Hi,
I have been in extensive contact with Taylor regarding his security audit, which in my opinion was not correct in some parts. The result was that Taylor agreed to edit his audit report and also the conclusion.
The updated version is here:
https://defuse.ca/audits/encfs.htm
The original version is here:
https://defuse.ca/audits/encfs-old.htm
Based on Taylor's willingness to update the report, I did not feel the need to publicly respond to his report in our blog anymore. This thread here must have slipped through my fingers.
Should we be worried? No, not at all. Regardless of the quality of a 10-hour security audit - which is better than nothing, but not enough to fully understand the internals of EncFS or any other encryption software - 5 out of 7 issues identified are related to the authenticity features in EncFS which Boxcryptor Classic does not have. Boxcryptor Classic guarantees confidentiality but makes no assumptions about the authenticity of the encrypted data. (An attacker could modify your encrypted data without you noticing it - but he would still not be able to decrypt it.)
So only 2 out of 7 issues (2.2 and 2.3) could actually be applied to Boxcryptor Classic. I agree that these are valid issues but no real attack vector has been found and their real-world impact is not clear, e.g. "EncFS's stream encryption is unorthodox [..] This should be removed and replaced with something more standard.".
Best regards,
Robert
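The confidentiality-versus-authenticity distinction Robert draws above (an attacker can alter ciphertext without being able to read it, and the change goes unnoticed unless the data is authenticated) is easy to see in code. The following is an added illustration, not code from EncFS, Boxcryptor or the audit; it does not model either product's file format. It uses a constructed toy stream cipher whose keystream comes from HMAC-SHA256 in counter mode, chosen only so the example runs with the Python standard library; the point is the XOR malleability, which any unauthenticated stream mode shares, and the way an appended MAC (encrypt-then-MAC) turns the silent modification into a detected one. Key, nonce and the sample plaintext are all constructed here.

```python
"""Constructed example: confidentiality without authenticity.

Added illustration, not EncFS or Boxcryptor code. The keystream construction
(HMAC-SHA256 over nonce || counter) is a stand-in for a real stream cipher so
the demo runs without third-party packages; do not use it as a cipher.
"""
import hashlib
import hmac
import os

TAG_LEN = 32  # bytes of HMAC-SHA256 output appended in the authenticated variant


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes as HMAC-SHA256(key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def encrypt_unauthenticated(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: ciphertext = plaintext XOR keystream."""
    ks = keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt_unauthenticated(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    # XOR is its own inverse, so decryption is the same operation.
    return encrypt_unauthenticated(key, nonce, ciphertext)


def flip_plaintext_bytes(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker's move: knowing only where `old` sits in the plaintext (not the
    key), XOR (old ^ new) into the ciphertext so it decrypts to `new` instead."""
    assert len(old) == len(new)
    buf = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        buf[offset + i] ^= o ^ n
    return bytes(buf)


def encrypt_then_mac(key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality plus authenticity: append HMAC over nonce || ciphertext."""
    ct = encrypt_unauthenticated(key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def decrypt_then_mac(key: bytes, mac_key: bytes, nonce: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject any change."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext was modified")
    return decrypt_unauthenticated(key, nonce, ct)


def demo(key: bytes, mac_key: bytes, nonce: bytes):
    """Run the same tampering against both variants.

    Returns (what the unauthenticated variant silently decrypts to,
             whether the authenticated variant detected the tampering)."""
    plaintext = b"transfer amount: 0100 EUR"  # constructed sample record
    offset = len(b"transfer amount: ")

    # Unauthenticated: attacker never learns the key, yet the edit lands.
    ct = encrypt_unauthenticated(key, nonce, plaintext)
    tampered = flip_plaintext_bytes(ct, offset, b"0100", b"9900")
    silently_changed = decrypt_unauthenticated(key, nonce, tampered)

    # Authenticated: identical edit to the ciphertext portion is rejected.
    blob = encrypt_then_mac(key, mac_key, nonce, plaintext)
    tampered_blob = flip_plaintext_bytes(blob, offset, b"0100", b"9900")
    try:
        decrypt_then_mac(key, mac_key, nonce, tampered_blob)
        detected = False
    except ValueError:
        detected = True
    return silently_changed, detected


if __name__ == "__main__":
    changed, caught = demo(os.urandom(32), os.urandom(32), os.urandom(16))
    print("unauthenticated decrypts to:", changed)
    print("authenticated variant detected tampering:", caught)
```

The attacker in `flip_plaintext_bytes` needs only the plaintext layout, which is exactly the situation for structured files whose format is public; the confidentiality guarantee holds (the key is never recovered), but integrity is not part of that guarantee, which is the distinction the post relies on. An authenticated mode such as AES-GCM provides the same protection as the encrypt-then-MAC variant here in one primitive.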