On Wed, Apr 13, 2011 at 11:39, Ben Scott <mailvor...@gmail.com> wrote: > I'm not clear on what "host_id" actually *is*. > > Muffett's comments[1][2] make it sound like Is it the private key > for an asymmetric cipher. If so, then yes, getting it stolen would of > course compromise your Dropbox storage. That's how practically every > modern cryptosystem works. > > However, the original link[3] gives me the impression "host_id" is > not intended to be a cryptographic secret. It sounds more like it's > just some kind of machine serial number or GUID, and it may appear in > (semi-)public URLs and the like. If all you need to access nominally > private Dropbox storage is that ID number, then that's not good at > all. It would be more like authenticating clients solely on their > login username. > > [1] > http://blogs.computerworlduk.com/unscrewing-security/2011/04/practical-dropbox-security-advice/index.htm > [2] Thanks, ASB. > [3] http://dereknewton.com/2011/04/dropbox-authentication-static-host-ids/
I'm not clear on what the Dropbox host_id is either, but Muffett gives the classic example: ssh keys. Good analogy, I think. I share your concern about the host_id implementation, and carry it a little further - Muffett mentioned the threat but didn't mention the mitigation: Use both keys and passwords. This is what should be happening with Dropbox, at least optionally. If it's not even an option, well, then I can't recommend its use to anyone, for any data they care about. Kurt ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin