Boxcryptor security audit or cryptanalysis

cooperq

Does anyone know if there has been a security audit or cryptanalysis done or published anywhere for boxcryptor?

Christian

Hello cooperq,

While an audit is without any doubt useful, it is not viable for a software that is constantly updated, due to the fact that after every small change, a new audit would have to be performed. For this reason, we decided to focus our resources on new features and a short response time to bugs and problems.

We have, however, described our encryption mechanism in detail at https://www.boxcryptor.com/en/technical-overview/. So security specialists in the community can feel free to verify the security of our product.

Best regards,
Christian

Bobuscho

Christian, while i agree with you on the update frequency, an audit would at least prove that you guys are capable of designing a piece of software that worked well and securely *in the past*.

This - at least - would reassure, that you would be able to develop a good piece of encryption software in the future.

Without an audit, no one will know if your code and your security setup a) really matches the technical overwiev (as bc is closed source) and b) has been secure enough in the past.

An audit would furthermore be a sign of confidence in your own software.

So far, Boxcryptor has not been audited, is not open source, has unresolved flaws (just look at this forum!) and is quite expensive in the premium version...i strongly suggest spending the money you earn from us to get a strong security audit.

Without an audit or a FOSS client, i don't trust your software enough but to use it for some unimportant files...which prevented be from renewing my premium subscription.

Today, you are only able to do successfull business because the competitors are either dead (cloudfogger), possibly flawed by NSA (viivo etc...) or not mature enough (Cryptomator).

Once Cryptomator is mature enough, you are running into serious problems. At least my own company will switch immediately to a FOSS product...

Christian

Well I've got an update and some good news on this: We actually do have an audit of our Boxcryptor Windows App in cooperation with Kudelski Security now! Head over to https://www.boxcryptor.com/en/blog/post/security-audit/ for a detailed analysis and a link to the complete report.

homer_2424

Kudos to you guys. While this audit does not prove the non-existence of any security flaws (as no audit or assessment does), it shows that you do have the intention to develop a secure solution and to improve it continuously.