Sync: Security Is Our Highest Priority


kos13

At the end of the day, open source also has to be trusted.

 

I would say, at the end of the day, the main difference is that open-source software can live without some single company, whereas your software will go down when (not if) your company goes down, and also government agencies can force you to compromise software; in the US they can legally force you to do it and forbid you from telling your customers. That is the main reason why your software cannot be trusted. Open source is open source. Maybe it is hard for the regular Joe, but at the end of the day you CAN verify that it is secure, compile it, run it on your own infrastructure, without worrying about some other 3rd-party company (BitTorrent Inc).

 

So even if security is your highest priority, you will never be the "most secure and private way to move data between two or more devices", and you should not say that if you don't want to lie.


> So even if security is your highest priority, you will never be the "most secure and private way to move data between two or more devices", and you should not say that if you don't want to lie.

 

 

Urza, no disrespect, but you're not in any position to make that claim. What qualifies your comments? Do you have the legal policies qualifying your claims? Do you understand the inner workings of encryption and cryptography? Have you reverse engineered Sync's executable?

 

Within the constraints of the law, BT have made claims according to the steps they have taken. I'm not claiming I blindly accept this, but I'm also not flamboyantly disregarding it. On the other hand, what steps, if ANY, have any of the open source packages you use for file synchronization gone through to also make a similar claim?

 

My guess is that BT is more than qualified to make the claim. 

 


> BitTorrent Sync remains the most secure and private way to move data between two or more devices.

 

No it is not. Syncthing [1] is more secure. With Syncthing you need to explicitly authorize every peer and allow access to every folder you want to share with them. They need to authorize you as well. It is not convenient, but it is more secure than BTSync, where all you need is to know the secret and then you have access to the files. Secrets can leak, e.g. while in transfer: sending by email, chat etc.

 

That is not true starting from version 1.4. Sync v1.4 can generate a link which requires explicit approval from the resource owner to actually share the key. You can see this article for more details on how it works. Sync 2.0 has even more advanced protection: it no longer operates with keys but uses X.509 certificates instead, and can revoke access to an already existing share.

 

Roman the link requires approval but the secret does not. So if the secret leaks the folder is vulnerable with BitTorrent Sync.

To prove my point (just tested in 1.4):

- create a folder in the desktop app

- share it and select approval required

- share it via QR Code with your phone

(using Google Goggles you can verify that the QR contains the full secret key

btsync://A43YJYOLBQZF2KG44Ixxxxxxxxxxxxxxxxx?n=nexus5.download.family)

- add the folder on your phone.

 

The folder will start syncing without any warning or approval notice in the desktop app.

So if the secret leaks, the folder is vulnerable with BitTorrent Sync, which is not the case with Syncthing.


> Roman the link requires approval but the secret does not. So if the secret leaks the folder is vulnerable with BitTorrent Sync.

 

Is this still the case under Sync 2.*? 

 


> the people for whom security is a 100% matter, not a 99% matter, best choose a solution that allows, and can withstand, scrutiny.

 

Oh, please. Just stop.

 

(I apologize in advance because this is me writing when I'm tired and a little more cranky than usual. Please don't take any of this personally.)

 

100% security is a lie. It's a myth. It doesn't exist.

 

You misunderstood me. A 100% matter, meaning a 100% priority. Your interpretation is a truism—of course it is not possible.


@patwolf

Of course. If the key leaks - the one who got it can access the folder. This concept is known and accepted. It is pretty much basics of cryptography.

The key itself only shows in QR codes, as scanning a QR code is a pretty secure operation. When you copy a link or send it over e-mail, you won't see the folder key there. There is a one-time key which is used to transfer the folder key securely, in case the owner approves.

 

@2disbetter

Sync 2.0 folders do not rely on keys (secrets) anymore. They rely on certificates, so the access to the folder is confirmed with a digital signature.

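As an added illustration (not code from this thread or from BitTorrent/Resilio), here is a constructed Python model of the two access designs argued about above: a Sync 1.4-style bearer secret, where the share link needs the owner's approval but the secret itself does not, beside a Sync 2.0-style per-device grant that can be revoked. The class names, the HMAC stand-in for a certificate signature, and the device identifiers are assumptions.

```python
import hashlib, hmac, secrets

class SecretFolder:
    # Sync 1.4-style share (constructed model): the folder *is* a bearer secret.
    def __init__(self):
        self.secret = secrets.token_hex(16)  # the value the QR code carries
        self.pending = {}                    # one-time link token -> requester

    def share_link(self, requester):
        token = secrets.token_hex(8)         # a link holds only a one-time token
        self.pending[token] = requester
        return token

    def approve_link(self, token):
        # owner approval is what releases the real secret to the requester
        return self.secret if self.pending.pop(token, None) else None

    def can_sync(self, presented_secret):
        # the secret alone is sufficient; the approval list is never consulted
        return hmac.compare_digest(presented_secret, self.secret)

class CertFolder:
    # Sync 2.0-style share (constructed model): owner-signed grant per device.
    # HMAC under an owner-held key stands in for a real certificate signature.
    def __init__(self):
        self.owner_key = secrets.token_bytes(32)
        self.revoked = set()

    def grant(self, device_id):
        return hmac.new(self.owner_key, device_id.encode(), hashlib.sha256).hexdigest()

    def can_sync(self, device_id, grant_sig):
        if device_id in self.revoked:        # an existing share can be withdrawn
            return False
        return hmac.compare_digest(grant_sig, self.grant(device_id))

def demo():
    old, new = SecretFolder(), CertFolder()
    token, phone_grant = old.share_link("phone"), new.grant("phone")
    results = {
        "link_needs_approval": old.approve_link("bogus-token") is None,
        "approved_link_gets_secret": old.approve_link(token) == old.secret,
        "leaked_secret_syncs_unapproved": old.can_sync(old.secret),  # QR leak
        "granted_device_syncs": new.can_sync("phone", phone_grant),
        "forged_grant_rejected": not new.can_sync("laptop", "00" * 32),
    }
    new.revoked.add("phone")                 # owner revokes the existing share
    results["revoked_device_rejected"] = not new.can_sync("phone", phone_grant)
    return results
```

Every entry in the returned dictionary is True, which is the thread's point in miniature: in the first model a leaked secret bypasses approval entirely, while in the second the owner's grant is required and can be revoked.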

> @patwolf
>
> Of course. If the key leaks - the one who got it can access the folder. This concept is known and accepted. It is pretty much basics of cryptography.

This is misleading, and it's untrue that it was accepted from the user side.

A lot of this discussion was about how insecure the "secret" is and that new peers need to be explicitly approved (like SyncThing does).

BitSync always maintained "no worries, the secret is hard to guess", and then BitSync pretended that approval was added so people are safe now. The reality is that the approval was only a surface gimmick while underneath anybody with the key had full access.

With proper approval it doesn't matter if anybody obtains or guesses the key; it's just a folder identifier.

It's good that it has been improved in 2.0, but it was badly handled up to 1.4 and the authorization gave users a false sense of security.


> This is misleading and its untrue that it was accepted from user side.

 

Nothing to see here.

 


 

Edit: Corrected as a consequence of ignorance. 


You do however realize that this thread is explicitly about version 2.0 and onward right? The declaration of security isn't retroactive to versions before that. 

 

This is actually an old thread which was started before 2.0 was available and when 1.4 was the latest version.

On 11/18/2014 at 4:54 PM, foo said:

> Your whole response can be summarized as "trust us," which I don't. My private data is too important to be left to closed source. Moved on to syncthing a while back, and I encourage others to do likewise.

I tried syncthing before I moved to Resilio and it was a royal pain in the butt. Resilio works much better and more consistently than syncthing and is much, much easier to set up and requires much less maintenance, IMHO.


17 hours ago, flphotog said:

> I tried syncthing before I moved to Resilio and it was a royal pain in the butt. Resilio works much better and more consistently then syncthing

In a way what you say is right, Resilio is easier to set up because of the peer orientation, especially since moreover keys can be distributed to share files. This is a feature that would also work in principle in Syncthing, but not from a practical point of view if a connection is to be limited later.

Otherwise, Resilio is just not that technical to use, and since I've been a user of both tools for years, I can say with a fair amount of confidence that both tools are good, but both have fairly similar problems when the surrounding conditions are correspondingly unfavorable.

My main points against Resilio at the moment are the update policy and the resource consumption at lower internet bandwidths. Regarding updates, we have reached v2.7.3 after a break of almost 2 years, at least. We'll see if this once again takes care of all the bugs, v2.7.2 still had gaps after its release afterwards. For Android, we are still at v2.6.3 and v2.6.4 in the GooglePlay version.
