.

    Please read the thread and come to your own conclusion, but I believe the encryption afforded by 1Password would render any Dropbox vault decryption moot. They may be able to view my unencrypted files, but good luck decrypting my 1Password.agilekeychain.

    If you have further questions or concerns, please reply. I'm sure some of AB's security experts will be glad to put your mind at ease.

    Cheers!

    Brandt

    P.S. Thanks to Fooligan for posting a link to the newest Blog post discussing the recent Dropbox news. I had not seen it yet. Hope it is as comforting to you as it was to me.
  • sjk
    1Password Alumni
    edited May 2011
    Greetings, Wolfgang!

    Just wanted to mention that I've responded with e-mail to your support message about this issue. I surprisingly discovered your topic here while I was composing the e-mail reply. :)

    Thanks, Fooligan and bswins, for your replies here.

    PS: Hope no one minds that I've done a bit of related topic merging here.
  • sjk wrote:

    Thanks, Fooligan and bswins, for your replies here.

    PS: Hope no one minds that I've done a bit of related topic merging here.


    No problem, Scott. There have been a lot of posts concerning the recent Dropbox revelations, as evidenced by Jeff's recent Blog.

    I suspect there will be several more posts merged in this thread before it's closed.
  • Pazzie
    Community Member
    http://blog.agile.ws/2011/05/dropbox-security-revisited-plus-ca-change/

    Your sensitive information in your 1Password data is extremely well encrypted and we remain comfortable recommending syncing with Dropbox.


    For some people the names and locations of the websites that are stored in the 1Password keychain are sensitive information as well.

    Maybe it's good for them to know that for instance "typeName", "location" (the url of the website), "title" (the title of the website), "createdAt" (I think that's the unix timestamp of the time the password was created) and "updatedAt" (I think that's the unix timestamp of the last modified time) are stored in plain text.

    Fortunately I read that a new data format which also encrypts this data is currently in beta testing mode (see: http://forum.agile.ws/index.php?/topic/4769-dropbox-insecurity/page__view__findpost__p__27209)
  • khad
    1Password Alumni
    Maybe it's good for them to know that for instance "typeName", "location" (the url of the website), "title" (the title of the website), "createdAt" (I think that's the unix timestamp of the time the password was created) and "updatedAt" (I think that's the unix timestamp of the last modified time) are stored in plain text.

    Please take a look at my post in the thread related to that topic. (It is a long thread, but feel free to go back and read the whole thing if you want.) :-)
  • Pazzie
    Community Member
    Thank you.

    I read the topic (and made it even longer ;))
  • khad
    1Password Alumni
    edited June 2011
    I am going to close this topic for now since I don't want people confusing this older, resolved issue with any other security questions in the future. :-)

    The last post on this topic was over a month ago as of this writing.

    Thanks for all your input, folks!
This discussion has been closed.