by cstross
5570 days ago
Here's my problem with not encrypting metadata: Suppose we have a determined attacker who is looking to target DropBox accounts. They can attempt to crack username/password pairs, or maybe intercept an entire SSL session and do a brute-force attack on it later. (If there are virgin credit card records in that session stream it may be worth doing this even if the cost is CPU-years.) Letting this attacker see the names of files in a session gives them a clue as to what's stored in the DropBox account in question, and therefore lets them choose their targets -- if a user is uploading nothing but files with names like Hot-Fuzz-Directors-Cut.h264, they probably don't want to bother; but if the user is updating files like customer-accounts-backup.sql or passwords.txt, there may be money to be made. If the metadata is encrypted it forces attackers to tackle accounts at random in hope of finding something worth money. Which is much less attractive because the attacker has to do a lot more work in order to be assured of a pay-off. At the very least, it would be best if the decision of whether or not to encrypt metadata was in the customer's hands. (Then maybe I wouldn't need to keep my business-critical files on DropBox inside an encrypted filesystem image, which almost certainly causes a much worse performance hit than an extra SSL roundtrip.)