Note: this article is now archived because the security risks described have since been fixed by Box. I’ll leave the article up for historical information only. In the meantime, consider how ransomware encryption highlights the need for good backups.
Box.com (formerly Box.net) are a major online backup service, previously specializing in the enterprise and business arenas.
Last week I reviewed their offer to home users with Android devices – 50GB free storage for life. This copied an earlier offer for iPhone and iPad users so it appears that Box.com are aiming to expand their home user (Personal account) base.
As the Box service is used by 82% of Fortune 500 companies (according to their website), I didn’t look too closely at the security of these free Personal accounts. However, a reader raised two issues about the level and type of security Box offer to Personal customers:
- Your files may not be encrypted via SSL during transfer to/from Box (Files in transit)
- Your files may not be encrypted within Box servers (Files at rest)
It would surprise me if an established online backup company servicing large enterprises did not provide encryption of files (both in transit and at rest) to all users so I reviewed the Box.com website in the hope of confirming either way.
Box offer 3 types of accounts: Personal (free for home users, including 50GB offer), Business (small to medium sized businesses) and Enterprise (large businesses and corporations). The Enhanced Security page (was at https://support.box.net/entries/20365936-enhanced-security) states that data in commercial accounts (i.e. Business and Enterprise) is encrypted with 256-bit SSL on transfer; Enterprise accounts are enabled with 256-bit AES encryption at rest.
The Security Datasheet for Businesses also states that data is encrypted using SSL on transfer whilst data is encrypted on servers (at rest) using 256-bit AES (Enterprise only).
These statements agree with each other and suggest the following is true:
- Files at rest: 256-bit AES encryption – Enterprise only, NOT Business or Personal
- Files in transit: 256-bit SSL encryption – Enterprise and Business, NOT Personal
Security Of Free Personal Accounts?
I reviewed the Box Customer Support forum and found a question on this issue asked 1 year ago and answered 5 months ago (a delay of 7 months…). In his reply, a Box.com Product Manager stated “Files in free accounts are encrypted on transfer … while business and enterprise accounts also encrypt at rest”.
This appears to contradict the previous scenario in two ways:
1. It says that free Personal accounts do have files encrypted during file transfer. But, if so, what encryption is used? Presumably not SSL or it would have been included in the website info above.
2. It contradicts the website by claiming that Business accounts benefit from encrypted files at rest – all the previous info from the website states that they do not. I assumed the Manager made a mistake but I subsequently found a picture of the Box Storage Cloud showing ‘Data encrypted at rest Enterprise and Business accounts’ – this supports the Product Manager but also contradicts the rest of the website… Again, which is right?
Since the answer given in the Customer Support forum 5 months ago, several users have asked for clarification of these apparent contradictions but, to date, there has been no further official response from Box.
Last week I contacted the Press Department at Box asking for clarification and an official view of security, but I have not received a reply.
Why Is This Important?
As Box state in their Security Overview – Box provide 256-bit SSL security to encrypt the data between the end user and Box. This ensures that all data transferred between Box servers and the internet arrives securely.
In other words, it helps prevent security breaches like ‘man in the middle’ attacks allowing someone to access your files whilst in transit to/from Box. SSL, HTTPS and the ‘padlock’ icon in web browsers are standard security measures found on encrypted sites.
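One way to perform the in-transit check this section describes, as an added example that is not from the original article or from Box: it connects to a host name you supply (the placeholder host in the block is an assumption), verifies the certificate chain and host name against the system trust store, and classifies the negotiated protocol and cipher. The ACCEPTABLE_PROTOCOLS policy is this example's own assumption, not anything Box publishes.

```python
"""Check whether a service endpoint encrypts data in transit (added example)."""
import socket
import ssl
from dataclasses import dataclass

# Assumed policy: anything older than TLS 1.2, or below 128-bit keys, is "weak".
ACCEPTABLE_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
MIN_KEY_BITS = 128


@dataclass
class TransitCheck:
    protocol: str   # e.g. "TLSv1.3" as reported by the negotiated session
    cipher: str     # e.g. "TLS_AES_256_GCM_SHA384"
    key_bits: int   # symmetric key length of the negotiated cipher
    verified: bool  # certificate chained to a trusted CA and matched the host


def assess(check: TransitCheck) -> str:
    """Classify a negotiated session as 'ok', 'weak' or 'untrusted'."""
    if not check.verified:
        # An unverifiable certificate means a man-in-the-middle could
        # present their own and read the files as they pass through.
        return "untrusted"
    if check.protocol not in ACCEPTABLE_PROTOCOLS or check.key_bits < MIN_KEY_BITS:
        return "weak"
    return "ok"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> TransitCheck:
    """Open a TLS session to host:port and report what was negotiated.

    Network errors (DNS failure, timeout, refused connection) propagate to the
    caller; only a certificate verification failure is turned into a result.
    """
    ctx = ssl.create_default_context()  # verifies chain and host name by default
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                name, _proto, bits = tls.cipher()
                return TransitCheck(tls.version(), name, bits, True)
    except ssl.SSLCertVerificationError:
        return TransitCheck("", "", 0, False)


if __name__ == "__main__":
    # Placeholder host: substitute the host your client actually uploads to.
    result = probe("example.invalid")
    print(result, "->", assess(result))
```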
Why are free Personal accounts not offered the same level of protection – or are they? The Pricing page states that Personal, Business and Enterprise accounts benefit from ‘Secure Transfer’ but it is difficult to know whether this is actually true for Personal accounts or not.
Online backup services are a growing business but the market is not yet mature – last week yet another free online backup service announced its closure. Therefore security of files, trust in the service and good customer support should be key concerns for any user looking to store their personal files in the cloud.
Conflicting claims in the Box website and official answers in the customer support forum turned what should have been a simple check of security used for Personal accounts into confusion and contradiction – they raised more questions than they answered.
I offered Box the right of reply to the key queries raised in this article – but received no reply. Without official confirmation, I am still unable to confirm whether Personal accounts have files encrypted in transit or not – and, if so, using what method and level of encryption. There is also a question mark hanging over the security of files at rest for Business accounts as parts of the website differ over whether encryption is used.
Whilst the differences could be genuine mistakes (we all make them!) it is disappointing that Box seem unable to correct them or to answer questions about them. This uncertainty and lack of official comment leave me unable to recommend Box for online backup – regardless of the free 50GB offer.
4 thoughts on “Box.com Security Issues For Personal Accounts”
“… recent successful attacks on cloud storage providers have shown that the security of cloud storage services is often poor. That is also the result of a study “On the Security of Cloud Storage Services” of the Fraunhofer Institute for Secure Information Technology that tested different cloud storage providers. None of the providers tested was able to fully meet all the security requirements.”
The in transit is simple to check.
Free account is using SSL in my testing (29/08/2012) but obviously a public statement whether this would ALWAYS be the case is warranted.
As for whether it is stored encrypted – that is hard to confirm so assume it isn’t until stated in the contract.
Roy, I agree with your conclusion. When there’s this much doubt surrounding an issue, look to the lowest common denominator which in this case is no security. Personally, I don’t subscribe to online backup … period. Maybe I would if I owned and controlled my own servers. As for lifetime, whose lifetime? :)
It’s a shame because the offer itself was a good one (even without synch). The security debacle at DropBox last year should have been a wake-up call for all online backup services to tighten security and encryption methods.