Dropbox uses Secure Sockets Layer (SSL) 3.3 / Transport Layer Security (TLS) to protect data in transit to and from its servers.
Files stored on Dropbox are encrypted at rest with 256-bit AES.
Customers do not hold their own encryption keys; instead, Dropbox encrypts with keys it manages, and the Dropbox team has access to those keys.
The Dropbox security team also runs manual and automated application security testing regularly to identify and patch potential security vulnerabilities, along with any bugs in Dropbox apps.
You can also report any such vulnerabilities or bugs through a third-party service such as HackerOne.
Dropbox does not always encrypt media files streamed from its servers, because not all media players can stream encrypted media files.
Other security features include support for perfect forward secrecy, flagging all authentication cookies as secure, and enabling HTTP Strict Transport Security (HSTS).
To protect user privacy and account security, third-party developers are allowed to create apps for Dropbox only as long as they follow the guidelines and practices Dropbox defines.
Dropbox issues a unique key to every app it registers and can revoke that key if the guidelines or terms and conditions are not followed.
To grant apps different levels of account access without revealing the user's account credentials, Dropbox uses OAuth, an industry-standard authorization protocol.
However, the security on offer is not comprehensive, as was recently made evident when some Dropbox users were targeted by a phishing scam.
The attack lured Dropbox users into revealing their usernames and passwords: they were notified that a shared file was too large to send over email and were asked to click a link, which led to a site that looked like Dropbox.
Another security glitch was identified at Dropbox when it became possible for a third party to search private information on Dropbox.
Dropbox resolved the issue quickly, but not before some sensitive information had already leaked.
As mentioned earlier, Sync.com is a cloud service provider based in Canada, which means there is no need to worry about the NSA surveillance activities that the US government uses to access online data under the Patriot Act.
Sync offers end-to-end encryption: data is encrypted before it reaches the server, while it is stored there, and while it is in transit.
Sync.com uses 256-bit AES for data files on the server and SSL / TLS for data files being transferred, and it ensures that only the user has access to their private 2048-bit RSA keys.
The web browser or the Sync.com client uses these keys to decrypt data when it is downloaded again.
This strong encryption backs up Sync.com's claim that it has no access to your data, which is why it is labelled a zero-knowledge cloud service provider.
However, this level of encryption does make viewing file previews time-consuming, because every image has to be decrypted before it can be displayed.
For additional account security, you can use:
- Two-factor authentication
- Account notifications
- File audit logs
Sync also has its SOC-1 certified data centers audited by KPMG, which helps keep stored files available most of the time.
These data centers enable Sync to offer compliance with various standards, including HIPAA for the US as well as PIPA, FIPPA, PIPEDA, PHIPA and ATIPPA for Canada.
The best part is that Sync.com never learns your password: it is hashed on your device, never transmitted to Sync, and never stored with Sync.
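The password handling described above, as an added illustration of the zero-knowledge model (example code, not Sync.com's actual protocol, whose details the page does not give): the client stretches the password once, derives a login token and a separate key-encryption key by domain separation, and transmits only the token; the server stores a salted hash of that token. The PBKDF2 iteration count, the domain-separation labels and the record layout are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 600_000  # assumed cost parameter, not a Sync.com value


def derive_client_secrets(password: str, account_salt: bytes) -> Tuple[bytes, bytes]:
    """Client side: stretch the password, then split the result into two
    independent secrets by domain separation. The key-encryption key (kek)
    never leaves the device; only login_token is ever transmitted."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 account_salt, PBKDF2_ITERATIONS, dklen=32)
    kek = hmac.new(master, b"kek:file-key-wrapping", "sha256").digest()
    login_token = hmac.new(master, b"auth:login-token", "sha256").digest()
    return kek, login_token


def enroll(password: str) -> Tuple[Dict[str, bytes], bytes]:
    """Simulated sign-up. Returns the record the server keeps and the kek the
    client keeps. The password itself never appears in the server record."""
    account_salt = secrets.token_bytes(16)
    kek, login_token = derive_client_secrets(password, account_salt)
    # Server side: the token already carries 256 bits of stretched entropy, so
    # a salted HMAC is enough to make the stored verifier useless on its own.
    verifier_salt = secrets.token_bytes(16)
    record = {
        "account_salt": account_salt,
        "verifier_salt": verifier_salt,
        "verifier": hmac.new(verifier_salt, login_token, "sha256").digest(),
    }
    return record, kek


def login(record: Dict[str, bytes], password: str) -> Tuple[bool, Optional[bytes]]:
    """Client recomputes the token from the password and the server-provided
    salt; the server compares it with the stored verifier in constant time."""
    kek, login_token = derive_client_secrets(password, record["account_salt"])
    expected = hmac.new(record["verifier_salt"], login_token, "sha256").digest()
    if hmac.compare_digest(expected, record["verifier"]):
        return True, kek
    return False, None


def server_holds_key_material(record: Dict[str, bytes], kek: bytes, login_token: bytes) -> bool:
    """Check that nothing stored server-side equals the kek or the raw token."""
    stored = set(record.values())
    return kek in stored or login_token in stored
```

A compromise of the server record therefore yields neither the password nor the key that protects the user's files; an attacker would still have to guess the password offline against the stretched verifier.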
Even if your device is lost or falls into the wrong hands, the “remote wipe” feature, available with a Sync Pro account, lets you wipe any synced confidential information from your desktop or Mac.
Sync.com is a clear winner in terms of security, with its end-to-end encryption, private keys and hashed passwords.