[twright0]

Dropbox does not have client-side encryption; its servers have full access to the content of synced files. You can verify this yourself by uploading a common image filetype like jpeg and seeing that the website shows you compressed file thumbnails.

(I'm a former Dropbox employee who worked on related things, though not specifically the linked paper)

[pmiller2]

Yep, that makes sense. IIRC, they also have some sort of global deduplication system, don't they? That also implies they have access to your unencrypted files.

Edit: That's what I get for commenting before reading the paper. They literally mention deduplication in there.

[ghayes]

Not necessarily. You could use homomorphic encryption and, for example, encode the file with a hash of the file as the key material for encryption. All such files will encode identically for each user, but it will be opaque to the server what the contents are unless the server already has the plain-text of the original file. This was used by other cloud storage companies (that are now defunct).

[Dylan16807]

Convergent encryption, not homomorphic, is what you use to deduplicate encrypted files.

[rvnx]

https://techcrunch.com/2011/06/20/dropbox-security-bug-made-...

This makes me believe there is no problem for Dropbox to read content in clear.

[TeMPOraL]

> Not necessarily. You could use homomorphic encryption

I think that's still far from being possible in practice. IIRC, the best homomorphic encryption can do now is to run simple queries on very small datasets, on a supercomputer, with performance of a 386?

[londons_explore]

Mega does client side e2e encryption (or at least they claim to), yet their web interface still shows thumbnails...

I'd guess they implement it by having the client upload an encrypted version of both the original image and a thumbnail, and then decrypting the thumbnails on the client at display time. Javascript has reasonably performant crypto primitives now, so it's very doable to download data from a server, decrypt it with a client side key, and display it.

If mega can do this, it's a shame other services don't.