tenjaa Posted August 11, 2013
Every secret I create on my Raspberry Pi starts with "A". Can someone verify this and explain it? On my Windows 8 PC too...
GreatMarko Posted August 11, 2013
Quote: Every secret I create on my Raspberry Pi starts with "A". Can someone verify this and explain it? On my Windows 8 PC too...
This is correct.
Full Access secrets begin with an A
Read Only secrets begin with a B
One Time secrets begin with a C
Shagaroo Posted August 12, 2013
Quote: This is correct. Full Access secrets begin with an A. Read Only secrets begin with a B. One Time secrets begin with a C.
Hi, what happens if I am generating my own (longer) secrets on the Linux command line - can I just add an A/B/C to make it full/read only/one time? I have been generating random secrets this way without prepending the A, B or C for a while and it seems to work OK for full access.
P.S. Love the software, it's exactly what I have been looking for for a long time.
ChrisH Posted August 12, 2013
Surely the first letter does not control the secret's function.
tavoc Posted August 12, 2013 (edited)
Hi there,
I have BT Sync running on my Debian box and forwarded the specific port through my router, e.g. 4321. As far as I know, this port is used for connecting devices (like an own BT server). I have forwarded port 4321, and not 8888.
In my local network I can access the WebGUI through my internal IP, let's say 192.168.1.2:8888. There I have to put in my account name/password. That's OK so far.
BUT: Why is the WebGUI listening on the external port? If you open a connection to your external IP and the given port (4321 in my setup) you get: invalid request. If you enter the external IP, the given port and the directory "gui" you can reach the web frontend. This one is only protected by the given basic authentication, which should only be reachable from the local network. Sure, you don't see your shared folders, because it displays only an empty list. But this could potentially expose your secret share codes?
Furthermore, running basic auth over a non-SSL connection (for external use) isn't the best way, because an attacker could sniff the data. Inside my local network I am not concerned about basic authentication, because I know every participant.
In my opinion there should be no WebGUI on the chosen BT Sync port.
Edited August 12, 2013 by tavoc
bradmurray Posted August 12, 2013
Quote: Surely the first letter does not control the secret's function.
It doesn't control it, but it does designate the type of key. Changing A to B will not change the function as it will invalidate the rest of the key. You can see this by comparing the full key for a folder you already have to the read-only key that it gives you if you ask for it. It's just a human-readable thing. They do the same thing with credit cards. Visas always start with 4 (MC with 5, AmEx 3, Discover 6). Changing the first number doesn't change the card type. It invalidates the number because there is a built-in checksum.
wmb Posted August 12, 2013
Thanks for German language support and easy setup of the admin password in the Linux client (using ARM). But still... Where's the iOS version?
Mozart Posted August 13, 2013
Quote: Why is the WebGUI listening on the external port? If you open a connection to your external IP and the given port (4321 in my setup) you get: invalid request. If you enter the external IP, the given port and the directory "gui" you can reach the web frontend. This one is only protected by the given basic authentication, which should only be reachable from the local network. Sure, you don't see your shared folders, because it displays only an empty list. But this could potentially expose your secret share codes?
You can have more than one http server in your box, and 80 is the default port number for the service. http://yourdomain/ == http://yourdomain:80/
If you have a second http server, then you need to use a different port number, say 8888, to distinguish it from the first one. BTSync has an http server in itself, and it uses port 8888. This has nothing to do with the external accessibility.
So what you have to do is to close port 8888 at your router / firewall.
sicamm Posted August 13, 2013
Letter convention is wrong. I have several shared folders between my work and my home networks (domain and workgroup), so using LAN and internet connections:
Full Access secrets begin with an A, J, 7, Y and Z
Read Only secrets begin with a B and R
One time is not in use in my case.
I use the Windows version, version 1.1.48.
tavoc Posted August 13, 2013
Quote: You can have more than one http server in your box, and 80 is the default port number for the service. http://yourdomain/ == http://yourdomain:80/ If you have a second http server, then you need to use a different port number, say 8888, to distinguish it from the first one. BTSync has an http server in itself, and it uses port 8888. This has nothing to do with the external accessibility. So what you have to do is to close port 8888 at your router / firewall.
I know that I can have multiple web servers on my box. But this is not the point.
All ports are disabled in my router, except 4321.
It is OK to connect to port 8888 from inside my network, because this is how it should work.
But it is wrong that a BT Sync web server is listening on the BT Sync port (the one for tracker and so on). Try it yourself. On this specific port, which you have to forward through the firewall, there should be no GUI, but there is.
This one here is OK:
internal web server: 192.168.1.2:8888
This one is not:
Port for BT Sync: 4321
external web server: externalIP:4321/gui
internal web server: 192.168.1.2:4321/gui
GreatMarko Posted August 13, 2013
Quote: Letter convention is wrong. Full Access secrets begin with an A, J, 7, Y and Z. Read Only secrets begin with a B and R.
No, the lettering convention I indicated in my previous post is NOT wrong! ...you are simply seeing the backwards compatibility that is still present in Sync to allow secrets from earlier versions (before one-time secrets were introduced) to still be valid!
Generated secrets in early versions of Sync (before one-time secrets were introduced):
Full Access: 20 bytes in base32
Read Only: R + 20 bytes in base32
Generated secrets in more recent versions of Sync:
Full Access: A + 20 bytes in base32
Read Only: B + 20 bytes in base32
One Time: C + 20 bytes in base32
...which is why your read-only secrets that begin with R are still valid, and your full access secrets starting with J, 7, Y, and Z, etc. are still valid - check the length of your secrets to confirm! - you are simply using older secrets!
The current lettering convention I outlined in my last post is the convention that is in use in current Sync builds.
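The two secret formats GreatMarko lists above (and the point made later in the thread that a self-chosen prefix does not change what a secret is) can be checked mechanically. This is an added example, not code from BitTorrent Inc. or from any poster; the classification rules come only from the post above, the sample body is constructed, and generate_secret only reproduces the documented shape of a new-style secret, it does not derive a read-only secret from a full one.

```python
"""Classify a BitTorrent Sync secret by the prefix/length convention quoted in the thread.

Newer builds:  A|B|C + 20 bytes base32  (full / read-only / one-time)
Older builds:  20 bytes base32 (full)  or  R + 20 bytes base32 (read-only)
20 bytes encode to exactly 32 base32 characters with no '=' padding (160 bits / 5).
"""
import base64
import os
import re

# Unpadded RFC 4648 base32 alphabet, exactly 32 characters long.
BASE32_BODY = re.compile(r"^[A-Z2-7]{32}$")

# Constructed sample body (not a real secret): the full base32 alphabet once.
SAMPLE_BODY = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

NEW_PREFIXES = {"A": "full", "B": "read-only", "C": "one-time"}


def classify_secret(secret: str) -> str:
    """Return the secret type implied by its shape alone, or 'unknown'.

    This only reads the label; it cannot tell whether the secret belongs to any
    folder, so a random body with an 'A' or 'B' glued on still classifies.
    """
    s = secret.strip()
    if len(s) == 32 and BASE32_BODY.match(s):
        # Legacy full-access secret: any base32 first character (J, 7, Y, Z, ...)
        return "full (legacy format)"
    if len(s) == 33 and BASE32_BODY.match(s[1:]):
        if s[0] in NEW_PREFIXES:
            return NEW_PREFIXES[s[0]]
        if s[0] == "R":
            return "read-only (legacy format)"
    return "unknown"


def generate_secret(kind: str) -> str:
    """Build a string with the shape of a newer-format secret: prefix + base32(20 random bytes).

    Assumption: the shape is as documented in the thread; whether the client
    accepts an arbitrary random body is not verified here.
    """
    prefix = {v: k for k, v in NEW_PREFIXES.items()}[kind]
    body = base64.b32encode(os.urandom(20)).decode("ascii")  # 32 chars, no padding
    return prefix + body


if __name__ == "__main__":
    for s in ("A" + SAMPLE_BODY, "R" + SAMPLE_BODY, "J" + SAMPLE_BODY[1:], "Q" + SAMPLE_BODY):
        print(s, "->", classify_secret(s))
```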
bradmurray Posted August 13, 2013
I can't wait until 10 years from now when I show off my geek cred by giving out a read-only password to my sync folder that begins with a 4. I'll send it from my ICQ acct 101294.
ChrisH Posted August 13, 2013
Quote: It doesn't control it, but it does designate the type of key.
Right. So the letter scheme only relates to secrets generated by BTSync itself, and generating secrets by some other means and then just adding letters to it in the hope of making them read-only secrets (as Shagaroo suggested) won't work and is not necessary either, which was my point.
tavoc Posted August 13, 2013
Hi there,
I have tried a few things with the problem I found.
This problem could lead to losing your secret keys to everyone. Therefore an attacker could possibly get all the content which you sync.
Here is the exact setup.
Server side: 1.1.48 on Debian (will update later)
internal IP: 192.168.1.2
config:
{
  "device_name": "serverT",
  "storage_path": "/var/lib/btsync",
  "listening_port": 4321,
  "check_for_updates": false,
  "use_upnp": false,
  "download_limit": 0,
  "upload_limit": 0,
  "disk_low_priority": true,
  "lan_encrypt_data": true,
  "lan_use_tcp": false,
  "rate_limit_local_peers": false,
  "folder_rescan_interval": 600,
  "webui": {
    "listen": "0.0.0.0:8888",
    "login": "myuser",
    "password": "mysecurepassword"
  }
}
You can see that my local port is 8888 and the listening port is 4321.
In my router only 4321 is forwarded to this Debian box.
If you open 192.168.1.2:8888/gui and put in the basic auth, everything is working as expected. You get the web GUI and see all the secrets.
BUT this is insecure:
Open 192.168.1.2:4321/gui --> nothing will happen the first time (invalid request)
Open 192.168.1.2:4321/gui again --> basic authentication is requested (you put it in here)
Open 192.168.1.2:4321/gui again --> nothing will happen
Open 192.168.1.2:4321/gui again --> full access
This behaviour applies to the external IP too.
Therefore your secret content relies only on your chosen login/password. If I can get this right, I see all the secrets and can add your share to my box (and all your data is transferred to me).
Running basic authentication over HTTP is usually a bad idea, because it is a cleartext protocol. The login/password can be sniffed.
Therefore there should be no way to get to the GUI on the listening port. Or at least give out an advisory which informs the users that their data might be at risk.
As long as this is not fixed, the listening port should not be publicly open to the internet.
Disappointed Cat Posted August 13, 2013
Bind it to a local IP address. Even better if you bind it to localhost and set up a reverse proxy. I recommend this whenever it comes up because it's the most secure way and you get freedom over authentication, SSL ciphers, fail2ban, etc.
BTW, the webui backend supports https as well. Indeed it should be default.
tavoc Posted August 13, 2013 (edited)
OK, but then the default package has the wrong settings (for SSL).
For the WebGUI:
If I bind it on localhost (listen=127.0.0.1:8888) it won't be really useful on a headless server or NAS, because you can't access it. The only way would be by some SSH port forwarding with PuTTY.
If I bind it to a local IP (192.168.1.2) it would not fix the problem if I forward port 4321 from my router to the box. Because then you can still open externalIP:4321/gui
But why is the GUI running on the listening port anyway? I don't see the need for this.
For security:
Enabling SSL and having a very strong basic authentication key would help a little. But this is only a workaround.
Edited August 13, 2013 by tavoc
kos13 Posted August 13, 2013 (Author)
Thanks for reporting, we are on it, and I will update you soon.
tavoc Posted August 13, 2013
Thanks,
btw: with 1.1.69 it is the same.
Disappointed Cat Posted August 13, 2013
I misunderstood which port you're talking about. This is a big sechole indeed.
I disabled authentication on the webui (bound to localhost) thinking I'm safe behind a secure proxy... This puts in perspective how a lot of people are complaining about the "possibility" of key collision and brute forcing when there's basically a built-in backdoor, at least in my case.
tavoc Posted August 13, 2013 (edited)
This is only a backdoor if your chosen credentials are weak, e.g. admin/admin or root/root and so on. But yes, this should be fixed, because a brute-force attack on your credentials is more likely.
Maybe a system like DenyHosts would be good. After 3-4 bad login requests the port goes down for this IP.
Edited August 13, 2013 by tavoc
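The DenyHosts-style rule tavoc describes (lock out an IP after a few failed logins against the GUI) is easy to check against proxy logs when the web UI sits behind a reverse proxy as Disappointed Cat suggests. This is an added example, not part of BitTorrent Sync or of any poster's setup: it assumes the proxy writes Apache/nginx combined-format access logs in front of the /gui path, and the log lines below are constructed for the demo.

```python
"""Flag client IPs that repeatedly fail basic auth (HTTP 401) on the Sync web UI path.

Assumes combined-format access logs from a reverse proxy in front of /gui.
The sample log below is constructed; the addresses are documentation ranges.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)

SAMPLE_LOG = """\
203.0.113.7 - - [13/Aug/2013:21:00:01 +0200] "GET /gui/ HTTP/1.1" 401 0 "-" "curl/7.26.0"
203.0.113.7 - - [13/Aug/2013:21:00:02 +0200] "GET /gui/ HTTP/1.1" 401 0 "-" "curl/7.26.0"
192.168.1.20 - myuser [13/Aug/2013:21:00:05 +0200] "GET /gui/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Aug/2013:21:00:06 +0200] "GET /gui/ HTTP/1.1" 401 0 "-" "curl/7.26.0"
203.0.113.7 - - [13/Aug/2013:21:00:09 +0200] "GET /gui/ HTTP/1.1" 401 0 "-" "curl/7.26.0"
198.51.100.4 - - [13/Aug/2013:21:05:00 +0200] "GET /gui/ HTTP/1.1" 401 0 "-" "Mozilla/5.0"
198.51.100.4 - - [13/Aug/2013:21:30:00 +0200] "GET /gui/ HTTP/1.1" 401 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return (ip, timestamp, path, status) for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))


def find_bruteforce(log_text, path_prefix="/gui", threshold=4, window_seconds=600):
    """Return {ip: time the threshold was crossed} for IPs with >= threshold
    401 responses on the GUI path inside a sliding window of window_seconds."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path, status = parsed
        if status != 401 or not path.startswith(path_prefix):
            continue                      # successes and other paths are ignored
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip} hit the failed-login threshold at {when.isoformat()}")
```

With the defaults only 203.0.113.7 is flagged; 198.51.100.4 stays under the threshold because its two failures are 25 minutes apart.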
Guest idef1x Posted August 14, 2013
"only a backdoor"??? Right, why use secrets and encrypt the data streams when there's a backdoor like this in it?
Guest idef1x Posted August 14, 2013
@Tavoc: thanks for notifying this IMHO big issue. I agree btsync shouldn't be used out in the open before this is fixed. Yes, you can have all kinds of workarounds to cripple the idea behind btsync (firewalling etc.), but I don't like crippling features.
Still I am wondering why in the first place the listening port for the syncing is interconnected with the webgui. What's the use of that?
I don't use passwords on my LAN for the webgui and only the non-webgui port WAS accessible from the outside.
Might be better to turn off the relay server option as well then.
Is there also a way to have a config file to put settings in for Android? I can't find it and so it used the default config. On Android I'll try later if you can access it as well like tavoc described, but then I need to find the port my phone is listening on first (and I am not at home now to test).
Guest idef1x Posted August 14, 2013
edit: can't delete a posting apparently and this one was a double
sagdusmir Posted August 14, 2013
After trying it for myself: Not cool.
Suspended btsync and waiting for a fixed version.
PeterVerhees Posted August 14, 2013
You can, for the moment, circumvent access to your webui by only letting the Internet connect over UDP to your btsync instances. This means NO UPnP or NAT-PMP, but manual control over the ports you forward to your host from the internet.
There are tricks to get through this, but at least you have more fine-grained control.
(Trick: http://code.google.com/p/udp-tcp-bridge/)
It should be fixed though, suspending here too.