Latest Sync Build: 1.1.70



This is correct.

Full Access secrets begin with an A

Read Only secrets begin with a B

One Time secrets begin with a C

Hi, what happens if I am generating my own (longer) secrets on the Linux command line - can I just add an A/B/C to make it full/read only/one time?

I have been generating random secrets this way without prepending the A, B or C for a while and it seems to work ok for full access.

P.S. Love the software, it's exactly what I have been looking for for a long time. :)


Hi there,

I have BT Sync running on my Debian box and forwarded the specific port through my router, e.g. 4321.

As far as I know, this port is used for connecting devices (like an own BT server). I have forwarded the port 4321, and not 8888.

In my local network I can access the WebGUI through my internal IP. Let's say 192.168.1.2:8888. There I have to put in my account name/password. That's OK so far.

BUT:

Why is the WebGUI listening on the external port? If you open a connection to your externalIP and the given Port (4321 in my setup) you get:

invalid request

If you enter the externalIP, the given port and the directory "gui" you can reach the web frontend. This one is only protected by the given basic authentication, which should only be reachable from the local network. Sure, you don't see your shared folders, because it displays only an empty list. But this could potentially expose your secret share codes?

Furthermore, running basic auth over a non-SSL connection (for external use) isn't the best way, because an attacker could sniff the data.

Inside my local network I am not concerned about basic authentication, because I know every participant.

In my opinion there should be no WebGUI on the chosen BT Sync port.

Edited by tavoc

Surely the first letter does not control the secret's function.

It doesn't control it, but it does designate the type of key. Changing A to B will not change the function as it will invalidate the rest of the key. You can see this by comparing the full key for a folder you already have to the read-only key that it gives you if you ask for it. It's just a human-readable thing. They do the same thing with credit cards. Visas always start with 4 (MC with 5, AmEx 3, Discover 6). Changing the first number doesn't change the card type. It invalidates the number because there is a built-in checksum.


Why is the WebGUI listening on the external port? If you open a connection to your externalIP and the given Port (4321 in my setup) you get:

invalid request

If you enter the externalIP, the given port and the directory "gui" you can reach the web frontend. This one is only protected by the given basic authentication, which should only be reachable from the local network. Sure, you don't see your shared folders, because it displays only an empty list. But this could potentially expose your secret share codes?

You can have more than one http server in your box, and 80 is the default port number for the service.

http://yourdomain/ == http://yourdomain:80/

If you have a second http server, then you need to use a different port number, say 8888, to distinguish it from the first one. BTSync has an http server in itself, and it uses port 8888. This has nothing to do with the external accessibility.

So what you have to do is to close port 8888 at your router / firewall.


Letter convention is wrong, I have several shared folders between my works and my house networks (domain and working group), so using LAN and internet connections:

Full Access secrets begin with an A, J, 7, Y and Z

Read Only secrets begin with a B and R

One time is not in use in my case.

I use Windows version in version 1.1.48.


You can have more than one http server in your box, and 80 is the default port number for the service.

http://yourdomain/ == http://yourdomain:80/

If you have a second http server, then you need to use a different port number, say 8888, to distinguish it from the first one. BTSync has an http server in itself, and it uses port 8888. This has nothing to do with the external accessibility.

So what you have to do is to close port 8888 at your router / firewall.

I know that I can have multiple Web Servers on my Box. But this is not the point.

All ports are disabled in my router, except 4321.

It is ok to connect to port 8888 from inside my network, because this is how it should work.

But it is wrong that a BT Sync webserver is listening on the BT Sync port (the one for tracker and so on). Try it yourself. On this specific port, which you have to forward through the firewall, there should be no GUI, but there is.


This one here is OK:
internal Webserver: 192.168.1.2:8888


This one is not:
Port for BT Sync: 4321

external Webserver: externalIP:4321/gui
internal Webserver: 192.168.1.2:4321/gui


Letter convention is wrong

Full Access secrets begin with an A, J, 7, Y and Z

Read Only secrets begin with a B and R

No, the lettering convention I indicated in my previous post is NOT wrong!

...you are simply seeing the backwards compatibility that is still present in Sync to allow Secrets from earlier versions (before one-time secrets were introduced) to still be valid!

Generated secrets in early versions of Sync (before one-time secrets were introduced):

Full Access: 20 bytes in base32

Read Only: R + 20 bytes in base32

Generated secrets in more recent versions of Sync:

Full Access: A + 20 bytes in base32

Read Only: B + 20 bytes in base32

One Time: C + 20 bytes in base32

...which is why your read-only secrets that begin with R are still valid, and your full access secrets starting with J, 7, Y, and Z, etc are still valid - check the length of your secrets to confirm! - you are simply using older secrets!

The current lettering convention I outlined in my last post is the convention that is in use in current Sync builds.

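The length and prefix rules from the post above, written out as an added Python example (not code from the thread or from BitTorrent Sync). The function names and sample secrets are constructed for illustration, and it assumes secrets use the RFC 4648 base32 alphabet:

```python
import base64

B32_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")  # assumed RFC 4648 alphabet
BODY_CHARS = 32  # 20 bytes = 160 bits, 5 bits per base32 character
CURRENT_PREFIXES = {"A": "full access", "B": "read only", "C": "one time"}


def classify_secret(secret):
    """Classify a secret by the length/prefix convention described in the thread."""
    s = secret.strip()
    if not s or set(s) - B32_ALPHABET:
        return "not base32"
    if len(s) == BODY_CHARS:
        # Early builds: a full-access secret is the bare 20 bytes, so its first
        # character is just data and can be any base32 symbol (J, 7, Y, Z, ...).
        return "full access (early format)"
    if len(s) == BODY_CHARS + 1:
        if s[0] in CURRENT_PREFIXES:
            return CURRENT_PREFIXES[s[0]]
        if s[0] == "R":
            return "read only (early format)"
        return "unknown prefix"
    # Any other length does not match a Sync-generated secret, e.g. a longer
    # self-generated one; per the thread, a leading A/B/C is no type marker there.
    return "non-standard length"


def sample_body(byte_value):
    """Constructed 20-byte body (one repeated byte), base32-encoded."""
    return base64.b32encode(bytes([byte_value]) * 20).decode("ascii")


if __name__ == "__main__":
    body = sample_body(0x4F)  # constructed sample; encodes to a string starting with "J"
    for s in (body, "R" + body, "A" + body, "B" + body, "C" + body, "A" + body * 2):
        print(f"{len(s):3d} chars  {s[:6]}...  {classify_secret(s)}")
```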

It doesn't control it, but it does designate the type of key.

Right. So the letter scheme only relates to secrets generated by BTSync itself, and generating secrets by some other means and then just adding letters to it in the hope of making them read-only-secrets (as Shagaroo suggested) won't work and is not necessary either, which was my point.


Hi there,

I have tried a few things, with the problem I found.

This problem could lead to losing your secret keys to everyone. Therefore an attacker could possibly get all your content, which you sync.

Here is the exact setup.

Server side: I1.1.48 on Debian (will update later)

internal IP: 192.168.1.2

config:


{
  "device_name": "serverT",
  "storage_path" : "/var/lib/btsync",
  "listening_port" : 4321,
  "check_for_updates" : false,
  "use_upnp" : false,
  "download_limit" : 0,
  "upload_limit" : 0,
  "disk_low_priority" : true,
  "lan_encrypt_data" : true,
  "lan_use_tcp" : false,
  "rate_limit_local_peers" : false,
  "folder_rescan_interval" : 600,
  "webui" :
  {
    "listen" : "0.0.0.0:8888",
    "login" : "myuser",
    "password" : "mysecurepassword"
  }
}

You can see that my local port is 8888 and the listening port is 4321.

In my router only 4321 is forwarded to this debian box.

If you open 192.168.1.2:8888/gui and put in the basic auth everything is working as expected. You get the web GUI and see all the secrets.

BUT this is insecure

Open 192.168.1.2:4321/gui --> nothing will happen first time (invalid request)

Open 192.168.1.2:4321/gui again --> basic authentication is requested (you put it in here)

Open 192.168.1.2:4321/gui again --> nothing will happen

Open 192.168.1.2:4321/gui again --> Full access

This behaviour applies to the external IP too.

Therefore your secret content relies only on your chosen login/password. If I can get this right, I see all the secrets and can add your share to my box (and all your data is transferred to me).

Running basic authentication over HTTP is usually a bad idea, because it is a cleartext protocol. The login/password can be sniffed.

Therefore there should be no way to get to the GUI on the listening port. Or at least give out an advisory which informs the users that their data might be at risk.

As long as this is not fixed, the listening port should not be publicly open to the internet.

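A way to check your own forwarded listening port for the behaviour described in the post above, as an added Python example (not from the thread or from BitTorrent Sync). The function names and outcome labels are illustrative; it assumes the "invalid request" text arrives in the response body and treats a 401 or any 2xx/3xx reply as the web UI answering:

```python
import http.client
import sys


def classify_response(status, body):
    """Map one HTTP reply to the outcomes described in the post."""
    if b"invalid request" in body.lower():
        return "invalid"   # the "invalid request" text the post reports
    if status == 401:
        return "auth"      # basic-auth prompt: the web UI is answering
    if 200 <= status < 400:
        return "served"    # content or a redirect was returned
    return "other"


def probe_gui(host, port, attempts=4, timeout=3.0):
    """Request /gui several times, since the post saw the reply change per attempt."""
    outcomes = []
    for _ in range(attempts):
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request("GET", "/gui")
            resp = conn.getresponse()
            outcomes.append(classify_response(resp.status, resp.read(4096)))
        except (OSError, http.client.HTTPException):
            outcomes.append("closed")  # refused, timed out, or not speaking HTTP
        finally:
            conn.close()
    return outcomes


def gui_reachable(outcomes):
    """True if any attempt reached the web UI or its login prompt."""
    return any(o in ("auth", "served") for o in outcomes)


if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])
    results = probe_gui(host, port)
    print(f"{host}:{port}/gui -> {results}")
    print("web UI reachable on this port" if gui_reachable(results)
          else "no web UI reply seen on this port")
```

Run it against both the web UI port and the sync listening port of your own box (for the setup in the post, `192.168.1.2 8888` and `192.168.1.2 4321`); only the first should report the web UI as reachable.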

Ok,

but then the default package has the wrong settings (for SSL).

For the WebGUI:

If I bind it on localhost (listen=127.0.0.1:8888) it won't be really useful on a headless server or NAS, because you can't access it. The only way would be by some SSH port forwarding with PuTTY.

If I bind it to a local IP (192.168.1.2) it would not fix the problem if I forward the port 4321 from my router to the box. Because then you can still open externalIP:4321/gui

But why is the GUI running on the listen port anyway? I don't see the need for this.

For Security:

Enabling SSL and having a very strong basic authentication key would help a little. But this is only a workaround.

Edited by tavoc

I misunderstood which port you're talking about. This is a big sechole indeed.

I disabled authentication on the webui (bound to localhost) thinking I'm safe behind a secure proxy... :mellow:

This puts it in perspective how a lot of people are complaining about the "possibility" of key collision and brute forcing when there's basically a built-in backdoor, at least in my case.


This is only a backdoor if your chosen credentials are weak, e.g. admin/admin or root/root and so on. But yes, this should be fixed, because a bruteforce attack on your credentials is more likely.

Maybe a system like DenyHosts would be good. After 3-4 bad login requests the port goes down for this IP.

Edited by tavoc

Guest idef1x

@Tavoc: thanks for notifying this imho big issue. I agree btsync shouldn't be used out in the open before this is fixed. Yes you can have all kinds of workarounds to cripple the idea behind btsync (firewalling etc), but I don't like crippling features.

Still I am wondering why in the first place the listening port for the syncing is interconnected with the webgui in the first place. What's the use of that?

I don't use passwords on my LAN for the webgui and only the non-webgui port WAS accessible from the outside.

Might be better to turn off the relay server option as well then.

Is there also a way to have a config file to put settings in for Android? I can't find it and so it used the default config. On Android I'll try later if you can access it as well like tavoc described, but then I need to find the port my phone is listening on first (and I am not at home now to test).


You can, for the moment, circumvent access to your webui by only letting the Internet connect to UDP to your btsync instances. This means NO UPNP or NAT-PMP, but manual control over the ports you forward to your host from the internet.

There are tricks to get through this, but at least you have more fine-grained control.

(Trick: http://code.google.com/p/udp-tcp-bridge/)

It should be fixed though, suspending here too.
