I just noticed that NetDrive 3 does an automatic (user-account) synchronisation of all stored connections between desktops.
Now we know this way of Cloud synchronisation from so called secure Password Managers like the unfamous LastPass.
https://www.hackread.com/lastpass-hacked-this-time-for-good/
How are our server details / passwords - protected on the BDrive servers?
What if somebody hacks your servers and steals all customer server access data
The server details of 2 Million peoples would be instantly hacked ?
This turns BDrive in a massive hacker target.
How can BDrive guarantee that our customer data are safe?
How do you encrypt the data, which algorithms do you use?
Do you offer additional security, like user-only stored SSH keys, or is the Bdrive user account password the only protection, I guess some people use stoopid passwords, so you would need a password policy to ensure high-grade passwords.
1Password uses advanced security schemes to guarantee that the user data is safe : https://1password.com/security/
Do you offer the same security scheme ?
In NetDrive2 all my data was stored on my machine only, so using NetDrive3 could be dangerous?
Let me explain current status and where we plan to go.
Currently all user data is encrypted and stored in Amazon RDS server. Please refer to Security section of RDS product details page: https://aws.amazon.com/rds/details/
RDS provides it’s own security mechanism but we also encrypt data before sending to RDS server using securely stored key. We uses AES-256 for encryption.
For customers who do not trust our back-end system (including AWS) and want end-to-end encryption, we have plan to support Public Key based encryption. To use this scheme users generate their own public/private key and upload only public key to our server. All data is encrypted using the public key and it’s decryptable only by user’s private key. All of user’s devices must have same private key installed.
To prevent access using stolen user id and password we will send a confirm email when an attempt detected to access our server from new device. To login from the new device user must open the email and confirm by click a link we provided. Enforcing strong password policy can help but if you are concerned about login credential please use social login rather than id / password. When you use social login like Google OAuth we just stores access token and you can revoke the access token on Google Security Page any time you feel somethings wrong.
Hope this answers some of your questions.
Thanks for your interest in the security of NetDrive 3.
1 Like
I really appreciate the clear description!
Perhaps you consider to publish up a security summary page on the sales (marketing) website, so that potential “new customers” will find answers.
1 Like
Users could trust RDS, but definitely not to some key, generated for the whole database
That’s right. So we plan to provide encryption using customer’s key. User’s data will be encrypted on the client side.
Is there a timewindow for this client-side security?
I there no way to install netdrive as normal windows client without online activation?
What happens wenn your server is down?
Can I use netdrive without a connection to your server?
Here in Germany we have strict personal data rights
We plan to add client-side security before end of this year.
NetDrive 3 works only with online activation and we do not have plan to develop standalone version. For business and enterprise plans we are talking about options to include our backend servers in those plans.
Thanks for your interest in client-side security.
I just posted a topic about this but found but found this topic as well after that.
https://support.bdrive.com/t/why-is-everything-is-saved-in-my-account/40271
I for one will not agree to this kind none scene, that you have an on-line activation, I can understand,
that you save a fingerprint of the installed machine to your servers i am also OK on that.
But that all my data might be reached from an 3d party without my consent, even not with an notification if some is trying to reach my data. No two way authentication.
Who the hell you are thinking you are?? God??
This topic is from okt 2017 you say you wanted to add “We plan to add client-side security before end of this year.” well we are almost 3 months in to the new year.
Sorry for the delays. There have been stability issue we should address before the encryption. Two-way authentication will be considered too.