Introducing the zero-knowledge Tresorit Web Access
Today we are introducing a feature that many of our users have requested: Tresorit Web Access is an encrypted, zero-knowledge way to access your files from a browser. It lets you open your files stored in Tresorit without installing the app and makes it easier to safely work remotely.
Read on to learn how we ensure that Tresorit Web Access is safe and truly secure. We’d also like to share with you three simple tips that are important to help you protect your data in a browser from malicious attacks.
An end-to-end encrypted browser access
Tresorit Web Access was created with the same security standards as other Tresorit apps: your files can be accessed in a zero-knowledge environment. Your password and unencrypted data are processed only on your device (‘client-side’), never leaving your browser. No one else – including Tresorit admins – can access them.
Tresorit applies industry-standard cryptography protocols in the browser. Encryption keys are generated similarly to our desktop and mobile applications. No hacker has ever breached this process, not even when we offered $50,000 for doing so, giving attackers admin rights. We rely on widely used open-source libraries (OpenSSL or NSS) configured to our security standards.
Tresorit Web Access protects your data much better than other browser-based solutions. See how it works:
When you log in to Tresorit, your password doesn’t leave your browser. In other words, it’s not sent to our servers. Achieving this is very difficult. Even other ‘zero-knowledge’ providers (e.g. SpiderOak) admit that their browser access is not ‘zero-knowledge’, as they handle your password. The same goes for the big guys, like Dropbox, Google Drive and Box.
What do we do differently?
- During a challenge-response protocol we gather proof that you have the correct password and serve you your encrypted profile stored on our servers. Visit our FAQ for a detailed description of how we handle passwords.
- We decrypt your profile on your device with the password you entered. Using that we generate your device certificates – 4096-bit RSA keys. The device certificates are sent for signing (SHA512) to the server.
- The connection to the server is secured by TLS. Unlike other Tresorit platforms, you can’t authenticate yourself by using JavaScript when logging in from a browser. Instead, we set up an encrypted and signed channel within the TLS connection and its protocol matches the authentication features of other Tresorit apps’ TLS. This ensures that accessing your account through a browser offers similar security to other Tresorit platforms.
- This process establishes your authenticated and secured connection to Tresorit servers. Only you have the secret keys required to decrypt your files stored in the cloud. Neither your encryption key, nor decrypted data is revealed to our servers.
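As an added illustration (not Tresorit's code or its actual protocol, which this page does not specify), the sketch below shows a generic challenge-response login in which the server only ever receives a password-derived proof, never the password. The function names, the PBKDF2 parameters and the HMAC construction are assumptions made for this example.

```javascript
// Added illustration of a generic challenge-response login; not Tresorit's
// protocol. All function names and parameters here are hypothetical.
const crypto = require('node:crypto');

// Client side: stretch the password, then split the result into two
// independent keys so the authentication key cannot decrypt the profile.
function deriveKeys(password, salt) {
  const master = crypto.pbkdf2Sync(password, salt, 100000, 32, 'sha512');
  const label = (l) => crypto.createHmac('sha512', master).update(l).digest();
  return { authKey: label('auth'), profileKey: label('profile').subarray(0, 32) };
}

// Server-side record: salt and auth verifier only, no password, no profileKey.
// Caveat: in this simple scheme the stored verifier is login-equivalent if the
// server database leaks; PAKE protocols such as SRP or OPAQUE avoid that.
function register(password) {
  const salt = crypto.randomBytes(16);
  return { salt, authKey: deriveKeys(password, salt).authKey };
}

// Server issues a fresh random nonce per attempt so old responses cannot be replayed.
function newChallenge(account) {
  return { salt: account.salt, nonce: crypto.randomBytes(32) };
}

// Client answers the challenge; only this MAC travels over the wire.
function respond(password, challenge) {
  const { authKey } = deriveKeys(password, challenge.salt);
  return crypto.createHmac('sha512', authKey).update(challenge.nonce).digest();
}

// Server recomputes the expected response and compares in constant time.
function verify(account, challenge, response) {
  const expected = crypto.createHmac('sha512', account.authKey)
    .update(challenge.nonce).digest();
  return response.length === expected.length &&
    crypto.timingSafeEqual(response, expected);
}

// One full login round trip using constructed sample passwords.
function demoLogin(storedPassword, attemptedPassword) {
  const account = register(storedPassword);
  const challenge = newChallenge(account);
  return verify(account, challenge, respond(attemptedPassword, challenge));
}
```
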
Three simple steps for better online security
- Protect your password
Never enter your password on a device you don’t fully trust and don’t log in from a shared or a public device. Otherwise, your password can easily be stolen by attackers – this is what happened recently to Carbanak victims. To circumvent this risk, use native Tresorit apps whenever possible. You can download Tresorit for your device here.
- Protect your account
We recommend setting up 2-Step Verification for your Tresorit account and checking failed login attempts regularly to make sure no suspicious attempts were made to log in to your account. You can access both features through your account portal, available from both native apps and through Web Access.
- Update your browser
Even the most modern browsers need to be updated to their latest versions before you use them. Since browsers change versions often, you need to upgrade them regularly. If you are not sure what to do, please contact your system administrator.
We support only the following browsers from which you can access your Tresorit account: Internet Explorer 11 (and up), Firefox 35.0 (and up), Chrome 38 (or higher), Opera 18 (and up) and limited access for Safari 8 (and up). Take it for a spin today!