morganizer

  1. Well, this could easily be solved by some form of "acknowledge a new pair" or "lock the token ring down" (by folder). I do not fear anything in regards to the initial secret and how it is set up; it's very clever. But you have to agree that a feature where you have, for example, shared the secret with 2-3 machines and then locked it down would be clever. And it could be as simple as adding an encrypted cert to that folder, for what I know, where the encrypted cert can be A. "Open for business" or B. Tell new clients that this folder is now closed. Then there would be no need for servers, and you are right that the initial person that shares a folder should be the folder's keeper (the one that can state if it's open for sharing or locked to previously shared clients). It's the last piece of the puzzle, I think, for a big audience. Sent from my iPad using Tapatalk
  2. Thanks guys! Great to get the feedback and that the forum is lively. Wonderful. However, I see, GreatMarko (I read all the referred links), that you guys in team BitTorrent have taken a "stand" on the security aspect of the sync client; however, 33 chars is not that much when there are millions of users online using the BitTorrent Sync client. The security will dramatically drop with the amount of users "in the future if this becomes a huge success". The point is that it should be rather technically simple to do the following (just an idea): the user adds a directory/folder and in the (i) sets a "switch" to open. This switch automatically drops to closed when a new "client" has been added. When or if you want more than 1 pairing to the folder, you can "open the switch" or "keep it turned on". Now what would happen is in fact a certificate download. So the first paired "client" will then download an encrypted cert from the host client. And to answer the "another user can just call their folder or client name the same": it should be a very good practice to force a client ID. This is anonymous and is used "instead of a username". Well, just ideas really, since I love the concept. I have spent 5 minutes on this thought but am working with partial security-related issues and would LOVE for innovative souls like the BitTorrent team to re-think their software strategies ahead of time and not make a Y2K blunder like old-school banks :-) This idea might be huge, and then make it perfect or add "voting possibilities" on your forum so you can see the feedback from the users. Then the users decide (which will make the success of the sw anyhow). Sent from my iPad using Tapatalk
  3. Hi, I love the project of a BitTorrent sync program and have tested it for a couple of days. My main concern is in regards to security. Perhaps I do not understand "all as of yet", or perhaps I have some valid points. Anyhow, thanks for enlightening me if needed :-) Today on iOS you can't make your own unique secret if you want to back up your images. The secret is then predefined based on 33 characters. If I then add this to my computer it of course works, but what stops other users from adding random 33-character strings? I mean, as of now the chance of finding anything is slim, but as users grow without a secondary secret there is a big security issue here (or isn't there?). The big question is: can anybody add my secret, or is it just on that one remote computer? If anybody can add this secret, the only way to "see" if people are sniffing (syncing) is to check your device list, I guess? This could all be super safe if a username alias were added to the secret. Then you would have it safer than any username/password system on the net. However, when there is only 1 phrase and when the phrase is as short as 33 characters, I agree that it's impossible to "find targeted people" in this system, but it would be rather simple to just make a script adding random "secrets", checking if a sync starts, and then, like phishing, "you see what you get", like other people's "photos". My other point is that you can set VERY large secrets on the Mac/Windows clients for full shares, but "read only" is always left as 215 characters. Then it doesn't matter if you want a super-safe share increasing the "secret" to 512 characters, because the read-only is always based on 215 characters. So in other words, as long as you don't open for "your own secret" also on read-only, then the "make your own secret" on full shares has no potential "enhanced security value".
     I know lots of answers will debate how strong an encryption is, but usually encryption will be super strong if you add two dimensions to it, like username + password. Besides, when I can't change the read-only password (Mac), then I have to rely on the algorithm made by the makers of the BitTorrent Sync client, while I tend to use my own algorithms. I ask this because I see A LOT of potential in the app and hope to have a good forum chat in regards to security. I tried to search for this before I posted, so I hope I do not repeat too many answered questions here. Thanks! In simpler words: secrets would work great if, when someone adds a secret, the hosting party is "alerted" with a "This user wants to add this folder - Do you allow this as the hosting party?". Then the only thing that can happen is like on Skype, where you sometimes get random users sending 1 message and you have to "block them". So having a userName in the app would be a smart move anyhow, I guess.