> Tresorit had a game-over vulnerability:
I would still (for now, at least) trust Tresorit over any of the US jurisdiction services. I wouldn't put my data on US jurisdiction servers no matter how much money you gave me.
I am, for now, tempted to say we should get a detailed explanation from Tresorit before jumping to conclusions.
It seems to me the author of the website made many assumptions; it is not clear if they entered into any sort of meaningful dialogue before publishing.
> any attempt to share a directory allows the server to share that directory with itself
Surely this is by definition required?
If you wish to share a file or a directory with somebody external from your organisation via a simple link, how, exactly, do you envisage that happening without granting the Tresorit server permission to be the intermediary?
Sure, you could, theoretically, mandate those third-party people to install software on their devices, or to register an account or whatever. But let's face it, in the real world, if you want to share a file or directory as a one-off with someone? And forcing people to do extra steps for a one-off share is just introducing friction. Also, some people can't install random software on their computers due to corporate policies.
I really don't care about this jurisdiction stuff; I'm just here to talk about the cryptography, which, in the case of Tresorit, is not great.
The paper itself seems not to agree with you: “Tresorit’s design is mostly unaffected by our attacks due to a comparably more thoughtful design and an appropriate choice of cryptographic primitives.”
They have a lot of attacks. Most of these systems are completely clownshoes. But Tresorit appears to be vulnerable to their most severe attack.
> I wouldn't put my data on US jurisdiction servers no matter how much money you gave me.
Just to be clear: Tresorit's storage provider is American. As of 2024, 3 of the geographical locations they offer are part of the Five Eyes. 3 more have data sharing agreements with the US, which leaves three locations that aren't the default, and you need Business+ to switch to another.
I hope you made sure that your data is indeed stored in Switzerland or the UAE!