
Question: How should I choose a secure/private file sharing system?


warren asked on January 05, 2017 19:21


What I want to do

I'd like to share files securely and privately with collaborators in certain scenarios, but it's hard to know what programs or tools are best for this. And it changes as:

  • new tools are released and improved
  • vulnerabilities are discovered in old tools
  • specific needs change

What are the pros and cons of each, so I can make a good decision?



security file-sharing privacy collaborative-tools




1 Answer

OK - just answering my own question here, but I did a short research writeup on what I found:

SpiderOak

https://spideroak.com/

Pro: Serious about UI/UX as a security issue. Seemingly well-thought-through and documented "threat-model based" architecture. 2-factor auth and interesting warrant canary program, though only every 6 months.

Con: While SO publishes the mobile app's source code, it's in a compressed "dump" meaning that a much narrower group of people likely interact with it or read through it for problems. And the desktop version's code is not published. As a result, not good at responding to or fixing vulnerabilities.

History: Published on vulnerabilities in related libraries, but not their own -- and they've had some which they didn't fix for months, despite being alerted.

Peerio

https://www.peerio.com/

Pro: User-friendly, open source client (not server, though a thorough set of guarantees and non-guarantees), regularly audited, fairly active development over past year (although quiet the past month). Free. $5k bug bounty program, 2-factor auth.

Con: Not many?

History: The resigned co-founder had been speaking about a theoretical different backdoored version which would be sold to specific clients, not the standard version. No mention of vulnerabilities in their releases, which sounds a little too clean -- I'd prefer to hear that they found and fixed things. But their bug bounty program is a good thing.

Keybase

https://keybase.io/

Pro: Promising model with Twitter-based verification, GUI coming soon. Cross-platform, 10 GB, open source with healthy active development.

Con: In alpha/beta, and they don't promise not to accidentally delete your data. Currently only command-line, so very limited usability and therefore lots of opportunities for misuse.

History: Good responses to UI-based attack vector reports -- resolved within 1 day. Active bug bounty program with recorded payouts and fixes within 1 day.

This is just my best understanding in an hour or so of research, and could change -- comments, other opinions, corrections welcome!

Also, yay: https://protonmail.com/blog/protonmail-open-source/

