Is SpiderOak secure?

SpiderOak is a well-established provider and along with the now defunct Wuala, it has focused on offering a secure cloud storage solution. When Wuala was shut down in 2015, many users started looking for alternatives and SpiderOak is one of the best ones, thanks to the fact that it is a zero-knowledge cloud. They offer end-to-end encryption, which means that users encrypt and decrypt their data on their own devices. This makes SpiderOak an appealing solution for security conscious users because it implies that the provider doesn’t have access to their passwords or encryption keys and would not be able to check their data. We’ll take a closer look at the security offered by SpiderOak.

Encryption

SpiderOak uses its own encryption method so unlike the case of open source technology, the code can’t be inspected by independent parties. As such, users will need to trust that SpiderOak’s proprietary solution is truly safe as it is not possible to confirm that there are no back-doors installed into the code. You’ll just have to take their word when they say that their service is secure. However, if you don’t want to take any chances, it is important to consider additional steps to ensure that your data is protected. Before uploading your files to the cloud, it is advisable to encrypt them using an open source tool like TrueCrypt.

Still, it should be mentioned that SpiderOak offers practical functionality that TrueCrypt doesn’t support. For instance, you can encrypt and decrypt files individually. SpiderOak also supports easy syncing across multiple devices, as well as file versioning. This are convenient features that you don’t get if you only use TrueCrypt. One thing to keep in mind is that when it comes to zero-knowledge services, it is your responsibility to look after your password and encryption keys since only you have access to them. If you lose them, SpiderOak can’t help you to recover them.

The provider uses 256-bit AES in CFB mode with HMAC-SHA256 encryption. All the keys are encrypted with 256-bit AES using a key created from your password by PBKDF”, a key derivation/strengthening algorithm using sha256. A 3072-but RSA key pair is included with every account and SpiderOak has plans to use it for multi-user private collaborative and sharing functionality in the future.

SpiderOak overview

Although SpiderOak is a relatively small provider, it has gained recognition thanks to its secure online storage service. However, since the company is based in the United States, it is more vulnerable to surveillance by the NSA. This government organization is known for targeting internet services that operate in the US and many companies are forced to hand over data, or do it willingly. As previously mentioned in our review, SpiderOak has proprietary software, meaning that it can’t be independently audited to confirm that it hasn’t been compromised by the NSA or other organization. However, it should be noted that the provider has shared many of its own tools and resources with the open source community and it even aims to making its client code open source at some stage.

What are the downsides?

Although SpiderOak offers many advantages, there are some issues that should be considered. The first thing to keep in mind is that only the SpiderOak client is zero knowledge and if you access your account via the web interface, your password is provided to the SpiderOak servers. However, the company has acknowledge this as an issue and it states that the data is never written to a disk. If you access your files outside the SpiderOak app, your password has to be provided to their servers for authentication and in order to be directed to the data. Still, many people won’t consider this as a major deal, particularly since being able to access files on the go and from any location is very convenient. Although SpiderOak supported Bitcoin as a method of payment for a while, it doesn’t offer this option anymore.

Conclusion

In spite of some minor flaws, SpiderOak is an excellent service that supports convenient features. Although it uses proprietary code and it is based in the US, the company has a solid reputation as a reliable solution and so far, there hasn’t been any evidence showing that it has been compromised by the NSA. Although when you access your data remotely from outside the SpiderOak client, your password is provided to the servers, the convenience of being able to access your files from anywhere may be more important than the small security risk involved.

Leave a Reply