My Quick Guide to a Less Risky Dropbox

While there are definitely many security-related holes and privacy concerns to be had about the free (but not open-source) Dropbox file sharing service, it has taken the world by storm, including many activist and human rights groups, mostly due to the simplicity and effectiveness of its user experience. As we have seen many times before, software and services that “just work”, will always win out over more secure options with the majority of the population. This post is a quick attempt to share some simple steps you can take to ensure your use of Dropbox, or any similar cloud-based file storage and sharing system, is more properly protected, obscured or otherwise mitigated as a direct threat to the security of your information.

1. Use Dropbox over Tor to stop local network monitors from knowing you are using Dropbox to begin with. This also is a good configuration to use with people who live in places where Dropbox might be blocked, but Tor is not.

Install Tor and use Vidalia (the GUI controller) to connect to the Tor network.

Set Dropbox->Preferences->Network->Proxy Settings to use Tor’s secure SOCKS proxy on localhost, port 9050

2. Set Bandwidth Usage to a low value to avoid creating large spikes in network traffic. This will reduce the likelihood your particular use will be singled out if you are syncing large media files or other transfers.

Set Dropbox->Preferences->Network->Bandwidth Usage to a low value such as 50KB/s for upload and download

3. Use Truecrypt to create encrypted disk volume files inside of Dropbox, and then store your files inside of that. This can still be shared by multiple users, if you use a password based volume.

Download, install and configure the free, open-source TrueCrypt software: http://www.truecrypt.org/

Create a new TrueCrypt volume, stored within a Dropbox folder

All in all, there are more secure ways to share sensitive information, such as using GPG file encryption or another OpenPGP solution, but if you absolutely must use Dropbox, and you are under any sort of threat at all to having the information you store on it used against you, then please follow this advice I have shared.

If you have additional tips, warnings or configurations along these lines, please add them to the comments below.

    13 comments

    1. Hi! I'm Gabriela, an ITP student interested in your social activism class, but I can't find your email anywhere. Can you please email me? You can reach me at gee gee nine six four at nyu.edu. Thanks! 🙂

    2. .@n8fr8 what happens if you decrypt the files while using Dropbox client software? Do the decrypted files get synced to Dropbox servers as a new version?

    3. You might be interested in ownCloud: http://owncloud.org – which is basically a free and open source replacement for Dropbox (and soon MobileMe). It only requires PHP and MySQL/SQLite so you can easily install it on almost any server or your own computer.

      It’s currently in development but we aim to get more and more companys providing the service to make it easy to use. But when self-hosting or using a stationary PC as server is an option, it’s very low risk.

    4. As constructive criticism:

      There are several problems with your methodology.  First, using Dropbox over Tor faces the well known eavesdropping problem.  Any information you want to keep secret, don't send over Tor.  Tor protects your anonymity, but DOES NOT enhance your security.  Exit nodes receive your requests UNENCRYPTED, and therefore can see any information moving over the Tor channel.  They can't see where its coming from, but they can see the contents.  Dan Egerstad, a security consultant and Tor exit node operator, was able to glean email usernames and passwords from people using an unencrypted connection to their webmail.

      Secondly, placing a TrueCrypt file container in your Dropbox is a technologically fine, but highly impractical idea.  Whenever a file is updated locally, it is synced.  So updating a single file in the TC file container will change the composition of the entire TrueCrypt container.  So the whole 4gig file gets updated.  Sending that through Dropbox will be awfully time consuming.

      Anyway, great idea, just a inefficient and insecure in the implementation.

    5. Thanks for the comments, Charles! A quick clarification in response to your thoughtful points.

      Tor is not inherently insecure on the exit, you just only get out what you put in. If your socket connection going in uses SSL, then it will still use SSL on that way out, stopping any eavesdropper from being able to see the contents of your packets. They will only be able to see the destination you are connecting to. In addition, the direct threat I was trying to address with the use of Tor, was network monitoring on the client/in-country end, and not the larger issues of Tor exit eavesdropping. As Dropbox for the desktop does use HTTPS for all API interactions (https://www.dropbox.com/help/2… then using it over Tor for circumvention and anonymity purposes should not cause a problem.
      As for Truecrypt, from what I have read (http://tompurl.com/2011/03/25/… making changes to the contents of a Truecrypt volume only changes some aspects of the actual bits on disk. This means that the binary diffing that Dropbox does results in only the specific changes bits being transfered, not the entire file every time. If for some reason this isn't true, my solution would be either A) use much smaller Truecrypt volumes (a few hundred MB should do for sensitive info) or B) use GPG file encryption for individual files.

      Best,
       Nathan

    Leave a comment