Secure cloud storage outfit Tresorit posts $10K hacker bounty

Popular cloud storage services such as Dropbox and Google Drive are terrifically easy to use, but only boast middling security (hence the existence of third-party client-side encryption services such as BoxCryptor). However, there are many rivals out there that offer much stronger client-side security and anonymity — LaCie’s Wuala, SpiderOak and Kim Dotcom’s Mega all spring to mind.

So, if you’re an upstart in this business with serious security chops, how do you set yourself apart? Do what Tresorit is doing, and offer a bounty to any hacker who can breach your cryptography.

Tresorit was founded in 2011, received $1.7 million in funding last year from Euroventures and nine private investors, and is now freshly out of closed beta, with its storage being based on Azure. The firm has strong security cred as a spinoff of Hungarian security outfit CrySyS Lab, which was responsible for identifying the notorious Duqu worm. And Tresorit is so sure of itself that, from April 15th, it will offer a $10,000 reward to any hacker that busts its cryptography.

“We’re positioning ourselves as an enterprise or small and medium business solution, but right now we’re targeting consumers too, because we need to reach credibility,” CEO István Lám explained to me. “That’s why we’re starting this campaign where we offer $10,000 to the first one who can hack this encryption.”

Crypto challenge

One issue with some Tresorit rivals, such as Mega and Wuala, is that they use something called “convergent encryption”, which essentially means they can deduplicate the stuff their customers are storing on their systems. In the case of Mega, whose customers frequently use the service for storing movie files (entirely legally, of course), this helps avoid a situation where the same multi-gigabyte file is stored thousands of times, thereby keeping down Mega’s costs.

Some security specialists are wary of this approach because they fear it can undermine user privacy.

“If 10,000 people upload the same movie to Mega, they only have to store one file,” Lám said. “That leaks information about who has the same file – you can track one [piece of] information from another. So, from the very beginning, we dropped the idea of convergent crypto because that’s simply unacceptable for us.”
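The trade-off described above can be seen in a small sketch, added here as an illustration and not taken from Tresorit, Mega or Wuala. It assumes a textbook convergent scheme in which the key is a hash of the file content, uses a toy SHA-256 keystream as a stand-in for a real cipher such as AES, and runs on constructed sample uploads; all function names are hypothetical.

```python
import hashlib
import os
from collections import defaultdict


def _xor_stream(key, nonce, data):
    # Toy stream cipher (SHA-256 in counter mode), a stand-in for a real cipher such as AES-CTR.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)


def convergent_encrypt(plaintext):
    # Key and nonce depend only on the content: same file -> same ciphertext.
    key = hashlib.sha256(b"key|" + plaintext).digest()
    nonce = hashlib.sha256(b"nonce|" + key).digest()[:16]
    return key, nonce + _xor_stream(key, nonce, plaintext)


def random_key_encrypt(plaintext):
    # Fresh random key and nonce per upload: same file -> unrelated ciphertexts.
    key, nonce = os.urandom(32), os.urandom(16)
    return key, nonce + _xor_stream(key, nonce, plaintext)


def decrypt(key, blob):
    # The first 16 bytes of a stored blob are the nonce.
    return _xor_stream(key, blob[:16], blob[16:])


def provider_view(uploads, encrypt):
    """Return (distinct blobs stored, groups of users holding the same blob)."""
    holders = defaultdict(set)
    for user, plaintext in uploads:
        _key, blob = encrypt(plaintext)  # the key never leaves the client
        holders[hashlib.sha256(blob).hexdigest()].add(user)
    linked = sorted(sorted(users) for users in holders.values() if len(users) > 1)
    return len(holders), linked


# Constructed sample uploads: alice and bob store the same file.
MOVIE = b"constructed sample movie bytes " * 100
UPLOADS = [("alice", MOVIE), ("bob", MOVIE), ("carol", b"constructed private notes")]

if __name__ == "__main__":
    print("convergent:", provider_view(UPLOADS, convergent_encrypt))
    print("random key:", provider_view(UPLOADS, random_key_encrypt))
```

With convergent encryption the provider stores two blobs for three uploads and can tell that alice and bob hold the same file without decrypting anything; with per-upload random keys it stores three blobs and learns no such link.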

Of course, Tresorit is ultimately going for a somewhat different user base; one that demands secrecy but that isn’t necessarily going to be uploading dozens of bulky movies. As such, while Mega famously offers 50GB of free storage, Tresorit’s free option maxes out at 5GB…

… Although, if you’re reading this before 23:59 GMT on May 20th 2013, you can get a free 50GB Tresorit account for life by signing up here. Just thought I’d mention that. Anyway…

In terms of business-friendly features, Tresorit uses public key cryptography to establish keys between people, so users can share access to files without sharing passwords. There are no master keys for bosses, but Lám said the company will soon introduce a “threshold cryptography” system, where at least two managers will need to be present in order to decrypt and open an employee’s account.

Right now the client is only available for Windows, but OS X, iOS and Android versions will arrive before June, as will the first paid-for premium Tresorit accounts. Lám declined to reveal the pricing or capacity for these accounts ahead of that launch.