Any reason not to use filen if I don’t care about the slow upload

Not really. I’ve been using it for a while and it has been great. The only thing I can think of is that they are still a very new company; therefore, they can’t be compared to larger, more established cloud services.

Despite this, they are growing very well (from my view), and they are planning to offer B2B (business-to-business) services. This means there will be more income, therefore increasing Filen’s ability to grow.

Here is an interesting conversation concerning them. You need to decide for yourself if you’re willing to trust them.

Filen has a poor implementation of cryptography. Bad security.

Could you please provide evidence of this?

Another thing to keep in mind, they have said that they are planning to get an audit in the near future. This audit will reveal any security problems (if any).

I think they have fixed it.

I’ve been tempted to write up a blog post considering how many people seem to be promoting Filen. I’ve been extremely busy though, and I hoped they’d disclose the issues publicly. They never did as far as I’m aware.

In summary, they weren’t authenticating ciphertexts when using AES-CBC (an unauthenticated mode), they used an insecure password-based KDF, the way they derived IVs was very weird and may have led to reuse, they weren’t doing client-side password hashing properly, and they used an insecure random number generator. Things like lack of authentication and an insecure random number generator are cryptography 101 type things a developer should know about from doing basic reading (e.g. just library documentation, not even touching blog posts, online courses, or books).

According to this person, assuming he is in fact telling the truth, Filen is not transparent about their internal problems with security.

They already had an audit.

They have stated that they are getting another audit in the near future, as the previously audited area has been completely rewritten.

“They should have fixed all of those yes” and it’s from 2021

I would still not trust a new player who has made bad cryptographic decisions and isn’t totally transparent. I would consider it in the future maybe.
