Dropbox Mobile Less Secure Than Desktop
Mike Cardwell found that, even though Dropbox’s FAQ said:
“All transmission of file data and metadata occurs over an encrypted channel (SSL).”
the metadata was, in fact, not encrypted when sent from the Android and iPhone clients. Indeed, for mobile clients:
“some limited file metadata (name of file, etc) are transmitted over HTTP for performance reasons.”
This should either be changed or clearly disclosed and made a preference. The FAQ has since been changed to say:
“All transmission of file data occurs over an encrypted channel (SSL).”
Although, presumably, metadata from desktop clients is still encrypted, it would be nice to have this spelled out clearly.
The Dropbox API seems to use HTTPS, so it looks as though third-party clients, such as the iPhone text editors I compared, are not affected.
Update (2011-03-14): Here’s the Votebox thread for this issue.