ChrisH Posted May 2, 2014 Report Share Posted May 2, 2014 I think most of the security concerns about BTSync (apart from it not being open source) could be addressed with a little better control over peer devices, especially new ones. 1. You should be able to set folder options the first time you create the folder. As it is now, you have to create the folder first, it is created will all the default options (which means the BTSync tracker knows the secret) and then you can switch to known devices or LAN sync only. 2. As an per-folder-option, you should choose whether you have to approve new peer devices accessing that folder. This is not perfect because device names can be spoofed and you have no control over what happens at other nodes, but it is a first step. Later there could be fingerprints or something, if needed. 3. The "known" peer devices for a folder (i.e. all devices that have ever synced something) should be recorded and displayed in the GUI somewhere. Maybe the type of secret the device used (RW, RO, ERO) could also be displayed. These are all GUI requirements and can be done without changes to the protocol. Nice-to-have but requiring a protocol change would be:4. The known peer devices from #3 are distributed to other nodes as part of the share. So each device knows every other device that has ever accessed the share. This would be great for distributing networks. Quote Link to comment Share on other sites More sharing options...
patwolf Posted December 7, 2014 Report Share Posted December 7, 2014 Totally agreed Chris. Not having proper approval for when a peer is added to a network is the single biggest drawback of BTSync and the new "link approval" doesn't solve it. The more people write tools around the BTSync API the more we'll have to provide our keys which makes them easy to harvest and without any access control the data is vulnerable.ie on some NAS devices they are unofficial compiles for BTSync. How super easy would it be to keep track of all the master keys users enter and then access their data. So again I agree that your points are needed +1This topic has some good implementation ideas for points 2,3,4http://forum.bittorrent.com/topic/30679-now-implemented-interactive-pairing/ Quote Link to comment Share on other sites More sharing options...
patwolf Posted December 23, 2014 Report Share Posted December 23, 2014 Would be very interested for comment from BTS staff on this! Quote Link to comment Share on other sites More sharing options...
kos13 Posted December 24, 2014 Report Share Posted December 24, 2014 I hope you saw a Sync 2.0. You could now granularly control user access for a folder. Some of the ideas are already implemented, but not all of them. I also want to point out, that Sync uses X509 based PKI security to achieve that. Cost of that - there are no keys for new folders. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.