Dropbox Security

Website security

Dropbox is by far the most popular cloud storage solution counting more than 300 million users in May 2014.
This overwhelming popularity comes from the ease of use of the service. Because of this overwhelming popularity we took a closer look at the underlying security of Dropbox and our insights are quite interesting.

Website security

Dropbox is accessible by simply logging in to the website: https://www.dropbox.com. And there is already the very positive impression of a strong SSL certificate in place:

Dropbox security

Let’s take a closer look at this certificate: If you click on the green bar - depending on your browser - you are able to retrieve further details of the certificate itself.
So first the most obvious: The green bar indicates that Dropbox installed an Extended Validation SSL Certificate.
This kind of certificate requires an extensive verification of Dropbox by the certification authority before this certificate is issued.
This means that Dropbox:

  • established a legal entity as well as the operational and physical presence of website owner
  • the legal entity has exclusive control over the domain www.dropbox.com
  • confirmed the identity and authority as website owner by signing legal obligations

Technically the green bar just means that the connection is using SSL just like any other https website. So let’s take a closer look on this too.

Dropbox security

We used the most recent version of Google Chrome (Version 39.0.2171.95 m) and found the following technical details on the used SSL connection to https://www.dropbox.com:

Features Analysis 
Connection uses TLS 1.2 Ok 
Connection is encrypted with 128-bit encryption Ok 
Encryption and authentication using AES 128 GCM and ECDHE_RSA Ok 

To sum the above analysis up: The connection is safe! Whereas there is a everlasting discussion going on focussing on 128-bit vs. 256-bit encryption we just want to mention that brute-force attacks against either 128-bit or 256-bit symmetric keys is not much of a concern.
128-bit encryption - as the connection is making use of - is still safe!
What is really important is the exchange of the symmetric keys itself! And for that Dropbox made a wise decision: To use GCM (Galois/Counter Mode). This kind of encryption can take full advantage of parallel processing and provides an authenticated algorithm designed to provide both data authenticiy and confidentiality.

Let's see if the other parts of the Dropbox ecosystem are as safe as the HTTPS connection.