[Security Spotlight] The worst idea in a brave new world: The all-new Boxcryptor 2.0

Some things make life easier. Think about your data. And the way you used to share it. USB sticks, DVDs, CD-ROMs, hard disks - they are a thing of the past. Many people use services like Dropbox, Google Drive, Box and similar as part of their daily routine. Some of them did not think about data security - and just dropped everything into the cloud: from bank data to keys and passwords and such... Others did think about those problems and tried to secure their important files by means of encryption tools like TrueCrypt. But that came at a cost: loss of usability. You just cannot open a file on your Android smartphone on the fly. And occasionally, the TrueCrypt drive would somehow be uploaded to Dropbox a second time as a copy. Really nasty.

But then, Secomba came up with their product: BoxCryptor. A neat little piece of software that mounts a "Cloud Folder" as a local hard drive and encrypts and decrypts files on the fly while you access them via that local mount. Secomba was not reinventing the wheel at that time; they were just using EncFS, already known in the Unix world. And that was really good, as you could just use the BoxCryptor files in Unix by means of EncFS. The apps developed for iPhone, Android and the Chrome browser worked perfectly. All in all: I would recommend these tools and am using them on a daily basis. And I would recommend the same to you.

BUT:

Use the old, deprecated BoxCryptor CLASSIC stuff.

Huh? Yeah! You read that right. Use old, deprecated, soon-to-be stuff. Or use the new BoxCryptor without the cool features... OK. Well, I should explain why I distrust Secomba, the corporation which earned awards from Golem, heise, Forbes, c't and so on: Secomba, like every corporation, tries to make a living from their software, and that is absolutely fine with me. Secomba created BoxCryptor anew, labelling the "old" version BoxCryptor Classic and building the new one with corporations and secure file sharing, i.e. teamwork, in mind. And by doing that, they had to introduce a new feature: centralized storage of your BoxCryptor keys. On their own server. Yes, that is right. If you choose to use the new mode, you upload the keys to your files, bound to your Secomba account, to their servers. You can, however, disagree with that and use it like in classic mode - BUT the new BoxCryptor seems to be incompatible with EncFS, and - even better: you cannot use the new BoxCryptor on more than 2 devices - you have to pay for more... Well, that was another feature that did work on the classic free version - but not anymore.

These are all reasons why I would recommend using BoxCryptor Classic for the security of your cloud files - but discourage the use of the new BoxCryptor 2.0 - even without using the "Save-my-Keys-to-the-Cloud" function - because in my opinion, it is just a devolution of an excellent tool.

And one last word on the "Share Secure Online Function": If you really would like to share a file securely via the net: Send a TrueCrypt drive or host your own local server. Seriously, if you are a CIO, could you advise your people to upload encrypted data - and the passwords - to a server or service not under your control? If you would answer this rhetorical question with "Yes" - then I beg your pardon - but I do not want to work with you and your corporation anymore.

 

As the link to the (still security patched and updated!) BoxCryptor Classic is a bit hidden under the new and shiny BoxCryptor 2.0 stuff... There you go: https://www.boxcryptor.com/de/boxcryptor-classic