Think Encrypted Cloud Storage is Secure? Think Again, Researchers Say


Academic researchers from Johns Hopkins University have found vulnerabilities in a number of cloud storage providers that claim to have 100-percent user data confidentiality when users store and share files.

The report “‘To Share or Not to Share’ in Client-Side Encrypted Clouds” (PDF) examines Spider Oak, Wuala, and Tresorit as a sampling of cloud storage providers that use client-side encryption, a well-regarded practice that theoretically keeps data encrypted even to the cloud provider that’s hosting it.

What researchers found, however, was that each cloud provider was also operating as a Certificate Authority. So, they were both certificate issuer and certificate authorizer, which presents security risks that could allow a cloud provider to – in some circumstances – create a Public Key to stand in for a trusted third-party and authorize it to allow the service provider to see customer data.

For instance, you could decide to share a folder with a friend, and instead of examining and approving the friend’s key, the cloud provider approves its own key and is granted access to the folder.

This weakness, however, only seems to be apparent when sharing folders and groups in the cloud. It is still safe when a single person is accessing their personal data that is not shared with others.

Still this falls short for the typical boasts of these cloud storage providers, such as, “No one unauthorized not even the cloud storage provider can access the files,” as Wuala claims.

A potential solution to this implementation problem, according to the researchers, is to use best practices such as requiring certificates to be signed by a Trusted Third Party for verification purposes.

Still, researchers found no evidence of customer accounts being hacked, or any suspicious behaviour on the part of vendors. With the Heartbleed OpenSSL vulnerability in very recent memory and rallying any service providers to protect their users, it is perhaps a relief that this cloud storage vulnerability was found at the best time – before damage has been done.

Add Your Comments

  • (will not be published)


  1. George Kaplan

    Have you ever looked into hybrid cloud services? I use a personal cloud server called CloudLocker that offers all the functionality of the typical cloud providers but with the security of the files being on this device on my desk as opposed to a random online server. This is something you should look into I think.

  2. I've been using DriveHQ (I linked it to my name) and they support client-side encryption which I use. Would you recommend I stop storing data this way, or do you estimate that companies will fix this issue? Thanks.