Bittorrent Sync Security -- IP Address


rowebil


Questions,

 

I am wondering which is the best way to secure Sync?

 

Let's say, I want people to be able to download my files remotely... they will download the program, paste my key, and select a folder to put the files.

 

Would they be able to see the server IP address, even if they snooped around?

Or would it come up as 'peer-to-peer traffic'?

 

And if by default, the IP address is revealed, is there a way to hide that, by maybe increasing level of encryption or disabling something? 

Edited by rowebil

To secure Sync I would recommend you encrypt the files yourself; the Bittorrent Sync team has earlier changed the encryption scheme without warning the users (as long as it is a beta that could happen).

Everyone downloading the file will see your IP address, as will Bittorrent Inc as they host the tracker.

You can hide your IP by using a VPN or a proxy.

 


Yeah haha that was pretty dumb of me to ask about hiding the IP address lol I know better than that. 

 

So, if running Wireshark or such, IP will be revealed? It is direct, but I wasn't sure if it was peer-to-peer traffic or not. 

 

Wireshark where? The person receiving the files can see the connections to you. Anyone in between can see traffic between you. Bittorrent Sync is completely unsuitable for anonymity or confidentiality. You could set up a server with the encrypted key, and then connect to it not using DHT, the tracker or peer exchange. Then the downloaders will only see the IP of the server. Obviously you have no guarantee the application doesn't leak info to Bittorrent Inc or others.

Except if you turn the use of the tracker server off, then BT inc won't see it.

 

Sure, if you completely trust that setting, and assume the IP won't be transmitted through any other feature.


Ah okay, I understand how it works now! I did turn the tracker off, just to test it out. 

 

I have just heard about this being the most secure thing ever, and wanted to know how it all worked. From what everyone is saying, I assumed that nothing could be leaked?

 

This statement made me lose faith in humanity. Please excuse me while I shove a rusty tablespoon into my brain.

This is by far not "the most secure thing ever". I wouldn't even call it secure.

I would assume everything is leaked. The encryption scheme isn't documented, or reviewed, so it offers no security. The program is not made for anonymity, so it has no advantage there. The only difference from storing it on DropBox and using this is that the files are not stored on third party servers with intent. Of course if you worry about the NSA they will likely be able to download the datastream. Of course if you assume the encryption implementation is sound (and that is a pretty fragile assumption, almost like assuming Titanic can't sink because the creators said so) then they cannot decrypt the data. But they could retain the data forever, so if you use the same secret for different stuff, then they can decrypt everything you shared before. Using the tracker adds extra vulnerabilities: then the NSA can get the IP of every node connected. They only need one person with a read-only secret to decrypt everything sent with that secret, and to decrypt everything that will be sent with it in the future.

So to sum it up: BTSync offers worthless encryption, no anonymity, and the files are easily intercepted between the nodes. In addition it offers no forward secrecy.

If you want something secure I would recommend you to encrypt the files using AES256-CBC, using different keys for each file, and then set up an SSL Torrent using LibTorrent. Then you can be assured the keys are properly generated, ensure access control, and you will have forward secrecy.
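The last reply recommends encrypting each file yourself with AES256-CBC and a different key per file before sharing it. That step with the openssl command-line tool, as an added example that is not part of the original thread: the HMAC over the ciphertext goes beyond what the post describes (CBC alone does not detect tampering), and the function names, file names and key-file layout are assumptions.

```shell
#!/bin/sh
# Added example: per-file AES-256-CBC with encrypt-then-MAC via the openssl CLI.
# Assumptions: openssl and awk are installed; function names and the four-line
# key-file layout (enc key, MAC key, IV, tag) are made up for this illustration.
set -e

# mac_of MACKEY IV FILE: hex HMAC-SHA256 over the hex IV followed by the ciphertext
mac_of() {
    { printf '%s' "$2"; cat "$3"; } |
        openssl dgst -sha256 -mac HMAC -macopt "hexkey:$1" | awk '{print $NF}'
}

# encrypt_file PLAIN CIPHER KEYFILE: fresh random keys and IV for every file
encrypt_file() {
    enc_key=$(openssl rand -hex 32)   # 256-bit AES key, unique to this file
    mac_key=$(openssl rand -hex 32)   # separate key for the integrity tag
    iv=$(openssl rand -hex 16)        # CBC needs an unpredictable 128-bit IV
    openssl enc -aes-256-cbc -K "$enc_key" -iv "$iv" -in "$1" -out "$2"
    tag=$(mac_of "$mac_key" "$iv" "$2")
    # Key file is created readable by the owner only
    ( umask 077; printf '%s\n%s\n%s\n%s\n' "$enc_key" "$mac_key" "$iv" "$tag" > "$3" )
}

# decrypt_file CIPHER KEYFILE PLAIN: verify the tag first, decrypt only on a match
decrypt_file() {
    { read -r enc_key; read -r mac_key; read -r iv; read -r tag; } < "$2"
    if [ "$(mac_of "$mac_key" "$iv" "$1")" != "$tag" ]; then
        echo "integrity check failed: $1" >&2
        return 1
    fi
    openssl enc -d -aes-256-cbc -K "$enc_key" -iv "$iv" -in "$1" -out "$3"
}

# Demo on a constructed sample file
work=$(mktemp -d)
printf 'constructed sample data\n' > "$work/a.txt"
encrypt_file "$work/a.txt" "$work/a.enc" "$work/a.key"
decrypt_file "$work/a.enc" "$work/a.key" "$work/a.out"
if cmp -s "$work/a.txt" "$work/a.out"; then echo "round trip ok"; fi
rm -rf "$work"
```

Only the `.enc` file belongs in the shared folder; the key file has to reach recipients over a separate channel. Keys passed with `-K` are visible in the local process list while openssl runs, so run this on a machine you do not share.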
