At first glance, Tresorit’s end-to-end file sharing service looks like it might be able to overcome its proprietary nature and win favor with some Linux users. Unfortunately, the service comes with another issue that might be an insurmountable deal breaker for some.
The FOSS Force Review
On Thursday I received an email from Eszter Szilva, a PR manager at Tresorit, which is an “end-to-end encrypted file sharing service.” She was offering an invitation to take a peek at the company’s just released client for GNU/Linux. I must admit I was a little excited by this, despite the fact that I already figured the service was also end-to-end proprietary. I was willing to ignore that, thinking it’s about time for companies to start treating Linux users with the same respect given to users of other operating systems.
A quick gander at the company website told me the service encrypts files client-side before uploading using AES, the Advanced Encryption Standard established by the U.S. National Institute of Standards and Technology. The company uses servers located in Ireland and the Netherlands, which is an important plus for those trying to stay out of the long reach of the US government. The company is headquartered in Switzerland and user data is protected under Swiss privacy laws, which offer more protection than in the US or even the EU.
The company has gone to great lengths to keep their service as unhackable as possible. In 2013 and 2014, Tresorit sponsored a hacking contest, at first offering $10,000 to anyone who could hack its data encryption system and gain access to the servers. The amount of the award was incrementally raised to a final figure of $50,000, with hackers from institutions such as Harvard, Stanford and MIT competing for the prize. After 468 days the contest was ended with no hackers breaking Tresorit’s encryption.
Users of the service can access their “tresors” (German for “vaults”) through web browsers or by client apps that are available for both desktop and mobile operating systems. Since the company recommends installing and using the client instead of a browser on the “home” computer, I wondered if there was a difference in the security levels between the two, and asked Szilva by email, “What is the advantage of using the desktop client rather than accessing through a browser?”
Her reply was that the client added functionality, but that both methods were equally secure.
“The most important advantage of the desktop client to the browser is that it allows you to sync your files automatically to your local computer (although you can switch this off, and you can also restrict which folders you want to sync automatically within a tresor). …the browser version needs manual uploads to make updates for files available. …the desktop client has several usability advantages, like drag and drop file usage, which makes the usage more native and easy. It is important though that the desktop client and web version both have the highest standard of security, based on zero-knowledge end-to-end encryption.”
The Linux client is downloaded from Tresorit’s website and installs without needing root privileges (in fact, for security reasons, the user is cautioned not to install as root). After installation, I found the interface to be simple and easy to understand, with files uploading and downloading quickly. As expected, uploaded files were immediately available on other computers logged on to my account and connected via a browser. Files can, of course, be shared, even with people having no Tresorit account.
Pricing is okay, but not particularly cheap. A small business account for 2-9 users will set you back $25 per user a month, or $15 per user for ten or more users. Single user accounts are $30 monthly. Those interested in trying the service on for size can sign up for a fourteen-day free trial.
Besides price, there are two deal breakers for many Linux users. The first is the proprietary nature of the software. Personally, I don’t have much of a problem with that, although I’d prefer an open source solution. The second, however, kills the deal for me, and I imagine will also be problematic for most FOSS advocates. Tresorit is served by way of Microsoft Azure servers.
I asked Szilva about this. “I notice you’re using Microsoft Azure, which might be a deal breaker for many open source users for a variety of reasons. Do you have any plans to move away from Microsoft’s service or to offer your service on servers not connected to Microsoft?”
As expected, the answer was negative to both questions, although she tried to put the best face possible on her answer. “Yes, we are using Microsoft Azure and changing to another provider is not on our road map at the moment. Our service uses strictly EU-based data centers (Ireland, Netherlands) that comply with the highest security standards (ISO27001, ISO27018). For enterprise clients though, we are open to support custom server setups.”
That’s too bad. I think the service the company offers would be useful to some Linux users, and I find the fact that it’s offering a Linux client refreshing. But I can’t get beyond the fact that a few pennies out of every dime I would spend with them would go into Redmond’s coffers. Maybe they’ll give me a call if and when they spin their service up on Red Hat’s cloud. I’ll give them a thumbs-up when they do. Until then, I don’t like the company they’re keeping.
Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux
Yah. It’s too bad that. On the one hand, opensourcing their unhackable software seems like it would set them up to be hacked for sure so I get that point. And then on the other hand, they bow in obeisance to redmond and they are about as unpopular as they come. But truly the 30$ single user price tag is what puts it out of my price range as well.
August 3, 2016 at 4:44 pm
>>On the one hand, opensourcing their unhackable software seems like it would set them up to be hacked for sure so i get that point.
Since when did Open Source Software become more likely to be “hacked” in the sense you just used?
When, in the article, was it even suggested that was a reason for being proprietary?
So what was your point?
If they are proprietary and they use Microsoft’s Azure, as a Linux user I feel doubly insulted. Won’t be touching their service.
I already use a proprietary service for sharing files publicly, where encryption isn’t an issue, so I really don’t need another proprietary one for any reason.
> “On the one hand, opensourcing their unhackable software seems like it would set them up to be hacked for sure so i get that point.”
That’s complete BS. Proprietary software is LESS secure than open source software.
– It can’t be audited.
– It can’t be fixed except by a single corporate entity.
– It is subject to financial and legal pressures that open source is not vulnerable to.
I really wouldn’t care where it was hosted if the code were open and RUNNING LOCALLY. Running in the cloud is a HUGE NON-STARTER for true security, privacy, and anonymity.
A big no thanks…
One thing I don’t quite understand is why FOSS Force does so many stories on proprietary software just because it happens to be available for Linux. If we all root for Linux but cheer for proprietary software packages on top of it, then we have gained nothing over Windows, OS X, Chrome, or iOS.
I don’t trust the EU either.
Why should be obvious to anyone who watches the news.
I used to use Copy for some stuff I wanted backed up off site. But I never trusted their client side encryption. I always encrypted the data before adding it to the Copy folder.
This sounds too dogmatic to me. If the company delivers an optional to use, secure service, that works on Linux without requiring installation of proprietary bits, it is okay by me.
Applying a strict purity test to every service and site would negatively affect my productivity and quality of life.
> “If the company delivers an optional to use, secure service, that works on Linux without requiring installation of proprietary bits, it is okay by me.”
Security through any centrally controlled proprietary technology is no security at all.
I would prefer a system where every bit and packet is guaranteed to only go through free and open software on free and open hardware, and which is always open to audit and inspection by users. Still looking for one.
Oh gee, lookay’all here bickering over proprietary or open. Really, it’s time for all you Foss folks to get a grip. If it works and does its job, most of us don’t care whether it’s closed, open, or split down the middle. As for EU vs USA. Perhaps you should watch more carefully your own domestic issues and worry about those.
August 5, 2016 at 3:18 am
>>>Really, it’s time for all you Foss folks to get a grip. If it works
And you can tell it works because it encrypts your files and stores them on a remote server, from which you can recover those files.
>>>and does its job,
Its job being to keep your data private and secure. So how do you know it’s doing its job, when no trusted 3rd party can validate the code, or in any other way determine if there are, or are not, back doors?
You have only the word of the corporate entity that owns the code.
>>>most of us don’t care whether it’s closed, open,
And that is your prerogative, the choice you are free to make. But what you can never know – and why us FOSS folks get our knickers in a twist about it – is what is really going on in the code.
> ” If it works and does its job, most of us don’t care whether it’s closed, open, or split down the middle.”
…and that’s your loss. You have no idea if it works at all.
Just because you are oblivious and naive doesn’t mean we all have to be.
Only open source can be validated.
Closed source is just a blind gamble on the goodwill of a corporate entity and the governments in whatever regions it is subject to.
Guys, if somebody you’ve never seen before shows up on a site with “FOSS” in its name to immediately heckle the readership for preferring FOSS, and closes his post with a vaguely xenophobic, vaguely political comment, he’s a troll. Don’t feed him.
Not repudiating ignorant comments from trolls can lead to people thinking their statements are valid.
Case in point: Donald Trump.
The article only says “runs on Azure”. It could still be running on Linux, which is supported on the Azure platform.
@nightflier Doesn’t matter. Azure is still a Microsoft owned company. I, for one, don’t want my money to be going to Microsoft. I’m sure I’m not alone with that thought.