Nowadays, you need to be concerned about the security of your data located on online storage more than ever. After all, companies, hackers, and governments are all after your information. The more we store our data online, the more acceptable to data breaches we become. It isn’t easy to find an excellent online service as the most prominent providers claim to offer more protection than you get. We are not immune at home either, with ransomware and phishing attacks putting our data at risk. When we store our data in the cloud, we must ensure that no one can access it without our permission.
Is Online Storage Secure?
Microsoft OneDrive, Google Drive, and DropBox all claim to be secure. But are they? Let’s face the fact that encryption is still the safest way to protect your data. Now Microsoft OneDrive, Google Drive, and Dropbox all offer at-rest and transit encryption as standard for all users and file types. The at-rest and transit encryption standard is known as Transport Layer Security or TLS for short.
What is Transport Layer Security (TLS)?
TLS is a widely adopted security protocol designed to aid privacy and data security for communications over the Internet. Encrypting the communication between web applications and servers, such as web browsers loading a website, is what TLS does. Also, TLS is used to encrypt other communications such as email messaging and voice-over IP (VoIP).
What Does TLS Do For Your Online Storage?
TLS has three main components: Encryption, Authentication, and Integrity.
- Encryption – Does not allow third-parties access to the data.
- Authentication – ensures that the parties exchanging the information are who they claim to be.
- Integrity – Ensures that data is intact and has not been forge or tampered with.
How Does TLS Work For Online Storage?
For TLS to work, the origin server must have a TLS certificate installed. A certificate authority issues a TLS certificate to the person or business that owns the domain. The certificate contains essential information about who owns the domain, along with the server’s public key, both of which are important for validating the server’s identity.
A process called a handshake is used o start a TLS connection. The handshake initiates when a user navigates to a that has TLS. It begins between the user’s device and the webserver:
- Specify which versions of TLS they will use (TLS 1.0, 1.2, 1.3, etc.)
- Decide on which cipher suites to use.
- Authenticate the identity of the server using the server’s TLS certificate.
- Generate session keys for encrypting messages between them after the handshake is complete.
The TLS handshake establishes a cipher suite for each communication session. The cipher suite contains algorithms specifying shared encryption keys or session keys used for this session. Now TLS can set the matching session keys over an unencrypted channel known as public-key cryptography.
Next, the handshake authenticates, usually consisting of the server proving its identity to the client. Public keys accomplished this task. Public keys are encryption keys that use one-way encryption, meaning that anyone with the public key can unscramble the data encrypted with the server’s private key to ensure its authenticity. Still, only the original sender can encrypt data with the private key. The server’s public key is part of the TLS certificate.
Now that the data is encrypted and authenticated, it is signed a message authentication code known as MAC. The recipient can then verify the MAC to ensure the integrity of the message. This process is similar to medicine bottles that have tamper-proof foils. It lets the consumer know that no one has tampered with the medicine because the foil is intact.
TLS and Website Performance
So, how does TLS impact website performance? Well, it does not impact the performance of the website at all. Because of the complex process involved in establishing a TLS connection, it does affect some load time and computational power. After all, the client and the server must repeatedly communicate before any information is transmitted. The load time takes milliseconds for web applications. However, it does slightly increase the memory on both the client and the server.
However, there are technologies in place to limit the potential latency issues created by the TLS handshake. One is known as TLS False Start, which lets the server and client start transmitting before that TLS handshake is complete. The other technology to speed up TLS is TLS Session Resumption which allows clients and servers that have previously communicated to use an abbreviated handshake.
The result is that TLS is a very fact protocol that does not noticeably impact load times. As for the computational costs of TLS, they are almost negligible by today’s standards.
End-To-End Encryption (E2EE)
I am sure that you have heard the phrase “end-to-end encryption,” especially if you are a viewer of my channel. The idea behind E2EE is that no one but you and the intended recipient has access to the information you are sending. End-to-end encryption is the most secure method available to us today.
Now you would think that this would be the standard used on the Internet today. Especially given that the data passes through many nodes and different servers before it reaches its final destination.
Is E2EE a Standard Practice Today?
While E2EE is standard practice, for the most part, it isn’t the case in the world of cloud storage. Prominent online storage providers love to talk about how they care about your data privacy. When you ask these online storage providers why they do not provide end-to-end encryption on their platform, then squirm like a politician during a tough interview.
Let’s face the fact that powerful platforms do not offer end-to-end encryption—for instance, Microsoft OneDrive, Google Drive, and Dropbox. So, while they may encrypt your data, they still have the key. Ultimately, your Online Storage provider can view your data and even use it for their purposes. The biggest question here is, do you trust them?
What is End-To-End Encryption?
End to End encryption is the process of scrambling information from the sender to the receiver so that any unwanted parties cannot understand it. When you send data through a messaging service or the cloud, the information passes onto these third-party servers before being sent to the recipient. Now your data is encrypted until it hits the recipient’s device. Thereby protecting your data from third parties, and anyone who intercepts it cannot read the content. Now, considering how much data is in the cloud and how much we rely on third parties in almost all of our interactions online, shouldn’t end-to-end encryption be an essential part of keeping your data private.
Why Don’t Major Cloud Storage Providers Offer End-To-End Encryption?
So, why don’t major cloud storage providers offer end-to-end encryption? You would think that most major could storage providers would jump at the chance to provide E2EE, especially when E2EE is a significant selling point.
They Need to Move Your Data Around on Their Servers
There are a few explanations for why cloud storage providers do not offer end-to-end encryption. The first is that they need access to your data to move the files around on their servers and make it sharable and accessible from different devices. But they could still do this with your data encrypted.
They sell your data located on their servers
The real reason is that they want to access your data because it is part of their business model. Some of the biggest tech companies make their money by using information about selling advertising or even by selling your data directly. Yes, they take subscription fees, but the real cash comes from exploiting your data. It’s no wonder why they do not want to protect your data, and it is the cornerstone of their business.
Read Their Terms and Conditions
You might be thinking, “Fair enough. That’s how online storage providers their money, and they are providing me with a free service. So, why not?” But a bigger question is why are they not open and transparent about it? After all, significant providers talk about data security and privacy all the time, but once you go into their terms and conditions, it is a different story.
These online storage providers argue that they offer encryption via the HTTPS standard and that your data is SAFE on their systems. But that does not mean that they cannot view it and sell your information. Just take a few minutes to read the privacy policies, and you will find clauses that give them free rein to do what they want with your data.
What Does This Mean For you?
You need to research online storage companies and select only those that use E2EE. There are companies out there that are capitalizing on this opportunity. However, they are not Microsoft OneDrive, Google Drive, or Dropbox. Recently, Google and Microsoft offered ways to encrypt your data, but it is an addon, and you have to activate it. It is not part of the standard package.
Let me know your thoughts in the comments below. For more articles, please click here.