Share

Tresorit review

This is a review of Tresorit’s secure encrypted cloud storage form a user’s point of view. I argue that Tresorit cannot (yet) replace Dropbox. However, Sync.com can.

In short:

  1. Dropbox and Google Drive: do not offer end-to-end encryption. See below.
  2. Tresorit: offers end-to-end encryption, but has a number of security problems in its current version. See below
  3. Sync.com: offers end-to-end encryption, and has only minor security problems. See below.
This text is part of my broader guideline on Internet security.

Dropbox and Google Drive

The Problem

Many of us use and love Dropbox. The software lets users back up their data to the cloud, and share it with other Dropbox users.

However, since 2013, it is clear that any data stored there can be read by secret services. In fact, maybe the most worrying argument against Dropbox comes from the government data request principles from Dropbox itself. Dropbox outlines its demands to the US government:

Dropbox says it will “work hard to reform these laws”. All of this basically tells us that our data is not safe there, and that this is not the fault of Dropbox.

Similar arguments apply to Google Drive.

Encrypted Cloud Storages

Enter encrypted cloud storages. Mind you, basically every cloud service encrypts the data on their servers. But here we talk about services that encrypt the data with a key that only the user knows. This means that even the service staff cannot access your data — even if they wanted to, and even if the government obliged them.

That sounds great, to be sure. But in all the hype about encryption, be aware what this entails: If you forget your password, there is no way to reset your password. This is because even the service staff does not know it, and without it the data is useless.

This so-called zero-knowledge policy also makes a number of other handy features of Dropbox very hard to implement:

Only very few services that advertise zero-knowledge cloud storage actually provide these features. The much-famed SpiderOak service, for example, provides a Web interface, but then the zero-knowledge model breaks.

Another goodie that you may want is two-factor authentication. With this enabled, you are asked not only for your password, but also for an additional security token — such as a number sent by SMS or a code generated by an app. Two-factor authentication is essential to protect your data. Here is the the list of services that offer two-factor authentication.

Another thing you may want is infinite history of file versions. This is because if a malware should ever overwrite your data, you want to be able to go back to the originals. A finite number of versions is not sufficient, because if the cloud service stores the last n versions of files, the malware can simply overwrite the file n+1 times. A history of several days (as Dropbox provides) is acceptable for this scenario.

If you want two-factor authentication and client-side encryption, you find that Tresorit and Sync.com are nearly your only choices. We will now look at each of them.

Tresorit

The Company

Tresorit is a Swiss company that offers encrypted cloud storage. The servers and the data are physically in Europe, which means that European privacy laws apply, which are much stronger than the US laws. In addition, Tresorit offers all of the above desiderata, which is no mean achievement.

The following plans are available: the free plan (called Reader plan) is 1GB, other personal plans are €10 per month (100GB) and €25 (1TB) per month (with 20% discount when billed annually). There are also business plans available based on team size.

Issues with Tresorit

In its current version (2017-02-14), Tresorit leaves some things to be wished for:
  1. You cannot undelete files
    If you delete a file locally on your hard drive, it will be deleted from the cloud as well. If you have unlimited versioning if files, then all the previous versions will be deleted as well. This makes Tresorit useless for people who use the cloud storage mainly to protect them against accidental deletion of files.
    There are two options, though: If you have several devices connected to the cloud, and you delete the file on one of them, then the files will be removed from that device and from the cloud, but not from the other devices. They will be moved to a hidden folder there. If you do not have several devices connected, you can still opt to synchronize your ~/.Trash folder to the cloud. Then every file that gets deleted to the trash on the device is copied to the cloud. If you wish, you can then disable the button that allows emptying the trash. Similar options should be available on Windows.
    It is clear that these options are only work-arounds. They will not protect you if you have only one connected device, and if your files get deleted by software, in which case they may not go to the trash bin.

    Tresorit has contacted me on 2017-02-14, and has stated that “The file recovery feature is in active development, and will be released this year”

  2. You are not protected against Cryptolocker
    Cryptolocker is ransomware, i.e., it is malicious software that installs itself on your computer, encrypts all files, and requires you to pay a sum of money in order to decrypt your files. If you do not pay, then your files remain unusable. You may think that you are protected against this malware if you have a file version history, because you could simply go back in history and restore then original files. However, Cryptolocker creates a new file for each file it treats, and deletes the original file. This means that the problem Number 1 applies: since you cannot undelete with Tresorit, your data is gone.

    When the file recovery feature is implemented, this problem will go away.

  3. A hacker can erase your account
    If you lose your password, you have no way to recover your data from the cloud. This is an unavoidable problem in a zero-knowledge system. Tresorit offers you to reset your account in case you forgot your password: You log in with a wrong password, Tresorit asks if you want to erase your account, sends you a verification email, and if you click on that link, your account is erased. You can then make a new password and upload your data again.
    This is a good idea in principle. However, emails are like postcards: a hacker can easily intercept an email. Thus, if someone wants to harm you, he can just sign in with your login email address and a wrong password, say he wants to delete your account, intercept the verification email, and click on the link there — your data is erased from the cloud. If you did not have a copy on a device, it’s gone forever. Even if you did have a copy, your file version histories will be gone, and your safety net, too.
    Tresorit should ask for two factor authentication before erasing the data.

    Tresorit has told me on 2017-02-14 that “the feature of requiring 2fa for account deletion is in active development and will be released this year”.

I have brought these issues repeatedly to the attention of Tresorit. In 2017, the company reached out to me as described above. I will update my review when I receive new information.

Dropbox does not suffer from these issues. Neither does Sync.com, the encrypted service that I review below.

My view

Tresorit

Tresorit offers encrypted cloud storage and calls itself “the safest place in the cloud”.

My verdict: 3 / 5
In its current version, Tresorit fails to protect against accidental deletion of files, ransomware, and hackers intercepting reset emails.
As far as I can see, Tresorit is one of the most easy to use encrypted cloud services that are out there. It certainly protects your data against the threats in the cloud.

At the same time, Tresorit fails to protect your data from yourself — at least in the current version. If you delete a file, it’s gone. All the unlimited history that you are paying for is gone as well. As a side-effect, you are also not protected against ransomware such as Cryptolocker. Tresorit also does not offer all-around two-factor authentication. Your account can be erased by a simple email.

So I asked myself: What is more likely

or For me, it was clear that the second scenario is way more likely.

Hence, I stayed with Dropbox — until I discovered Sync.com. Read on!

Sync.com

The Company

Sync.com is a Canadian company with around 100,000 clients. Like Tresorit, it offers end-to-end encrypted cloud storage. Like Tresorit, it provides all of the above desiderata. The servers are located in Canada.

The plans currently (2017-02-14) offer 5 GB for free, and 500GB for 50 USD per year. Thus, the service is among the cheapest on the market.

Privacy and the State

Sync.com is located in Canada. This exempts the company from the US Patriot Act. However, Canada is still a member of the Five Eyes. As in nearly all countries, a Canadian company might be forced to hand over customer data by law. One may think that the encrypted data is safe. However, Sync.com could (be forced to) dish out a customized client software that sends the password back to the server. Then the server can decrypt all data. Something comparable has happened in the case of the Canadian email provider Hushmail, which provides encrypted email services.

I have brought this issue up with Sync.com's support, and they have replied in detail. Here are the main points:

  1. Different from the US, Canada requires a court order before law enforcement can force a company to hand over data.
  2. Different from the US, there are no National Security Letters in Canada. That means that the cloud storage company can inform the client if law enforcement requested the client’s data.
  3. As for installing a backdoor in the software: Sync.com does not automatically update the client. As for the Web panel, it’s 100% open source. The Open Source principle is traditionally seen as the best (only?) protection against backdoors, because you could find the backdoor at least in principle.
  4. The EU recently revoked the Safe Harbour agreement with the US, meaning that companies can no longer transfer client data easily to the US. This revocation did not concern Canada, where the privacy laws are stronger.

Security

Sync.com offers all bells and whistles of an end-to-end encrypted cloud storage provider. Two-factor authentication is done by the Google Authenticator App.

At the same time, Sync.com does not suffer from Tresorit’s problems:

  1. Sync.com allows undeleting a file
  2. by help of the undelete feature, Sync.com protects better against the effects of ransomware
  3. Sync.com does not allow changing the password right from the desktop (the change password option can be disabled, and enabling it requires the second factor)
  4. resetting the password in Sync.com can be done only from a computer where the app is installed. Resetting requires the second factor if 2FA is enabled.

As an additional goodie, Sync.com allows changing the password without re-encrypting the entire hard drive (which is what happens in Tresorit). Furthermore, permanent deletion of files is only possible in the Web interface — which requires two factors to access. This configuration is even better than Dropbox, where access to the computer allows permanent deletion of files in the cloud simply by a click on the Dropbox icon.

Issues with Sync.com

Hackers can access the data without two-factor authentication
The following issues remain:
  1. No real two-factor authentication
    The mobile app can access the data with only the password (no second factor needed). The computer client has the same problem. Thus, we essentially have one-factor authentication only.
    The workaround is as follows: You have to give up using the Web interface, except for emergency access. Then you change your password to something really long and random. Use the password to connect your mobile device, and then store the password on paper in a safe place. Erase it from your hard drive and mails. This way, the password acts much like the app-specific passwords of Google: a password that has full access, but that you almost never type. Fastmail uses this technique.
  2. Thief can lock you out
    If someone steals your computer, he can click on the Sync.com icon on your desktop, change your password, and lock you out of your account. Even if you have disabled password change on your computer, he can click on the Sync.com icon on your desktop, go to the Sync.com Web panel, and enable the password change there. If you have two factor authentication, he can circumvent it by switching the two-factor authentication to email (by calling Sync.com, saying he lost his phone), and then receive the email with the second factor on your computer. This way, he can lock you out of your account. Thus, if you lost your computer, chances are that you also lose the backup.
    The workaround is to go to the Web page of your email provider, and set a rule that forwards all mails from Sync.com to (1) another email account of yours that is not synchronized to your computer or (2) to the email account of a friend. This way, the second factor gets caught before it reaches your computer.
    Hackers can lock you out of your account
  3. No fallback policy
    Dropbox (like Google) has a very good fallback policy: each login factor (the password and the second factor) can be reset independently. For example, you can reset your password through a fallback email account, and you can reset your second factor by getting a voice message to your landline. This way, if you ever lose one or both of the factors, you are safe. Sync.com has no such policy. It can’t, because it does not know your password.
    The workaround is as follows: For the password, proceed as in Item 1, and store it in several copies in several safe places. Thus, if you forget it or if one of the safe places burns down, you still have the password somewhere else. As for the second factor, it can be sent upon request also to your email address. This has the disadvantage described in Item 2. More convenient is maybe to set up the Google Authenticator on two phones: When you set up the second factor, Sync.com shows you a barcode. Scan this barcode not just with your own mobile, but also with the mobile of a trusted friend. Then, both mobiles will generate the same codes. This way, you have a convenient backup for the second factor. (It is even possible to just save the barcode to a USB stick, and to scan it with anybody’s phone should no friend’s phone be around.)

I have brought these issues to the attention of Sync.com, and the support said that they were passed on to the engineering team. I have also visited Sync.com in person in December 2016 to this end, and my concerns were taken seriously.

If you would like to see a scientific publication on these types of issues, see Discovering Vulnerabilities of Internet Accounts.

My view

Despite its little drawbacks, Sync.com has convinced me. I am mirroring my hard drive to Sync.com, I have my phone upload the pictures to it, and I synchronize two computers with it. Everything works fine. I am also impressed by the precise, informative, and fast support service.

If you plan to try it out, please use the button below. It gives you and me each 1 extra GB for free (in addition to the 5 GB that are included for free). Thanks!

Try out Sync.com

Legal issues

This page discusses the personal opinion of the author Fabian M. Suchanek. He has no connection with Dropbox, Sync.com, or Tresorit whatsoever other than being a client. The page is available under a Creative Commons Attribution-Noncommercial License. This means in particular that the author does not guarantee the correctness or completeness of this page. The page is made available “as is”, and is for your inspiration only. The page is free of Javascript, of cookies, and counters. The share-button does not transmit information unless clicked.