Peer Approval On Keys?

[benguild]

I don't understand what the different between the new sharing features are and the older key exchange.

 

For example, I'd like to have to approve new machines to sync with mine ... and be able to revoke that approval later. Is this only on the new "sharing" system? Is this through a centralized server or authority? How does it work? (with Linux machines, etc.)

[12345lamacun]

You can share the new "link" (difference: if you share it with your mother-in-law she is kind of guided through the installation of btsync) with somebody, have more control over the expiration date, if someone posts the link into your facebook-timeline you have the ability to denie the requests of those friends of yours you dont want to have your secret.

 

after you permitted somebodys request, they have the secret and can use it like they created it.

 

the "centralized server" is just a website, checking if the recipient has btsync already installed, and then forwards the secret to btsync.

[piotrnik]

If I understand right, once the share is approved, you can't remove access to the folder (except by changing the secrets on the other computer(s) in the share, as with BTSync previously); the expiration date only controls when the link itself expires, not the resulting access. 

 

 

One question that I do have - if there are multiple computers on a share, is it only the computer that generated the link that has to approve it, or do all computers on the share have to approve it?

[capi]

From my understanding it is this way:

 

The certificate and approval only kick in when you use the new link sharing feature, which replaces the old "one-time secrets". It is only used to secure the exchange of the main secret. Once the secret is shared, there is no more approval of the peers required.

 

This is based on the fact, that if you enter a secret directly, no approval is required.

 

So I assume, that only one peer needs to approve and once the secret has been exchanged the peer will communicate with all the other peers without further approval.

[shahar]

You can always remove a shared folder from Sync and it will stop syncing with other devices, or even better, open Folder Preferences and choose Update key (hides under View key), then choose Create new key (warning: this will disconnect all connected devices). Later you can use the new key you got to update it on other devices.

[capi]

Yes, but this is besides the point: with the secret, any new peer can join the network without prior approval from any existing peer. The approval process only kicks in when using the new Link feature.

[shahar]

Yeah, you're right.

[RomanZ]

@benguild

 

To make long things short: Link allows to get the Key securely. If someone steals / sniffs the Link - he will stuck with the approval and you can reject him. If someone steals / sniffs the Key - he'll get access to your data. Here and here more details.

 

 

If I understand right, once the share is approved, you can't remove access to the folder (except by changing the secrets on the other computer(s) in the share, as with BTSync previously);

Absolutely right.

 

One question that I do have - if there are multiple computers on a share, is it only the computer that generated the link that has to approve it, or do all computers on the share have to approve it?

Only one who produced the link must (and actually can) approve.

[kramb0l]

Why can't there be the same approval option for adding keys directly? I would always like to approve new seeds/clients, no matter how they are added.

[kramb0l]

Another great feature would be the option to disable new peers at all. I have setup Sync the way I want and I won't need to add other peers at all. Then it would be nice to close/disable the option to add new peers. This way you won't even need to bother if someone gets your key.

[RomanZ]

@kramb0l

 

Why can't there be the same approval option for adding keys directly? I would always like to approve new seeds/clients, no matter how they are added.

Because of the nature of the key. Once you've got it - you don't need any approvals - you can access the data. That's why the Links were created - they do not store the key directly, therefore the approval is possible. 

 

Another great feature would be the option to disable new peers at all. I have setup Sync the way I want and I won't need to add other peers at all. Then it would be nice to close/disable the option to add new peers. This way you won't even need to bother if someone gets your key.

We'll consider it for future releases. Though, in future - please post such proposals to Feature Requests forum to make sure it is not lost.

[gl00mer]

@benguild

 

To make long things short: Link allows to get the Key securely. If someone steals / sniffs the Link - he will stuck with the approval and you can reject him. If someone steals / sniffs the Key - he'll get access to your data. Here and here more details.

 

Absolutely right.

 

Only one who produced the link must (and actually can) approve.

 

is this still a fact in btsync 2.2.x??

[RomanZ]

@gl00mer

Yes. Though note, that under "only one" we mean "user" here. I.e. if user has several computers linked with My Devices, request will come to all of them, and can be approved / rejected by any ot them.

[gl00mer]

What a pity..

so when i'm using btsync as free version and I reinstall my OS, all generated syncs are completely useless?!

Why can't every owner approve new peers?

[RomanZ]

@gl00mer

Is approval step necessary here? If no - you can simply share the key itself, not a link.

[gl00mer]

ok, maybe i'm too stupid.

but i've made the following experience: sharing a folder like this (see attached screenshot) still needs the approval by the creator of the folder  (not the one who produced the link!!) by appearing online - no interaction by the user in front of the pc (the one who created the folder-sync) is necessary. What do you mean with "share the key itself"

[RomanZ]

@gl00mer

I'll drop a bit of helpcenter info here to stop confusing you

There are 2 types of folders in Sync 2.2 - standard and advanced. 

 

If you are sharing advanced folder, approval comes to the folder Owner, who produced the link (there could be several owners). Folder sharing is only available via link. Also, even if you uncheck the demand of an approval, at least one of owner's peers must be online to grant you access

 

If you are sharing standard folder, it also can be shared via key. Key does not require approval. Key never expires, key does not belong to anyone (and cannot be revoked). Once someone has a key, he can access the data stored wit this key by other users. Here is how standard folder sharing looks like: 

 

 

There is no way to convert folders between standard and advanced - they use totally different cryptographic background. You have to choose folder type when you add it to Sync.

 

Let me know if you got further questions.