the_simple_computer

Behind the Curtain of Encrypted Cloud Storage


This site is no longer being maintained and this page has not been updated since December 2012.



Bitcasa

https://www.bitcasa.com

Account activation by emailed link: No

At-rest encryption: 256-bit AES, client-side.

Can view recent account activity from web interface: No

Client automatically updates: No

Client proxy support: No

File name and metadata encryption: No

File size limit: No

Free account expiration due to inactivity: 90 days.

Free account storage size: Unlimited

Info present in public links: Email address (user name), file name & size.

Location: Offices in Mountain View, California. United States.

Platforms: Android, ChromeOS, iOS, OS X, Linux, Windows.

Two-factor authentication: No

Software version used: 0.9.14.1692

Extras of interest: Uses Amazon S3 servers, incentive program, free version will cap at 10 GB starting early 2013.


Bitcasa was launched in January of 2012 and instantly drew attention to its claim of infinite storage. Some scrutiny eventually moved to their use of file-level convergent encryption and while not ideal, it's certainly preferable to plaintext storage.


Bitcasa's client does all the encryption on the user's computer with AES-256 and SHA-256 hashing but remember, Bitcasa has the keys. Their legal info (click the security tab) states that data "may" be encrypted server-side when using mobile devices. That same page also says that when streaming media, some mobile players may be doing so outside the SSL connection.


That's unfortunately all I can tell you about Bitcasa's encryption. They informed me that anything further would be compromising their "secret sauce". No info on account authentication, either. Bitcasa's Twitter page shows a tweet from August 1, 2012 that a 3rd party security review is "on our radar" and they told me they are waiting to get the mobile clients released before submitting all platforms for analysis. They said to expect the audit early 2013 and that it will be made available to users.


* * * * *

So no crypto info, but I did play with the software further. On Dec 17, Bitcasa released a completely redesigned client program so what follows is an update. In its revised form, the client program is actually impressive and that's a huge reversal of my outlook on the previous version. First of all, my main criticisms were resolved and Bitcasa's client is now 100% a file system plugin similar to Dropbox or Google Drive. Gone is the annoyance of going back and forth from Windows Explorer to the Bitcasa client to accomplish ordinary tasks like file sharing.


Bitcasa's four context menu entries have also been condensed into one which expands to show further options. You can now share files in addition to folders, and you can right-click the Bitcasa taskbar icon to see upload progress. To seal the deal, the whole experience feels much lighter and more responsive than their old client.


I found it noteworthy that Bitcasa's terms of service state they will not share your "content" with anyone, including law enforcement. That's a rare thing for an American company to admit outright. Bitcasa is not immune to US court orders or subpoenas but any choice of non-compliance would be theirs to make. To close a Bitcasa account, you must submit a support ticket asking them to do so. Bitcasa's forums contained comments about using Boxcryptor with the client and I also used EncFS with no problems. Truecrypt should work fine, too.


*Update Dec 19* Bitcasa has a known issue where shared links are not terminated when a shared file is deleted from the account. There's nothing the user can do about it because it's a problem with the versioning system. Bitcasa said they're working on a fix but with no release date. I've written more about this here.




Comodo Cloud

https://www.ccloud.com

Account activation by emailed link: No

At-rest encryption: Unknown

Can view recent account activity from web interface: No

Client automatically updates: Yes

Client proxy support: No

File name and metadata encryption: Unknown

File size limit: Unknown

Free account expiration due to inactivity: Unknown

Free account storage size: 5 GB

Info present in public links: Unknown

Location: Offices in New Jersey, United States.

Platforms: Android, iOS, Windows.

Two-factor authentication: No

Software version used: 2.1.8.0

Extras of interest: 200 MB per referral.


Comodo Cloud was a monumental disappointment and there's no way to sugar coat anything here. I half expected Comodo to have one of the best services on this list but instead, it was so problematic that Windows Explorer would just lock up. ANY action in the Comodo storage folder, even a simple right click, took anywhere from about 5 seconds to over a minute. This was on perfectly respectable, all OEM hardware too: a 2.5 GHz Core 2 Duo with over 2.5 gigs of available RAM and a 7200 RPM Seagate Momentus hard drive.


Knowing that some software just doesn't agree with some hardware, I then installed Comodo Cloud onto a laptop with an i5-580M (a top spec Intel Arrandale CPU), 4 GB of RAM, a Momentus XT and even used a totally different network. I had the same vile slowness. I also found the web interface nowhere near as fluid and responsive as Comodo's presentation vid depicts. Ccloud was officially released in October 2011 with version 2.0.6 and it seems this response problem has persisted since even then. Comodo says it will be fixed in the next release but it's mind-numbing to ponder how this can be accepted in any stable release for any length of time, especially for paying customers in an already saturated market, and by a company like Comodo.


* * * * *

Moving on, Comodo Cloud mounts as a separate drive in My Computer. There are no right-click menu entries, instead it has a drag & drop window for uploading which is actually pretty neat. When you start dragging something, the window appears and the opacity fills in the closer you drag and reaches 100% when you drop something on it. It's called the Drop Zone. You can toggle it on or off and position it wherever you like on the screen. The client opens directly into the file manager but to do anything other than adding or removing files or folders, you need to log into the website manager. There is also no upload/download progress readout, which again, how can that be overlooked?


I found one more point of amusement. When logging in to the web interface, you have to do it the long way with a bookmark or typing in the address bar. This is because the software's taskbar menu has no option to open your account in the browser. To delete your Comodo Cloud account, you need to let it sit for 90 days without logging in, so says this forum thread. Ccloud's website is nearly vacant of product information and Comodo did not respond to any inquiries.




Cubby

https://www.cubby.com

Account activation by emailed link: No

At-rest encryption: 256-bit AES, server-side.

Can view recent account activity from web interface: No

Client automatically updates: Yes

Client proxy support: Yes

File name and metadata encryption: No

File size limit: No

Free account expiration due to inactivity: No

Free account storage size: 5 GB

Info present in public links: File name, size, date.

Location: Offices and servers in Woburn, Massachusetts. United States.

Platforms: Android, iOS, OS X, Windows.

Two-factor authentication: No

Software version used: 1.0.0.10881

Extras of interest: Personal key management in development, support WebDav via HTTPS.


Let's define this unconventional word. A cubby is what the company (LogMeIn) calls a folder which you have synced with their service's cloud. Cubby (the software) adds a right-click menu entry for public links and for turning any folder on your computer into a cubby (a synced folder). You can then share contents or even whole cubbies for group projects, you can selectively sync cubbies across multiple devices and between group collaborators and you get file versioning, too. Cubby's client and web portal were very smooth and responsive. I actually enjoyed using Cubby's program and explaining this in words doesn't do their software justice. It's ridiculously efficient and easy to use and with a 1 GB per referral incentive, Cubby is looking very positive.


Cubby's product release blog entry explains that every cubby has its own encryption key which is then encrypted with your password. Cubby was helpful in their support replies, but did not want to elaborate on security matters beyond what's included in the above link. Cubby doesn't have a definite timeline for when the High Security Mode will be available. When it is, the client software will encrypt file and metadata on your computer before uploading, and allow users to manage their own encryption keys completely separate from Cubby's servers. For now, we get the standard server-side AES and Cubby has no current plans for a Linux client. :(


* * * * *

Cubby's web interface lets you fully manage your account and its contents, with the exception of giving users a way to close the account. When creating a new one, you get an email for confirmation but this doesn't activate anything. The account is immediately usable. I noticed that the EasyList Privacy filter for ad blocking extensions does not like the gray bar at the top right of the Cubby account page. This is supposed to open a dropdown menu for account options, but instead it duplicated the page in a new tab. If you use that blocklist, disable the ad blocker for Cubby.com and then the site works fine.

One other thing with Cubby's website was that in Xubuntu, I could not upload because nothing would hook into Thunar and launch the file browser. There was no way to manually enter a file location into the popup window, either. Nautilus in Mint Maya worked fine.


Minor grievances but at this point, I have many good things to say about Cubby. While I'd not store sensitive data on anyone's servers without my own encryption, Cubby would integrate well into casual home and small business use and its ease of use is on par with, if not above, that of Dropbox. I'll be keeping an eye out for their release with the higher security options. If done right, a Cubby account with personal keys could be one of those combinations which raises the bar in its field.




CX.com

https://www.cx.com

Account activation by emailed link: No

At-rest encryption: 256-bit AES, server-side.

Can view recent account activity from web interface: Files uploaded & shared.

Client automatically updates: Yes

Client proxy support: No

File name and metadata encryption: No

File size limit: No

Free account expiration due to inactivity: No

Free account storage size: 10 GB

Info present in public links: File name & size.

Location: Offices in Palo Alto, California. United States.

Platforms: Android, iOS, OS X, Windows.

Two-factor authentication: No

Software version used: 6.0.0

Extras of interest: Media streaming, PCI and HIPAA compliant, 300 MB per referral.


CX gives you server-side AES for at-rest data, a generous storage size for the free account and client software for the major platforms. However, CX needs improvement in the usability area. CX's client is the file manager plugin type (which I personally prefer) but it has no right-click menu entries.


You can password protect shared links but to share anything, you must log into your account through CX's website and create the link. Inconvenient +1 because page loading was slow, though individual actions within each page were fine. Through CX's website, you can view all files your account is sharing and discontinue the links. CX does not deduplicate user data and the Windows client requires Microsoft .NET 4.0.


CX's support left a lot to be desired. The representative omitted my technical questions from initial replies and did not comment on matters of cryptography and account authentication beyond these two points: 1. Everything is encrypted and 2. "Encryption keys are generated by user and group. So each user, as well as each group has a different encryption key."


Section 3 of CX's privacy policy states that they will decrypt user data for law enforcement so CX obviously has access to all keys. After I pressed further for answers, this representative offered to set me up with a phone interview with one of their developers but it never happened. Despite follow-up inquiries, I've not heard anything more from CX.




Cyphertite

https://www.cyphertite.com

Account activation by emailed link: Yes

At-rest encryption: 256-bit AES, client-side.

Can view recent account activity from web interface: n/a

Client automatically updates: Yes

Client proxy support: No

File name and metadata encryption: Yes

File size limit: No

Free account expiration due to inactivity: No

Free account storage size: 1 GB

Info present in public links: n/a

Location: Offices and servers in Chicago, Illinois. United States.

Platforms: Linux, OS X, Unix, Windows.

Two-factor authentication: No

Software version used: 1.4.2-1

Extras of interest: Open source client software, Zero-Knowledge storage, supports IPv6.


Cyphertite is a product by Conformal Systems, an open source software developing firm in Chicago. Cyphertite is ripest for Linux and at an alpha stage for OS X and Windows, both of which have a fully functioning GUI which operates through the browser. This is different than logging into your account through Cyphertite's website (see the pic below) and no special extensions or plugins are needed, the browser is just used as a shell environment.


The GUI, however, is closed code and the back end which it operates is the open part. If you wanted, you can bypass the GUI and run the backend by CLI and/or a scheduled process. Cyphertite on Linux only gives you access by terminal but regardless of platform, it's easy to handle by command line and then there are manpages and this site to help.


* * * * *

Cyphertite was one of two services examined (Senditonthenet being the other) whose security info is outlined entirely in a single, accessible place on their website. Cyphertite's cryptography white paper very thoroughly explains their processes for crypto, authentication and transport. I could not ask for more. Here is a quick overview, see the link for more depth.


Your Cyphertite account will have an encryption passphrase as well as the usual account password. There are four main encryption keys. Three are created from a random 1024 bit string and applying 256,000 rounds of PBKDF2 with AES-256-XTS. The fourth key takes that same process and applies it to your encryption passphrase. The three randomly generated keys are stored in what's called the Secret File, which is encrypted with the passphrase key.


When you create your account, an SHA-256 digest of the account passphrase is derived and sent to Cyphertite's servers. Login to an account with the client is authenticated by creating that digest again, which is compared with the server's copy. The server also receives for comparison your username, the locally stored Cyphertite TLS certificate and the client identification certificate. When the client accesses your account, it decrypts the secret file which contains two checksums for integrity, and the randomly generated file decryption keys mentioned above.


Files are divided into chunks up to 256 KB, then each chunk is encrypted with the chunk and tweak keys. This encrypted chunk is then SHA1 hashed and that digest is stored either locally (unencrypted) or server-side (encrypted), depending on settings you choose on setup. Cyphertite does not perform cross-user deduplication but they dedupe each file chunk within an account.
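The key hierarchy and per-account chunk deduplication described above, as an added sketch that is not Cyphertite's code and not part of the original article. Assumptions: PBKDF2 runs over HMAC-SHA256, a SHAKE-256 XOR stream stands in for AES-256-XTS so that only the Python standard library is needed, the secret file's integrity check is an HMAC, and the third key's name is hypothetical. `convergent_id` shows, for contrast, the content-derived keying that this article attributes to other services.

```python
import hashlib
import hmac
import os

CHUNK_SIZE = 256 * 1024      # "chunks up to 256 KB"
PBKDF2_ROUNDS = 256_000      # round count quoted in the article
KEY_NAMES = ("chunk", "tweak", "third")  # third name is hypothetical

def derive_key(secret, salt, rounds=PBKDF2_ROUNDS):
    """Stretch a secret into a 256-bit key (HMAC-SHA256 PRF is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, rounds, dklen=32)

def _xor_stream(key, iv, data):
    """Stand-in cipher, NOT AES-256-XTS: XOR data with a SHAKE-256 keystream."""
    stream = hashlib.shake_256(key + iv).digest(len(data))
    mixed = int.from_bytes(data, "big") ^ int.from_bytes(stream, "big")
    return mixed.to_bytes(len(data), "big")

def encrypt_chunk(chunk_key, tweak_key, plaintext):
    """Deterministic: the IV depends only on the tweak key and the plaintext."""
    iv = hmac.new(tweak_key, plaintext, hashlib.sha256).digest()[:16]
    return iv + _xor_stream(chunk_key, iv, plaintext)

def decrypt_chunk(chunk_key, blob):
    return _xor_stream(chunk_key, blob[:16], blob[16:])

def new_account_keys(rounds=PBKDF2_ROUNDS):
    """Three keys, each stretched from its own random 1024-bit string."""
    return {name: derive_key(os.urandom(128), os.urandom(16), rounds)
            for name in KEY_NAMES}

def seal_secret_file(passphrase, keys, rounds=PBKDF2_ROUNDS):
    """Wrap the three random keys under the passphrase-derived fourth key."""
    salt, iv = os.urandom(16), os.urandom(16)
    kek = derive_key(passphrase.encode(), salt, rounds)
    body = _xor_stream(kek, iv, b"".join(keys[n] for n in KEY_NAMES))
    tag = hmac.new(kek, b"integrity" + iv + body, hashlib.sha256).digest()
    return salt + iv + body + tag

def open_secret_file(passphrase, blob, rounds=PBKDF2_ROUNDS):
    """Recover the keys; a wrong passphrase fails the integrity check."""
    salt, iv, body, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    kek = derive_key(passphrase.encode(), salt, rounds)
    good = hmac.new(kek, b"integrity" + iv + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong passphrase or damaged secret file")
    raw = _xor_stream(kek, iv, body)
    return {n: raw[i * 32:(i + 1) * 32] for i, n in enumerate(KEY_NAMES)}

def backup(store, keys, data, chunk_size=CHUNK_SIZE):
    """Encrypt, then SHA-1 each chunk; upload only digests the store lacks."""
    manifest, uploaded = [], 0
    for off in range(0, len(data), chunk_size):
        blob = encrypt_chunk(keys["chunk"], keys["tweak"],
                             data[off:off + chunk_size])
        digest = hashlib.sha1(blob).hexdigest()
        if digest not in store:        # same key + same chunk = same digest
            store[digest] = blob
            uploaded += 1
        manifest.append(digest)
    return manifest, uploaded

def convergent_id(chunk):
    """Contrast case: the key comes from the content itself, so every holder
    of the same plaintext computes the same ciphertext digest."""
    key = hashlib.sha256(chunk).digest()
    return hashlib.sha1(encrypt_chunk(key, key, chunk)).hexdigest()

def demo(rounds=PBKDF2_ROUNDS):
    # Constructed sample data: four chunks, two of them identical.
    a, b, c = (bytes([x]) * CHUNK_SIZE for x in (1, 2, 3))
    data = a + b + a + c[:1000]
    alice, bob = new_account_keys(rounds), new_account_keys(rounds)
    store_a, store_b = {}, {}
    man_a, up_a = backup(store_a, alice, data)
    man_b, _ = backup(store_b, bob, data)
    restored = b"".join(decrypt_chunk(alice["chunk"], store_a[d]) for d in man_a)
    return {
        "chunks": len(man_a),                       # 4 chunks in the file
        "uploaded": up_a,                           # 3: the repeat is deduped
        "cross_account_overlap": len(set(man_a) & set(man_b)),  # 0
        "restored": restored == data,
        "convergent_same": convergent_id(a) == convergent_id(bytes(a)),
    }

if __name__ == "__main__":
    print(demo())
```

Because each account's chunk and tweak keys are random, the same file backed up from two accounts yields unrelated digests, which is why deduplication stops at the account boundary; with content-derived keys it would not.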


* * * * *

Cyphertite is backup only, there is no sharing and you can only access your data through the client. In the web browser, you can change your account password and close the account. One gigabyte of storage is the least of anyone else on this list and unfortunately there is no referral program to increase that size. Cyphertite's threat model white paper describes how its authentication credentials can be stored on an external drive which would be useful in a situation where the physical machine could be compromised.


Cyphertite is an exceptionally worthy offsite backup service. Its documentation is superb, it uses strong and well established crypto processes and the simplicity of their program lends to a smooth user experience. There's a Reddit topic from a Cyphertite rep if you want further reading. Cyphertite is part of a very small group of services on this list created with security as a priority which is a great reflection of their philosophies. Can you feel it..? There is much win here.




Dropbox

https://www.dropbox.com/

Account activation by emailed link: No

At-rest encryption: 256-bit AES, server-side.

Can view recent account activity from web interface: Synced devices

Client automatically updates: Yes

Client proxy support: Yes

File name and metadata encryption: No

File size limit: Client no, website 300 MB.

Free account expiration due to inactivity: 12 months

Free account storage size: 2 GB

Info present in public links: User name and file name & size.

Location: Offices in San Francisco, California. United States.

Platforms: Android, Blackberry, iOS, Kindle, Linux, OS X, Windows.

Two-factor authentication: Yes

Software version used: 1.4.20

Extras of interest: Uses Amazon S3 server space, 500 MB per referral.


While competitors have had ample time to learn from Dropbox's mistakes, so has Dropbox. For all the anti-luv this cloud storage posterchild gets from the security & privacy circles, you have to admit that they have considerably cleaned up their act. They also have usability down exceptionally well and the Dropbox client is one of the best here. It's responsive and perfectly integrated into the file system. You get a tidy but useful right-click context menu and you can manage your files and sharing entirely through the client. Previous authentication issues have been improved upon and Dropbox's client now uses an identifier stored in an encrypted local SQLite database file.


And now, the unsavory bits you probably know already. Yes, Dropbox encrypts all your files in AES when they reach the server and they deduplicate with convergent encryption. Accounts use the Dropbox company key, not one which is confidential to you. Thing is, many other cloud companies who use encryption work the same way so it's short sighted to single out Dropbox for this. Searching Dropbox's forums for Truecrypt will show experiences of others successfully combining the two, same for EncFS.


The EADS Group is a French aerospace company whose IT department recently conducted a study on Dropbox's local security and presented these results at the 2011 HACK.LU conference in Luxembourg. The paper gives a very technical analysis of the client's network protocols and how Python is used for local database encryption.




ElephantDrive

https://www.elephantdrive.com

Account activation by emailed link: No

At-rest encryption: 256-bit AES, client-side.

Can view recent account activity from web interface: Usage stat reports, shared link activity.

Client automatically updates: Yes

Client proxy support: Yes

File name and metadata encryption: No

File size limit: 100 MB

Free account expiration due to inactivity: No

Free account storage size: 2 GB

Info present in public links: File name & size.

Location: Offices in Santa Monica, California. United States.

Platforms: Android, Linux, NAS, OS X, Windows.

Two-factor authentication: No

Software version used: 5.1.0

Extras of interest: Manage your personal key, requires Java SE, HIPAA compliant, uses a combination of Amazon S3 and their own data servers.


ElephantDrive is an established but relatively undiscovered little gem which surprised and exceeded my expectations. ElephantDrive does synced storage and full backups; their Lite account is what I tried. You can either use ElephantDrive's own key, or have their software create a personal key for your account which is stored only on your computer. Your personal key is an AES output of your account password. Each file you upload is encrypted once with a random key by the client, then that file's encrypted output is encrypted again with either your personal key, or ElephantDrive's key, depending on which you chose. In addition to that, they're working on a way for users to import their own keys, and they've recently released a beta Linux client.


* * * * *

To create the private key, the plaintext password is MD5 hashed and then manipulated by a proprietary algorithm. This was all ElephantDrive chose to say about key derivation. When logging in to the client, the user's password is hashed and then compared to one which ElephantDrive has for the account. If you do not allow the client to remember your password, the account password is rehashed on each login, not stored. Otherwise, this digest will reside on your computer encrypted with an ElephantDrive key.


When logging in through ElephantDrive's website, the local Java applet performs the hashing process through the web browser, so you do need Java's browser plugins activated. Neither your password, nor your encryption key are sent to ElephantDrive and downloaded files are decrypted only on your computer using Java's browser plugins.


ElephantDrive's client is the file system plugin type. It's responsive and you get one clean entry in the right-click menu which expands for more options. ElephantDrive has link sharing down exceptionally. You get the choice to password protect shared links and when you log in to the web interface, you can see a link's activity history, set expiration dates and unshare active links.


ElephantDrive's web interface can fully manage your account and files within a web browser. Its backup choices give you control over scheduling, versioning and archiving timespans. You can also set inclusion and exclusion rules for backup by location and/or file extension.


* * * * *

The only dislikes I had were with ElephantDrive's use of convergent encryption and a proprietary file encryption algorithm. A proprietary cipher could mean several things and while it isn't necessarily bad, it's not ideal. The 100 MB file upload limit for Lite (free) accounts is weak but usable. I also took annoyance to what passes as a file upload/download status. ElephantDrive's taskbar entry doesn't give a progress readout. Instead, there are activity indicators which appear on the individual file or folder icons you're syncing. Seems very backwards and far less useful than a percentage popup from the taskbar.


ElephantDrive installed Java 6 update 23, but at the time of this writing, Java 6 is currently on update 37. While Java will eventually prompt to be updated, this is a full system-wide Java SE install including browser plugins, not a specific library set exclusively used by ElephantDrive. Install ElephantDrive, run a Java update, then keep both updated. If you are using Windows, set Java up to run in EMET and Linux users should confine Java with AppArmor.


ElephantDrive's support was excellent. All correspondences were answered thoroughly (within their tolerances), even if the representative had to forward my questions to developers.




iDrive

http://www.idrive.com

Account activation by emailed link: No

At-rest encryption: 256-bit AES, client-side.

Can view recent account activity from web interface: Yes, see below.

Client automatically updates: Unknown

Client proxy support: Yes

File name and metadata encryption: No

File size limit: 10 GB

Free account expiration due to inactivity: 90 days

Free account storage size: 5 GB

Info present in public links: Unknown

Location: Calabasas, California. United States.

Platforms: Android, Blackberry, iOS, Linux, OS X, Windows.

Two-factor authentication: No

Software version used: 5.0.1

Extras of interest: Can create your own private key, HIPAA certified (other regulations).


Let us not confuse iDrive for its sibling, iDrive Sync. iDrive is for backups and iDrive Sync is...well, for device syncing but both allow sharing by public links...sort of. See, iDrive allows public links if you use their encryption key. If you create your own entirely separate of their servers, then you cannot create links. iDrive Sync only encrypts server-side with the company key, but it does give you more storage (10 GB instead of 5).


I stuck with iDrive (non-Sync) for the extra security of personal key generation. The Windows client was straightforward to use. Though you create your account through iDrive's website before you download the client, your encryption keys are created when installing the software. You can set inclusion/exclusion rules by full or partial paths and names. You can back up multiple devices to an account and set bandwidth limits. It gives you file versioning from 30 days prior and a single right-click entry to add any file or folder to your backup sets. iDrive for Linux is all CLI but I can't comment on it because I only used the Windows program.


When accessing your account through iDrive's website, you log in with your user name & password and then you can view your account. To access any of your files from in the browser, you must then enter your encryption key. iDrive's account logging was one of the most extensive in this list. You select a date range which shows you a layout containing the method of login (web or client), IP address, actions made and to what locations, date and time.


iDrive gave an absolute minimum for answers to my questions, saying only that the encryption key and "details" for client authentication are stored encrypted locally. Further attempts for more information produced no response.




Memopal

https://www.memopal.com

Account activation by emailed link: No

At-rest encryption: Unknown, client-side.

Can view recent account activity from web interface: Shared file info.

Client automatically updates: Yes

Client proxy support: Yes

File name and metadata encryption: Unknown

File size limit: 200 MB through client, 50 MB through browser, 5 GB for backups.

Free account expiration due to inactivity: No

Free account storage size: 3 GB

Info present in public links: User name and file name & size.

Location: Offices in Rome, Italy. Servers in Rome and two other unnamed continents.

Platforms: Android, Blackberry, iOS, Linux, OS X, Windows.

Two-factor authentication: No

Software version used: 3.0.1 Build 3223

Extras of interest: Supports WebDav over HTTPS, 500 MB per referral.


Memopal is one of few services listed which is not based in the United States. Memopal is a private Italian company with datacenters in Italy and two other continents they chose not to name. From their FAQ, "Memopal guarantees the anonymity of the data recorded on the servers." That is an exceedingly bold and daring claim to make.


Memopal wasn't willing to discuss anything about cryptography. They just said all "available" information is on their website. The site info is abysmally minimal, not even naming the algorithm used for file encryption. From Memopal's description of TurboUpload (deduplication), it seems that a checksum identifier is derived from certain file attributes, rather than using the file itself as an input for the hash function like most other services do. I wouldn't say that's necessarily good or bad, it's just a different way.


* * * * *

Memopal created what they call the Memopal Global File System which breaks up and distributes all files on all accounts among three different data centers. As the encryption link above explains, files are encrypted by the client, then chunked, then distributed to Memopal's servers where they are encrypted again.

It's not specified how a user's file chunks are (supposed to be) distributed to their datacenters be it randomly, geographically or otherwise. Wireshark showed me that from the U.S., all my uploads went to the servers in Rome and that my large upload (a zipped LibreOffice installer with a text file to throw off the deduplication) was broken into 7.5 MB chunks.


Memopal's software is not a client program like we've seen so far. Its main interface is called a Control Panel, used to set preferences like bandwidth throttling, backup scheduling, locations, etc. If you want to manage files and folders, the control panel (or right-clicking on it in the taskbar) will open your Memopal account in the web browser. You also get a Memopal system drive for WebDav located in My Computer.


I liked Memopal's flexibility with file sharing. You get a convenient right-click entry for creating links and uploading folders to your Memopal cloud. Choosing to share a folder from the context menu opens the web browser and gives you an HTML link with option for a recipient's email address. You can log into Memopal's web interface to set link expiration and password protection while it also shows your shared files and their recipients (if the link was sent in an email). Shared links can also stream media.


* * * * *

Memopal has several good ingredients. They certainly seem a decent choice for casual use with non-critical files, but their refusal to even name their encryption cipher casts serious doubt on their trustworthiness. For me, this was Memopal's biggest letdown and an instant dealbreaker.


Additionally, the prognosis for anonymity doesn't look good...and I'm being conservative, phrasing it that way. We know virtually nothing about how the service's security works. Their descriptions are vague and the most important term, "data recorded", is undefined. It may simply mean that encrypted chunked data alone is not identifiable (entirely reasonable and possible) but, how easily can that encrypted chunk be linked to an IP address by server logs?


True anonymity on the internet is not nearly as straightforward as it sounds and becomes even more problematic when you introduce file sharing scenarios. Memopal's client has proxy support, but there is no redirection used by default. There's nothing special about Memopal's software which would grant anonymity, much less guarantee it so the anonymizing would need to be entirely server-side. Server logs, client identifiers, encryption processes, account authentication and how this data distribution is intended to work—these are just some things to take into consideration before even beginning to talk about anonymity. C'mon Memopal, give a little...




Mozy

https://www.mozy.com

Account activation by emailed link: Yes

At-rest encryption: 448-bit Blowfish or 256-bit AES, both client-side.

Can view recent account activity from web interface: Download & backup history, synced devices.

Client automatically updates: Yes

Client proxy support: Yes

File name and metadata encryption: No

File size limit: No

Free account expiration due to inactivity: 30 days

Free account storage size: 2 GB

Info present in public links: n/a

Location: Headquarters in Seattle, United States. Offices worldwide.

Platforms: Android, iOS, NAS, OS X, Windows.

Two-factor authentication: No

Software version used: 2.16.0.215

Extras of interest: Can create or import a personal key, 1 GB per referral.


Mozy is for cloud backups only, you can't share files or make public links. Mozy requires the standard email/username and password to create an account, but also your postal code, gender, year of birth and even some general employment information. Nothing you enter needs to be true or verifiable.


Mozy makes up for this very low hurdle by allowing users to create or import their own encryption keys. If you do this, it must be in AES-256 and your key is stored on your computer, not Mozy's servers. The standard Mozy keys (there are numerous company keys) use 448-bit Blowfish and do allow for your account to be deduplicated cross-user. With your own keys, Mozy's client dedupes only within your account.


When you do a data restore using the Mozy keys, the client will download and then decrypt your data. With a custom key, the restore requires using Mozy's decryption utility (a separate program from the client) to decrypt your data once it's retrieved. Regardless of the key method used, file names are not encrypted but the downloads are through SSL.


Mozy's client creates a system folder in My Computer and gives you bandwidth throttling, backup scheduling and backup location options (Mozy's servers and/or a local drive). You can select which folders you want to upload or use predefined backup sets, or both. You cannot manage files from an internet browser, so your keys never play a part in web access. Through the web interface, you can view account devices, backup histories, restore backup versions and generate referral links. Mozy was unresponsive to all inquiries.




MyOtherDrive

https://www.myotherdrive.com

Account activation by emailed link: Yes

At-rest encryption: 128-bit AES, client-side.

Can view recent account activity from web interface: No

Client automatically updates: n/a

Client proxy support: n/a

File name and metadata encryption: No

File size limit: No

Free account expiration due to inactivity: No

Free account storage size: 2 GB

Info present in public links: User name, file name & size.

Location: Offices and servers in Dayton, Ohio. United States.

Platforms: Web only

Two-factor authentication: No

Software version used: n/a

Extras of interest: Requires Java SE, does not deduplicate user data.


MyOtherDrive is almost entirely Java-based. It's also entirely web-based; there is no client software. When you log into your account, you can view contents, download files and see some other minor account info. Anything else is done through MyOtherDrive's file manager, which is a Java Web Start applet you launch through their website. It's here that you can upload, share files or folders, set your encryption password and set backup times and locations. To close a MyOtherDrive account, you must delete all its contents and write to the company explaining you want it deactivated. Their pricing page says that free accounts will receive ads but I didn't see any.


MyOtherDrive stores the account's encryption key on the user's computer and an account's plain text password authenticates the login to their account. For "security reasons", this is all MyOtherDrive would disclose about their processes.


* * * * *

MyOtherDrive suffers from episodes of user-unfriendliness regarding its encryption, and this comes from the fact that MyOtherDrive does not encrypt at-rest data by default. You must tell the program which folders you want encrypted and you get one encryption key per account, not per file. So if you upload to a folder and then 'encrypt' that folder, its contents are not actually encrypted. What happens is that the folder is now marked for encryption for future file uploads only, and you must re-upload everything that was in the folder before it was selected for encryption.


This actually makes sense because if MyOtherDrive does not have your encryption keys then obviously, folder contents would need to be re-encrypted on your computer by the locally running Java applet. Still, other secure services encrypt everything by default, saving users the hassle and bandwidth of re-uploading. I see this selectable encryption idiosyncrasy as a resource-saving measure taken by the service provider, but again, MyOtherDrive's competition has the upper hand here.


Another issue is with the encryption password. Though you can change your encryption password as many times as you like, the applet will not decrypt everything previously encrypted with the old password and then re-encrypt everything with the new one. Remember, there's just one encryption key per account. If you encrypt some files, then change your password, then encrypt some more files, you will need to revert to the previous password to decrypt the first group of encrypted files. Furthermore, you can share folders containing encrypted files but the recipient needs your encryption password and a Java SE install for decryption. You cannot directly link to files for sharing with a free account.
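
The password-change behaviour described above, modelled as an added example (not MyOtherDrive's code; the company did not disclose its scheme). It assumes the file key is derived directly from the encryption password, and contrasts that with a random data key that is only wrapped by the password, where a password change re-wraps the key and leaves uploaded files alone. The HMAC-based cipher is a standard-library stand-in for AES, and all function names are hypothetical.

```python
import hashlib, hmac, os

def kdf(password: str, salt: bytes) -> bytes:
    # Password-derived key; the iteration count is a demo value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in stream cipher (HMAC-SHA256 in counter mode), NOT AES.
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(8, "big"),
                       hashlib.sha256).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, data: bytes) -> bytes:
    # Encrypt, then authenticate: nonce || ciphertext || tag.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("wrong key or corrupted data")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def direct_key_account(old_pw: str, new_pw: str, data: bytes) -> bool:
    """Assumed model of the described behaviour: file key = KDF(password)."""
    salt = os.urandom(16)
    blob = seal(kdf(old_pw, salt), data)       # uploaded before the change
    try:
        return unseal(kdf(new_pw, salt), blob) == data
    except ValueError:
        return False                           # old files need the old password

def wrapped_key_account(old_pw: str, new_pw: str, data: bytes) -> bool:
    """Alternative: random data key; only its wrapper depends on the password."""
    salt, data_key = os.urandom(16), os.urandom(32)
    wrapped = seal(kdf(old_pw, salt), data_key)
    blob = seal(data_key, data)                # uploaded before the change
    # Password change: unwrap with the old key, re-wrap with the new one.
    new_salt = os.urandom(16)
    wrapped = seal(kdf(new_pw, new_salt), unseal(kdf(old_pw, salt), wrapped))
    # The stored file was never touched, yet the new password opens it.
    return unseal(unseal(kdf(new_pw, new_salt), wrapped), blob) == data
```
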


* * * * *

I was thoroughly unimpressed with MyOtherDrive. Their product seems alright at face value, but it's 5 years behind everyone else. The encryption integration is clunky, limited and overly inconvenient. The Java applet took significantly more time to load than any other service's client needed to start and connect. Every other service listed here felt easier and more fluid to use. Add to that the lack of public sharing and smaller AES key size (128-bit instead of 256), and MyOtherDrive's free account loses a lot of appeal when compared to its peers.


Take a breath. You're only halfway through.

Page II: Cloud Services O Through Z