Dropbox Forums: New Sharing Model (forums.dropbox.com)
Sharing with just people I know is one thing, but creating a web page of some of my data is another.
I don't know, it just doesn't feel right.
Dropbox, remember, you're dealing with private files on our personal computers, and one step too far and you're looking at mass exodus. Learn from Facebook. Use caution with new features.
Maybe it's all perception, but this makes my private files feel dangerously close to the wide open web.
Dropbox, don't make me feel dumb for using your service for stuff that matters. If your service is meant for funny cat pictures and not my tax returns, please tell me now.
I helped build this feature and just wanted to say we're as concerned about privacy and security as you are. A couple specifics that might help:
* No feature is for everyone -- this is opt-in in the strictest sense. (And, since you pick the files/directories, as fine-grained as you want.)
* You can disable a link anytime: from the sharing tab (https://www.dropbox.com/share), click "Linked Items" to see all your links and disable anything.
* 3 means of sharing (shared folders, a public dir, and sharing links) gives you more control over privacy, not less.
* Similar to etherpad links, the shortened db.tt links are public but unfeasible to guess. We've heard a few concerns about the 6-digit hashes -- well, as more links are shared, don't assume the hash will stay at 6 digits :) can't get into details but we do a few more things to make link fishing near-impossible.
I'm signing my parents up to coordinate pics, music and videos soon.
Or they could just add a "download folder" link, but that sounds boring. It also looks like they want people to use "Copy to my Dropbox" for that, which would lead to more signups.
Hash is 6 characters long, characters are alphanumeric (a-zA-Z0-9). So that makes:
(26 * 2 + 10) ** 6 => 5.6E10
That looks like a big number, but it isn't. Because at the scale of Dropbox there will be 10 million links out there in no time. So then the math goes: ( (26 * 2 + 10) ** 6 ) / 10_000_000 => 5680
So you have to make only a few thousand guesses to get a random file from another user. I'd say that's not very secure. Note that the links redirect to a page with a far longer (and presumably far more secure) hash code. Any time you see short hash -> longer hash, alarm bells should go off.
I'm assuming the share links last forever. If the share links lasted only 24 hours, then the system would look pretty safe.
Anyway, this is only my first impression. I might very well be wrong. Either way I think it's pretty silly to give up so much entropy to get a prettier URL. Why not just use the complete 128-bit hash?
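Added example, not part of the original thread and not Dropbox's code: the comment's keyspace arithmetic generalized into a sizing check for unguessable share-link tokens, covering more token lengths than the 6-character case discussed. The function names, the 10^9 guess budget and the 10^-6 target probability are assumptions chosen for illustration.

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # a-zA-Z0-9, 62 symbols


def expected_guesses(token_len, live_links, alphabet_size=62):
    """Mean number of uniformly random guesses until one matches any live link."""
    return alphabet_size ** token_len / live_links


def hit_probability(token_len, live_links, guesses, alphabet_size=62):
    """Chance that at least one of `guesses` random tokens is a live link."""
    density = live_links / alphabet_size ** token_len
    if density >= 1:
        return 1.0
    # 1 - (1 - density)^guesses, computed stably for very small densities.
    return -math.expm1(guesses * math.log1p(-density))


def min_token_length(live_links, guesses, max_hit_prob, alphabet_size=62):
    """Shortest token length that keeps the hit probability within budget."""
    length = 1
    while hit_probability(length, live_links, guesses, alphabet_size) > max_hit_prob:
        length += 1
    return length


def length_for_bits(bits, alphabet_size=62):
    """Token length needed to carry `bits` of entropy, e.g. a 128-bit value."""
    return math.ceil(bits / math.log2(alphabet_size))


def new_token(length):
    """Generate a token from the OS CSPRNG, not a predictable counter or PRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    links = 10_000_000  # link count assumed in the comment above
    print("mean guesses, 6 chars:", int(expected_guesses(6, links)))
    print("hit chance after 5680 guesses:", round(hit_probability(6, links, 5680), 3))
    # Constructed budget: 10^9 total guesses, at most a 10^-6 chance of any hit.
    print("min length for budget:", min_token_length(links, 10**9, 1e-6))
    print("length for 128 bits:", length_for_bits(128))
    print("sample token:", new_token(length_for_bits(128)))
```

The sizing assumes tokens are drawn uniformly at random; rate limiting and link expiry lower the guess budget but do not replace token length.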
Anything you give a url to you should consider to be public anyway.
Any file or folder in your Dropbox is now linkable!
But not quite yet, presumably very soon. Apparently appears in the 0.8 beta clients only, didn't see anything specific about the website (though I don't see it on my account).
So, if you feel like "I wanna share this folder to the wild world, now!", just do it! You can change your mind at any time later and the folder will be no longer accessible. Very intensive, careful design & implementation!
Can you tell us how to change that?
Remove linked items here: https://www.dropbox.com/share#tab:linked-items
"There are currently no hard limits on public bandwidth usage. We do, however, have an automated system for detecting and flagging unusual amounts of bandwidth usage. We will send an email notification whenever an account is flagged. Once flagged, public links will be temporarily disabled and users who use the links will see an error page instead of your file."
So, there's no bandwidth limit, but there's a bandwidth limit. :)
I feel like all that private data is one click away from being public. Anyone passing by my computer can right click and change a folder to a web page, when they get back to their PC, download everything.
At least before there was somewhat of a barrier, though narrow, it was there.
Do the "linked" files at least get a new bold icon with a globe on it or something so I know it's public? Do I get an email when a folder is made public? Something? What if a malicious script is run on my computer that just makes everything public in my Dropbox folder?
I imagine people will be searching Google for them, and later creating programs that just go through all the possibilities (if the hash isn't long enough), download whatever they can find, and then later go through whatever they got to see if there's anything of value.