It’s a service that’s intuitive, fast, and equipped with an excellent set of features built around usability, syncing, and sharing. Dropbox competitors seem to lag behind this giant in quite a few ways.
We really like Dropbox, but if you want the best security around, it’s time to look elsewhere. We have made a list of 10 secure Dropbox alternatives before, but the focus of this article is about the “why,” as much as the “who.”
We’ve picked the three very best Dropbox competitors for 2017 when it comes to secure storage.
Table of Contents:
The Dropbox Phenomenon
Launched in 2007, Dropbox quickly achieved great popularity and grew to become the first significant cloud-storage service. As of now, Dropbox has approximately 500 million users around the world, who collectively upload about 1.2 billion files each day.
Dropbox is a popular service, and for good reason. It’s easy-to-use and can do almost everything you need it to.
But, is it secure? One word, military-grade security.
If you’ve been shopping for cloud storage with an eye towards data protection, it’s a phrase you’ve probably read once, twice or even a few dozen times. It’s a great marketing pitch, after all, we trust the military to protect us from threats.
If a cloud-storage provider is “military-grade,” they’re probably pretty good, right? The problem is that currently, the military is severely worried about data breaches, putting the lie to the term “military-grade security.”
Not that private organizations are doing any better:
| Year | Company | Records compromised |
|---|---|---|
| 2009 | Heartland | 130 million |
| 2012 | 117 million | |
| 2013 | Adobe, Inc. | 152 million |
| 2014 | eBay | 145 million |
| 2014 | Yahoo | 500 million |
| 2015 | U.S. voter database | 191 million |
| 2016 | MySpace | 427 million |
What’s most striking about this list isn’t the number of records stolen, rather, it’s that most of the thefts have taken place in recent years.
While data security is becoming more advanced, so are cyber criminals — military-grade safety or not. If you want an example of how good criminals are getting, look no further than the 2012 breach, which cost 68 million Dropbox users their privacy.
What Dropbox Gets Right
Before I discuss how Dropbox comes up short in the security department, let’s take a look at what they do right. It’s not like your data is left sitting in the open for all to take, so let’s start with two terms: in-transit encryption and at-rest encryption.
1. In-Transit Encryption
In-transit refers to data getting transmitted over the Internet.
Encrypting data while it’s flying around the web is pretty important; it prevents people from eavesdropping on your activity.
Such intrusions are known as Man-in-the-Middle (MiTM) attacks.
The most common way to encrypt in-transit data is the TLS (Transport Layer Security) protocol. Sometimes, TLS is referred to as SSL (Security Socket Layer), its predecessor, or TLS/SSL.
Dropbox uses TLS to protect data getting transmitted via:
Desktop
Mobile device
Web interface
To its data centers, and vice versa.
Dropbox also incorporates Perfect Forward Secrecy (PFS) into its transfer protocol, which is a way of generating new encryption keys for each communication session. That way, should the keys for one session be compromised, it won’t open the doors to future MiTM attacks.
2. At-Rest Encryption
Once a user’s content arrives at a data center, it usually gets decrypted.
Many online services do not re-encrypt data before storage.
This fact applies to OneDrive users not on its business plans. Before August 2013, it was also true of Google Drive. Why is that a problem? It means that anybody with access to that data can read it.
That includes:
Government agencies
Internet thieves
Dishonest employees
Encrypting stored data is called “at-rest” encryption and Dropbox provides it. Data received from consumers is decrypted and split into blocks.
Each block is then encoded separately using the Advanced Encryption Standard (AES).
AES is the most common cipher used today and typically uses a 256-bit encryption key. To give you an idea of how secure that is, it would take today’s most advanced supercomputer 3.31 x 10^56 years to crack a file encrypted in this way.
What Dropbox Gets Wrong
3.31 x 10^56 years is a pretty long time.
It’s probably enough to convince most consumers that their data is perfectly secure in the hands of Dropbox. However, there are a couple of problems with this line of thinking.
The first has to do with how meta-data is stored:
Basic information about user data (including file names and types), called meta-data, is kept in its own discrete storage service separate from file blocks. This meta-data acts as an index for data in users’ accounts, and is sharded and replicated as needed to meet performance and high availability requirements.
The above quote was pulled from Dropbox’s own description of their security architecture, which also includes a handy graph.
The issue with this setup is that their processing service, where at-rest encryption takes place, doesn’t touch the meta-data.
That means file names, types, sizes, upload/download dates and who knows what else, are left for anyone to see. This scenario may not seem too bad, but there is little you can’t tell about someone using just meta-data.
Case in point, the NSA surveillance program, PRISM, was built around tracking meta-data.
However, the biggest issue with how Dropbox handles its data security is that they can read it in the first place, because they have a copy of the keys used to scramble your data.
According to Dropbox:
Dropbox’s key management infrastructure is designed with operational, technical, and procedural security controls with very limited direct access to keys. Encryption key generation, exchange, and storage is distributed for decentralized processing.
The “limited access” clause should raise a few eyebrows, as they don’t need to keep a copy of those keys at all.
Zero-Knowledge Architecture
Privacy advocates talk a lot about zero-knowledge architecture.
In a nutshell, zero-knowledge architecture is a security setup in which one person, and that person alone, has access to their encryption key (in this case it’s you).
Services that offer zero-knowledge services encrypt all data locally before sending it. Once it’s arrived at the data center, your content and meta-data remain encrypted, because the service doesn’t have the encryption key.
Since they don’t have the key; it means those who breach the service won’t be able to get it, either.
So if they were to acquire your encrypted files, the only way to break in would be a billion-year-long brute force attack executed by a supercomputer.
Dropbox Competitors for Security
Now that you’re hopefully convinced Dropbox is no longer the way to go for the security-conscious, let’s take a look at providers that offer a “Dropbox experience,” but make use of zero-knowledge architecture.
What makes Dropbox great? Here are a few features:
Attractive and intuitive interface
Strong cross-platform support
Ability to sync content across devices
Ability to share content with others
You want a provider that offers these features, but has better security, so let’s meet three Dropbox competitors that do exactly that.
Best Secure Dropbox Competitor #1: Sync.com
Founded in 2011 by the creators of Netfirms, a web-hosting service, Sync.com’s primary mission is to offer a cloud storage service that keeps user data out of the hands of third-parties.
Sync.com is about more than just privacy. Despite being a skeptic initially, I was quickly won over by the user experience.
Here’s why:
Zero-knowledge architecture
Transmitted data protected by TLS/SSL
5GB of free cloud storage (three more than Dropbox)
1GB of additional free storage for each referral
Stores unlimited file versions indefinitely
Keeps deleted file versions indefinitely
A side benefit to using Sync.com, when it comes to user privacy, is the fact that it’s based out of Ontario, Canada.
Why is this important? With an operational headquarters and all data centers outside of the United States, Sync.com users aren’t subject to U.S. privacy laws.
Granted, with zero-knowledge architecture, privacy law isn’t as big a concern.
Since the NSA can’t read your data anyway, but it is an excellent added security blanket and the primary reason why among the three Dropbox competitors mentioned in this article, Sync.com rates first.
Best Secure Dropbox Competitor #2: pCloud
Headquartered in Switzerland, but with their primary data centers in Dallas, Texas, pCloud is a forward-thinking Dropbox competitor that’s definitely worth a try.
Central to their business, is the creation of a technically sophisticated solution that’s still user-friendly. They’ve already built a user base of five million users, despite having been founded in 2013.
Also, starting users off with 10GB of free cloud storage probably doesn’t hurt when trying for such numbers.
Here’s what to like:
Offers zero-knowledge security
File content is encrypted at rest
Transmitted data is secured with TLS/SSL
10GB of free cloud storage (eight more than Dropbox)
File versions are kept for up to 30 days (180 days for subscribers)
Deleted files are kept for up to 30 days (180 for subscribers)
My complaints:
Having to pay extra for zero-knowledge security
Without pCloud crypto, meta-data can be read
No password protection for shared folders
Best Secure Dropbox Competitor #3: SpiderOak
SpiderOak is one of the few US-based cloud storage companies, that not only talks about supporting user privacy, and security, but implements it with zero-knowledge architecture.
One of the things that makes SpiderOak stand out compared to Dropbox, Sync and pCloud, is that it works like a traditional online backup tool, in addition to being designed for file syncing and sharing purposes.
The service also offers a nice desktop tool to facilitate backups of your hard drive.
Unfortunately, SpiderOak doesn’t offer any free storage outside of a 21-day trial (comes with 250GB). However, not only is its original plan reasonably priced at $5 per month, users get a generous 100GB of storage with it.
They also have $9 (250GB) and $12 (1TB) plans.
Beyond that, SpiderOak gets a lot right:
Zero-knowledge architecture
In-transit data is TLS/SSL secured
Integrated zero-knowledge messaging service, called Semaphor
Functions as both a cloud storage and online backup solution
Keeps unlimited file versions indefinitely
Stores deleted files indefinitely
SpiderOaks’ shortcomings:
Lacks a free plan
Located in the United States
Vulnerable to NSA spying
The Verdict
Compared to Dropbox’s huge following, the user base of these three competitors isn’t much of a threat to the giant cloud storage service, but I have a sneaking suspicion all of that is about to change in the future.
As security and privacy issues continue to capture headlines, zero-knowledge solutions are going to become more and more familiar.
Sign up for our newsletter to get the latest on new releases and more.
Getting onboard now is a great way to see what these services are all about. With free plans available for both Sync.com and pCloud, as well as a trial for SpiderOak, there’s zero risk in doing so.
Thank you for reading; which service do you think will provide the best secure alternative to Dropbox?
Let us know in the comments below.