A Defensive Computing Checklist    by Michael Horowitz
HOME | About | Domain Names | VPNs | Rules of the Road | DC Presentation | ChangeLog | Stats |

SECURE FILE SHARING AND STORAGE

To me, the one thing makes a file storage and file sharing system secure, is whether the employees of the company providing the service can read your files.

The official buzzword that indicates secure file storage is end-to-end encryption. In an October 2024 review of Cloud Backup Services for Wirecutter, Max Eddy used the term "Private-key encryption". This page has included Backblaze for a long time (see below) with the warning that they use three different terms for this: "Private Key", "Private Encryption Key" and "user-selected passphrase". IDrive uses "Private Key". Proton calls it "zero-access encryption". Apple uses the term "Advanced Data Protection". And, end-to-end encryption itself, is also known as E2EE. Lingo is frequently a problem with computing.

When language fails, one indication that a system is using end-to-end encryption is when the provider warns you that if you lose your password (aka key or private key or encryption key) you lose access to your files. That is good.

Quoting the Eddy review: "Any service that manages your encryption keys for you can potentially read your files or hand them over to law enforcement. Using a private key that only you know ensures that only you can access your files. All of our picks allow you to set a private key, but some are more encouraging than others in that regard". He recommended IDrive, Backblaze and Arq.

Another big issue is software - some services require the use of their software, others are available with a web based interface. There will always be features that require installing customized software, but there is a lot to say for a service that is available using just a web browser.

ALWAYS READ YOUR FILES

These file storage companies can read your files

  1. Google Drive
  2. Microsoft OneDrive
  3. Dropbox

READ THIS SECURITY WARNING FIRST

October 20, 2024: Severe flaws in E2EE cloud storage platforms used by millions by Bill Toulas for Bleeping Computer. Several presumably secure cloud storage providers were found to be vulnerable to assorted cryptographic issues that could expose user data. The cryptographic details are beyond me. The research was done by Jonas Hofmann and Kien Tuong Turong from ETH Zurich and they created a website for it: brokencloudstorage.info. They examined five storage providers and found issues with each one. They also note that previous analyses of MEGA and NextCloud showed they too has some security issues. Tresorit came out the best of the five, their flaws were relatively minor. More serious flaws were found in Sync, pCloud, Icedrive and Seafile.

Even without a detailed understanding of the cryptography issues, we can judge the companies by their responses when contacted by the researchers and, then again, when contacted by Bleeping Computer for this article.

  1. pCloud did not respond to either the researchers or to Bleeping Computer. Wow.
  2. Seafile told the original researchers, in April 2024, that they will patch the protocol downgrade issue. But they did not repeat this claim when contacted by Bleeping Computer in October 2024. Instead they said "We don't have anything to comment at the moment.". It would appear that they did not fix anything in the intervening months.
  3. When contacted by the researchers in April 2024, Icedrive decided not to address the issues. When contacted by Bleeping Computer, in October 2024, they said: "We are constantly improving our apps and services, fixing issues and adding new features. We will carefully review our encryption methods and update them to comply with current industry standards."
  4. Sync was first contacted by the researchers on April 23, 2024. As of October 10, 2024, they had not responded to "to multiple attempts to contact them through different channels." They did however, respond to Bleeping Computer with (in part): "Our security team became aware of these issues last week, and we've since taken swift action to address them. We've also reached out to the research team to share findings and collaborate on next steps. The potential data leak issue on links (as reported) has already been fixed, and we are fast-tracking fixes for the remaining potential issues right now."
  5. Tresorit was contacted by the researchers on Sept 27, 2024. They acknowledged the email 3 days later, then nothing for the next 10 days. The gave a long response to Bleeping Computer that is best read in the article.

Taking a step back, the researchers write:

... we show that various products fail in similar ways, indicating that the challenges in this setting are non-trivial. Compare this to more mature fields such as secure channels, where protocols like TLS, SSH, and the Noise framework have been developed and analyzed for decades, or to secure messaging, where the most of the main products are based on the Signal protocol. In contrast, in the field of E2EE cloud storage there are many products that fail at a trivial level, cryptographically speaking. This is a strong indication that more foundational work is required in order to provide more secure products.

NEVER READ YOUR FILES

These file storage companies can not read your files:

  1. Tresorit has no free tier but there is a free 14 day trial that requires both an email address and a credit card. As of October 2024, the cheapest plan is $4.75/month (billed yearly). It is called Personal Lite and it offers 50GB of storage which can be used on 2 devices, a max file size of 2GB and 5 previous versions of files. This plan is new, when I checked in August 2024, the cheapest personal plan was $12/month (billed yearly) for a terrabyte of storage. That plan still exists and it offers 10 previous versions of files, a max file size of 10GB, access from 10 devices and more security around file sharing. The cheapest business plan is $19 month (billed yearly) and offers 6 terrabytes of storage with a maximum file size of 15GB. Tresorit is available on Windows, macOS, Linux, iOS, Android and via the web.
  2. Proton Drive As of March 2024 the free tier offers 5GB of storage (in September 2023, it was only 1GB). The cheapest paid option is $4 US/month for 200GB of storage. Pricing can be confusing because Proton offers many different services and they bundle them. If you pay for Proton Drive, you also get a ProtonMail email address, the same type as they offer for free.
    NOTE: There is an annoyance with Proton Drive. When using the website and downloading a single PDF file (for example) rather than download the file to your computer, I have found that it displays the file in a new browser tab. From this new tab, it has to be downloaded, as a second step, to the computer. If downloading more than one file, this does not happen, as the multiple files are bundled into a .zip file and downloaded normally.
  3. sync.com
    • As of September 2023, a free account comes with 5GB of storage. The cheapest paid account for individual use (they also have team accounts) is $8/month for 2 terrabytes of storage space. In the old days, they offered 200GB for $5/month.
    • Yes, of course, they sync your files across multiple devices but they also have a Vault feature which does not sync. That is, the Vault is just for backup.
    • Steve Gibson uses sync.com and is happy with it
    • Sync.com review: Superb, simple online device sync and backup by Jon Jacobi for PC World March 2, 2023. Surprisingly, this review says nothing about the end-to-end encryption.
  4. FileN lets you keep as many previous versions of a file as you want. The only way to lose an old version of a file is if you delete it manually. There is no file size limit. Free accounts offer 10GB of storage space, the cheapest paid option is 12 Euros/year (as of March 2023 about $13 US dollars/year) for 100GB of space.
  5. pCloud: see the Security Warning section above
  6. Icedrive: see the Security Warning section above
  7. Seafile: see the Security Warning section above
  8. Mega As of March 2023, the free tier offers 20GB of storage. The cheapest paid option is $10.65 US/month for 2 Terrabytes of storage.
  9. Spider Oak was mentioned in this February 2023 article in Ars Technica: Top cloud backup services worth your money by Jim Salter. Quoting from the article: "Although Spideroak makes a big deal of its supposedly ... end-to-end encryption ... we do not recommend taking those claims at face value. Spideroak derives the encryption key from your account password, and if you ever log in to the company's website, you've broken that 'no knowledge' guarantee."

As of October 24, 2024, the website Privacy Guides recommends Tresorit and Proton Drive.

MAYBE READ YOUR FILES. MAYBE NOT.

These file storage companies swing both ways. Depending on how you configure things, they either can or can not read your files.

  1. Backblaze is a major player in the field, with many options, including end-to-end encryption. If you want the best security with Backblaze, you have to pay attention and enable that feature. Their terminology for end-to-end encryption is sloppy. I have seen them call it "Private Key" and "Private Encryption Key" and "user-selected passphrase". Ugh. See their page on encryption and this other page of theirs: Why does the Backblaze website need my private encryption key to restore? (May 2, 2022)
  2. In their own words, iDrive says: "You can also set your privacy to the highest level by creating a private key for your account during signup. That means no one but you will have access to your data. You don't get this privacy with iCloud or Google Drive. We put your privacy in your hands." As of September 2023, they offer 10GB of storage for free, 100GB for $3/year, 500GB for $10/year and up.
  3. Apple could read files stored in iCloud for years and years. However, as of iOS version 16.3 some (not all) files can be stored in iCloud in a way that Apple can not read them. For details on this see: How to: Encrypt Your iPhone from the EFF (Last reviewed: Feb 12, 2024). When Apple can read your files it is called "Standard Data Protection". When they can not, it is called "Advanced Data Protection". Some data Apple can always read are your Contacts, Calendar and iCloud Mail. Some data you can store such that Apple can not read: Health data, iCloud Drive, Messages in iCloud and Photos. The article also has details on how to enable the more secure type of file storage.

 

 This page: 7 views per day (over 744 days)   Total views: 5,306   Created: January 31, 2023
This Page
Last Updated

November 21, 2024
Site Page
Views TOTAL

 1,097,422
Site Page
Views TODAY

  53
Website by
Michael Horowitz
@defensivecomput
top
Copyright 2019 - 2025