Hi there,

I have tried a few things with the problem I found. This problem could lead to losing your secret keys to everyone. Therefore an attacker could possibly get all your content which you sync.

Here is the exact setup.

Server side: I1.1.48 on debian (will update later)
internal IP: 192.168.1.2
config:

{
  "device_name": "serverT",
  "storage_path": "/var/lib/btsync",
  "listening_port": 4321,
  "check_for_updates": false,
  "use_upnp": false,
  "download_limit": 0,
  "upload_limit": 0,
  "disk_low_priority": true,
  "lan_encrypt_data": true,
  "lan_use_tcp": false,
  "rate_limit_local_peers": false,
  "folder_rescan_interval": 600,
  "webui": {
    "listen": "0.0.0.0:8888",
    "login": "myuser",
    "password": "mysecurepassword"
  }
}

You can see that my local port is 8888 and the listening port is 4321. In my router only 4321 is forwarded to this debian box.

If you open 192.168.1.2:8888/gui and put in the basic auth, everything is working as expected. You get the web GUI and see all the secrets.

BUT this is insecure:

Open 192.168.1.2:4321/gui --> nothing will happen first time (invalid request)
Open 192.168.1.2:4321/gui again --> basic authentication is requested (you put it in here)
Open 192.168.1.2:4321/gui again --> nothing will happen
Open 192.168.1.2:4321/gui again --> Full access

This behaviour applies to the external IP too. Therefore your secret content relies only on your chosen login/password. If I can get this right, I see all the secrets and can add your share to my box (and all your data is transferred to me).

Running basic authentication over HTTP is usually a bad idea, because it is a cleartext protocol. The login/password can be sniffed.

Therefore there should be no way to get to the GUI on the listening port. Or at least give out an advisory which informs the users that their data might be at risk.

As long as this is not fixed, the listening port should not be publicly open to the internet.
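A way to check your own machine for the behaviour reported above, as an added example that is not part of the original post and not BitTorrent Sync code: it sends unauthenticated requests for /gui to a port several times and reports whether anything answered in HTTP. The function names and the sample replies are assumptions made for this sketch; no credentials are sent.

```python
import socket

# Constructed sample replies for illustration, not captured from a real btsync host.
SAMPLE_CHALLENGE = b'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="gui"\r\n\r\n'
SAMPLE_PAGE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
SAMPLE_NOT_HTTP = b"\x00\x01binary peer protocol reply"


def classify(raw: bytes) -> str:
    """Map a raw reply to 'no-http', 'auth-challenge', 'page-served' or 'other-http'."""
    if not raw.startswith(b"HTTP/"):
        return "no-http"
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    fields = status_line.split(" ", 2)
    status = fields[1] if len(fields) > 1 else ""
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if status == "401" and headers.get("www-authenticate", "").lower().startswith("basic"):
        return "auth-challenge"
    if status.startswith("2"):
        return "page-served"
    return "other-http"


def probe(host, port, path="/gui", attempts=4, timeout=3.0):
    """Send unauthenticated GETs and classify each reply.

    Repeated because the post reports a different answer on each attempt.
    """
    results = []
    for _ in range(attempts):
        raw = b""
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}:{port}\r\n\r\n".encode())
                while len(raw) < 8192:
                    chunk = sock.recv(4096)
                    if not chunk:
                        break
                    raw += chunk
        except OSError:
            pass  # refused, timed out or reset: keep whatever was read
        results.append(classify(raw))
    return results


def gui_reachable(results):
    """True if any attempt got an HTTP answer, i.e. the port speaks HTTP at all."""
    return any(r != "no-http" for r in results)
```

Calling `probe("192.168.1.2", 4321)` from the LAN, and again against your external address from outside, shows whether the forwarded listening port answers with an HTTP auth challenge; any result other than `no-http` on that port matches what the post describes.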