I’ve been reading a lot of blogs and stories related to the dropbox security issue and am surprised at the amount of energy being spent on a different topic, file encrpytion.
A post at wired stated:
The bug was made possible because of the security architecture choice that Dropbox made, where encryption and decryption happen on Dropbox’s servers, rather than on individual’s computers.
Wuala’s blog states:
…problems like these wouldn’t be possible if the files were encrypted already on the client, like Wuala does.
The issue is not encryption, the issue is poor programming and even worse QA.
It is more likely that your computer is infected by spyware that has a keylogger builtin than for your SAAS host to get hacked. Yes, if the SAAS storage host is hacked or broke their authentication it is a major widespread issue. However, if your computer is hacked (again, more common) even that precious client-side security is broken.
Something else to think about, if you rely solely on client-side encryption then you will lose some great benefits like web-based access to files in the cloud, device sync (phones/tablets), collaboration, integration with a business network (active directory), etc.
Don’t get confused on the main issue that dropbox had. The issue with dropbox was a lack of mature protections on code updates.