Dropbox Business security A Dropbox whitepaper
ceuH305Fj7t
ceuH305Fj7t
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
<strong>Dropbox</strong> <strong>Business</strong> <strong>security</strong><br />
Discovery engine<br />
Each machine on the LAN periodically sends and listens for UDP broadcast packets over port 17500 (which is<br />
reserved by IANA for LAN sync). These packets contain the version of the protocol used by that computer; the<br />
personal and shared <strong>Dropbox</strong> folders supported; the TCP port that’s being used to run the server (which may be<br />
different from 17500 if that port is unavailable); and a random identifier for the machine. When a packet is seen, the IP<br />
address of the machine is added to a list for each personal or shared folder, indicating a potential target.<br />
Protocol<br />
The actual file block transfer is done over HTTPS. Each computer runs an HTTPS server with endpoints. A client will<br />
poll multiple peers to see if they have the blocks, but only download blocks from one server.<br />
To keep all of your data safe, we make sure that only clients authenticated for a given folder can request file blocks.<br />
We also make sure that computers cannot pretend to be servers for folders that they do not control. To solve for<br />
this, we generate SSL key/certificate pairs for every personal <strong>Dropbox</strong> or shared folder. These are distributed from<br />
<strong>Dropbox</strong> servers to the user’s computers that are authenticated for the folder. The key/certificate pairs are rotated any<br />
time membership changes (for example, when someone is removed from a shared folder). We require both ends of<br />
the HTTPS connection to authenticate with the same certificate (the certificate for the <strong>Dropbox</strong> or shared folder). This<br />
proves that both ends of the connection are authenticated.<br />
When making a connection, we tell the server which personal <strong>Dropbox</strong> or folder we are trying to connect for by using<br />
Server Name Indication (SNI) so that the server knows which certificate to use.<br />
Server/client<br />
With the protocol described above, the server just needs to know which blocks are present and where to find them.<br />
Based on the results of the discovery engine, the client maintains a list of peers for each personal <strong>Dropbox</strong> folder<br />
and shared folder. When the LAN sync system gets a request to download a file block, it sends a request to a random<br />
sample of the peers that it has discovered for the personal <strong>Dropbox</strong> or shared folder, and then requests the block<br />
from the first one that responds that it has the block.<br />
6