by pudquick 4121 days ago
FYI - they do certificate pinning for their clients and won't let you proxy the HTTPS connections, last I checked.

I'm not saying this as cause for alarm. Obviously if they were sending the files you could measure the volume of traffic if nothing else.

Make a completely random non-compressible file that's of an arbitrarily significant size (say 1M+) and see if that amount of traffic goes out to them.

I do think Dropbox is watching for filesystem events outside of the locations users specify, but I see zero evidence they're uploading information about the files / the files themselves so far.
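The traffic check pudquick describes, as an added example that is not from the thread: write a 1 MiB file from the OS CSPRNG, confirm it really is incompressible, and compare an interface's transmit counter from before and after the file is placed in a synced folder. The /proc/net/dev snapshots below are constructed sample text, and the interface name eth0 and the Linux counter layout are assumptions.

```python
import os
import zlib

# Constructed /proc/net/dev snapshots (Linux layout) "before" and "after" the
# canary file was dropped into a watched folder. All numbers are made up.
PROC_NET_DEV_BEFORE = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  123456     900    0    0    0     0          0         0   123456     900    0    0    0     0       0          0
  eth0: 5000000   40000    0    0    0     0          0         0  2000000   15000    0    0    0     0       0          0
"""
PROC_NET_DEV_AFTER = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  123456     900    0    0    0     0          0         0   123456     900    0    0    0     0       0          0
  eth0: 5050000   40300    0    0    0     0          0         0  3150000   16100    0    0    0     0       0          0
"""

def make_random_file(path, size):
    """Write `size` bytes from the OS CSPRNG and return them; such data does not compress."""
    data = os.urandom(size)
    with open(path, "wb") as f:
        f.write(data)
    return data

def compression_ratio(data):
    """compressed / original size: about 1.0 (or slightly above) means incompressible."""
    return len(zlib.compress(data, 9)) / len(data)

def parse_tx_bytes(proc_net_dev_text):
    """Map interface name -> transmitted bytes (9th numeric column after 'iface:')."""
    tx = {}
    for line in proc_net_dev_text.splitlines()[2:]:   # skip the two header lines
        iface, _, rest = line.partition(":")
        fields = rest.split()
        tx[iface.strip()] = int(fields[8])
    return tx

def tx_delta(before_text, after_text, iface):
    """Bytes transmitted on `iface` between the two snapshots."""
    return parse_tx_bytes(after_text)[iface] - parse_tx_bytes(before_text)[iface]

def could_have_uploaded(before_text, after_text, iface, file_size):
    """True if enough bytes left the box to have carried the whole canary file."""
    return tx_delta(before_text, after_text, iface) >= file_size

if __name__ == "__main__":
    data = make_random_file("canary.bin", 1024 * 1024)
    print("compression ratio:", round(compression_ratio(data), 4))
    print("eth0 TX delta:", tx_delta(PROC_NET_DEV_BEFORE, PROC_NET_DEV_AFTER, "eth0"))
```

On a live system, read /proc/net/dev (or the equivalent counters on other platforms) into the before/after strings, and remember that a delta large enough to carry the file is only consistent with an upload, not proof of one.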


Maybe

  sed -i 's/old certificate/new certificate/g' /usr/bin/dropbox
Used to work in some software.

EDIT: Matasano has a nice guide for bypassing OpenSSL cert pinning (for iOS apps, but the techniques should be more broadly applicable): http://chargen.matasano.com/chargen/2015/1/6/bypassing-opens...

One can hack Windows HTTPS libs (or OpenSSL, whatever it is) inside the Dropbox process and read unencrypted buffers from memory. Standard and well-documented APIs are easy to locate and hook, especially in dynamic libraries.
If anyone has a Lenovo box, they could use its Superfish feature to get around this.
Superfish doesn't get around pinned certificates.
Plus, anyone can create a root certificate and install it in their own trust store. You don't need Superfish.

I think kweinber was kidding, though.