6o8Vnscc5hZJGQITIWVB5UhFc8 Posted November 14, 2013

Is there really no way to enable/force the webui of the linux btsync to use https/ssl? This is a gaping security hole for a software trying to take pride in security and privacy. That might be fine for communication over a private, trusted network, but it's wholly unacceptable for communication over the public internet. I have a remote server I've been using for offsite backup and I've now realized that the credentials to the webui and all my 'secrets' have been transmitted in plaintext on the open internet. Great. As a workaround I can change all my secrets, disable the webui, and exclusively do remote configuration on a config file via ssh, but still... wtf?
ryanobjc Posted November 17, 2013

I have to vote this up as well. I wanted to run this on a linux vps, but I'm not sure now. The config lets one restrict it to listen on 127.0.0.1. Maybe it should ship with this.
liefde Posted June 2, 2014

For crying out loud, this is still not fixed? Do we really need to proxy via nginx?
6o8Vnscc5hZJGQITIWVB5UhFc8 (Author) Posted June 3, 2014

Yep, reverse proxy with SSL and a good WAF like mod_security is strictly necessary. There are tons of how-tos out there about 'setting up your own dropbox' with a linux server and btsync. And I cringe every time I see one because I've never seen one mention this. You know there are people out there who just copy/paste the commands without understanding what they're doing and assume it's safe, but it's not. Not reverse proxying (or disabling) the btsync webui is foolish and anyone advocating it is putting people at risk. Sending 'secrets' in plaintext over an untrusted network means they are no longer secrets. This should be plastered in big, bold letters all over any instructional copy regarding btsync and it's not. I could (almost) forgive them for not including this functionality because of the messiness of dealing with SSL certs and not wanting to reinvent the wheel (a good web server), but omitting a prominent warning of a gaping security hole is inexcusable. The fact that everyone seems to want to stick their heads in the sand and pretend this isn't a real issue is very disconcerting and makes me wonder what other security issues are being ignored inside the black box of closed source code. It sure doesn't inspire confidence.
frater Posted June 3, 2014

I agree with all the posts in this thread. What really should get fixed is the sharing of the secrets in plain text. Using a reverse proxy is still a good idea. Software like nginx is getting many more reviews by the community and should therefore be safer against hackers. Having another user (nginx) listen to the big bad world is giving you an extra level of security.

Cheers
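The setup the last few posts describe (btsync bound to loopback, nginx terminating TLS in front of it), written out as an added example. This is not configuration from the thread or from BitTorrent/Resilio; it assumes btsync's JSON config has been changed to listen only on loopback ("webui": {"listen": "127.0.0.1:8888"}, port 8888 being an assumption that must match your own config), that a certificate for the placeholder host sync.example.com already exists at the paths shown, and that the admin network 203.0.113.0/24 is a placeholder to replace.

```nginx
# Added example, not part of the original thread or of btsync itself.
# Assumes btsync is already bound to 127.0.0.1:8888 in its own config,
# so the plaintext UI is reachable only through this proxy.

server {
    listen 80;
    server_name sync.example.com;        # placeholder hostname
    # Never serve the UI over plain HTTP; redirect every request to HTTPS.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name sync.example.com;        # placeholder hostname

    ssl_certificate     /etc/ssl/certs/sync.example.com.pem;    # placeholder path
    ssl_certificate_key /etc/ssl/private/sync.example.com.key;  # placeholder path
    ssl_protocols TLSv1.2 TLSv1.3;       # TLSv1.3 needs a recent nginx/OpenSSL
    ssl_prefer_server_ciphers on;

    # Tell browsers to refuse plain HTTP for this host from now on.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Defence in depth in front of btsync's own login: only the admin network
    # may reach the UI at all.
    allow 203.0.113.0/24;                # placeholder admin network
    deny  all;

    location / {
        # btsync itself must listen on loopback only; nothing but nginx
        # should be able to talk to port 8888.
        proxy_pass http://127.0.0.1:8888;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

After restarting both services, confirm that the plaintext listener is not exposed: `ss -ltnp | grep 8888` should show the btsync process bound to 127.0.0.1:8888 and nothing on 0.0.0.0:8888 or [::]:8888. If it still shows a wildcard bind, the proxy adds nothing, because the UI can be reached directly around it.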
RomanZ Posted June 4, 2014

Hi all, your comments are heard and are going to be addressed. We plan to add SSL for the WebUI soon, as well as working on a secure way to transfer secrets.
ztmdsbt Posted August 7, 2017

Any updates?
Moe Posted August 7, 2017

Ugh, this has already been implemented. Please check the help section for information on how to set up the WebGUI with an https cert (if you want to use your own one instead of the self-signed one that comes with it).
ztmdsbt Posted August 8, 2017

14 hours ago, Moe said: "Ugh, this has already been implemented. Please check the help section for information on how to set up the WebGUI with an https cert (if you want to use your own one instead of the self-signed one that comes with it)."

That's awesome! But I cannot find the article, can you give me the link? Thank you!
eltopo Posted August 10, 2017

This? https://help.resilio.com/hc/en-us/articles/206178884-Running-Sync-in-configuration-mode
ztmdsbt Posted August 11, 2017

Yeah, that's it! Thanks a lot.