2

I tried to use sync.com for its advertised zero knowledge. But I'm skeptical. If I create a link without a password and share it with a text message, my friend who gets this link is able to download the document and view the content. However, my friend doesn't know my password. Therefore, I conclude that once I create a link, it means sync.com creates an unencrypted copy of my document on their cloud (COMPLETELY UNENCRYPTED). Therefore creating links (without passwords) essentially defeats the purpose of zero knowledge. Is this correct? So sync.com cannot claim zero knowledge for links and should explicitly state so.

user234342

1 Answer

3

I've only looked at this briefly, but a sync link looks like this:

https://ln2.sync.com/dl/84d6f6440#4m2d2kjd-5gvmbx6i-zb4ersxn-d585kpiw
                                 ^

The characters after the hash (the fragment) are not sent to the server. I expect the server uses the ID in the path to fetch the encrypted file, and the fragment is used as a key for client-side decryption.

paj28
  • I don't know about sync.com, but I am pretty sure Firefox Send (send.firefox.com) works this way, so it certainly sounds plausible. In fact until I read about the innards of Firefox Send it never occurred to me that the browser does not (need to) send the anchor (fragment?) string to the server. –  May 11 '20 at 00:51
  • 1
    @sitaram - "fragment" - that was the word I couldn't remember! – paj28 May 11 '20 at 04:54
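
The split the answer describes, as an added example that is not part of the original answer and is not sync.com's code: it takes the link quoted above, builds the request a plain GET would carry, and contrasts it with a constructed `?key=` variant (hypothetical, not a format sync.com is known to use). Function names are illustrative.

```javascript
// Link as quoted in the answer above.
const SHARE_LINK =
  'https://ln2.sync.com/dl/84d6f6440#4m2d2kjd-5gvmbx6i-zb4ersxn-d585kpiw';

// Split a link into what goes on the wire and what stays in the client.
function splitLink(link) {
  const u = new URL(link);
  return {
    host: u.host,
    // Request target is path + query; the fragment is never part of it.
    requestTarget: u.pathname + u.search,
    // Client-only material, without the leading '#'.
    fragment: u.hash.slice(1),
  };
}

// The request a client would send for a plain GET (other headers omitted).
function httpRequestFor(link) {
  const { host, requestTarget } = splitLink(link);
  return `GET ${requestTarget} HTTP/1.1\r\nHost: ${host}\r\n\r\n`;
}

// True if the secret appears anywhere in what the server receives.
function serverReceives(link, secret) {
  return httpRequestFor(link).includes(secret);
}

// Constructed contrast: the same secret moved from the fragment
// into the query string, where it does travel with the request.
function asQueryLink(link) {
  const u = new URL(link);
  const key = u.hash.slice(1);
  u.hash = '';
  u.searchParams.set('key', key);
  return u.toString();
}

const secret = splitLink(SHARE_LINK).fragment;
console.log(httpRequestFor(SHARE_LINK));
console.log('fragment link exposes key to server:',
  serverReceives(SHARE_LINK, secret));
console.log('query link exposes key to server:',
  serverReceives(asQueryLink(SHARE_LINK), secret));
```

The fragment stays out of the request, but script served by the page can still read it through `location.hash`. The property therefore holds only as long as the delivered client code does not send the fragment back.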