Insecure By Default Configuration, No Way To Change New Folders To Be Secure By Default



It's been asked many times for a LAN syncing mode, and every time people are referred to the hack that is clicking on each folder and manually deselecting relay, tracker, and DHT.


This is horrible design from a security point of view. Lack of security is the default - if someone misses a single checkbox or forgets to set a single folder, they are now insecure. Furthermore, when a new folder is added to sync, because it defaults to broadcast to the world, before a user even has a chance to change the settings, a broadcast will go out announcing the files.


I realize that the developers claim that all BitTorrent Sync communications on the Internet are private, and promise that we can trust them not to read our files. However, this is really not good enough for a lot of sensitive information (and presumably they understand that, which is why it's possible to disable relay, tracker, and DHT in the first place). The app is closed source, so we just need to take promises on faith, and even assuming everyone is honest, the data is only one security bug in the code away from the prying eyes of bad guys. For a lot of sensitive data, given that we can't read the BitTorrent Sync source code, the only security that is good enough is being able to ensure by monitoring the network that Sync never, ever communicates outside of the LAN.


This is all in addition to the fact that it's incredibly obtuse and burdensome for a user to go through each folder individually clicking options, to the point where this needs to be a question on the FAQ.


Now I can appreciate for the average user, you want things to be as simple as possible and just work. However, for an app that claims to be serious about security and privacy, based on best practices in security design, there really needs to be a global option to limit all communications to LAN rather than this current folder-by-folder approach.


So, you know it doesn't broadcast your sync keys to the world, right? Or to anyone?

All disabling those features does is make it harder for one of your own clients to connect for syncing.

The tracker and DHT are there only for peer discovery, and the relay is there if you're behind two NATs. It never gets used if you have a proper firewall setup.


So, you know it doesn't broadcast your sync keys to the world, right? Or to anyone?

All disabling those features does is make it harder for one of your own clients to connect for syncing.

The tracker and DHT are there only for peer discovery, and the relay is there if you're behind two NATs. It never gets used if you have a proper firewall setup.

It's a little disappointing reading this response from an administrator, and I hope others there take security more seriously.


Like I already outlined in the third paragraph of my post, disabling all external connections does do a number of things besides just making things harder (seriously, if this is reflective of the team's thought process behind BitTorrent Sync, why are these options to disable external connections even present):


* Prevents a bug in the design or implementation of the security of BitTorrent Sync from compromising the data

* Prevents anyone outside the LAN from being able to track usage of BitTorrent Sync

* Prevents soft information about the inside of the LAN from being leaked such as when computers are on or how often they are restarted

* Lastly, BitTorrent Sync is closed-source, and users are supposed to take it on faith on what information is being sent to external servers. Disabling all external connections means there is no need to take it on faith, as if any outbound traffic whatsoever still appears, then it would be easy to find and publicize.


Right now, these features already exist. However, they are implemented in a way that is not right-thinking about security. Security-related settings shouldn't be blacklists, where each item has to be selected and added individually to not connect externally. Instead, they should be whitelists, where once a user has indicated they are security-sensitive and wish to limit transfers to their own LAN, each item should have to be selected and added individually to be an exception and allowed to connect externally.


Hi syncingpossum,


Thanks for the feedback. We'll consider changing default settings for LAN and will definitely take care of configuring some "default" folder settings so they would be:

1) applied on folder creation, not later,

2) applied automatically to avoid possible manual reconfiguration mistakes.


Roman.

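The allowlist design argued for in the post above (a global LAN-only setting with per-folder exceptions) together with the creation-time defaults Roman describes, modelled as an added example in Python. This is not BitTorrent Sync's code or settings format; the class and function names and the sample connection records are constructed for illustration. The last function is the "watch the network" check from the thread: with the LAN-only default, it must return nothing.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the allowlist design argued for in the thread; not BitTorrent
# Sync's own code or settings format. All names here are assumptions for illustration.

@dataclass
class Folder:
    name: str
    relay: bool
    tracker: bool
    dht: bool
    lan_exception: bool  # True only if the user explicitly allowed external peers

class SyncConfig:
    def __init__(self, lan_only=True):
        self.lan_only = lan_only     # global default: LAN only; exceptions are per folder
        self.folders = {}
        self.announcements = []      # folders announced to tracker/DHT (simulated)

    def add_folder(self, name, allow_external=False):
        # Decided at creation, before any discovery message goes out: a forgotten
        # checkbox leaves the folder LAN-only instead of public.
        external = allow_external or not self.lan_only
        folder = Folder(name, relay=external, tracker=external, dht=external,
                        lan_exception=allow_external)
        self.folders[name] = folder
        if external:
            self.announcements.append(name)
        return folder

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def is_lan(addr):
    ip = ipaddress.ip_address(addr)
    return ip.is_link_local or any(ip in net for net in PRIVATE_NETS)

def external_violations(config, flows):
    # The "watch the network" check: (folder, remote_ip) flows leaving the LAN
    # without an explicit exception. With lan_only set this must stay empty.
    bad = []
    for folder, remote in flows:
        exempt = folder in config.folders and config.folders[folder].lan_exception
        if not is_lan(remote) and not exempt:
            bad.append((folder, remote))
    return bad
```

Compare `SyncConfig()` with `SyncConfig(lan_only=False)`: in the second, the current blacklist behaviour, every new folder is announced before the user touches a checkbox.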
