kos13

Sync: Security Is Our Highest Priority

Recommended Posts

 

 

 

At the end of day open source also has to be trusted

 

I would say, at the end of the day, the main difference is that the opensource software can live without some singe company, whereas your software will go down when (not if) you comapany will go down and also government agencies can force you to compromise software, in US they can legally force you to do it and forbid you about telling it to customers. That is the main reason why your software cannot be trusted. Open source is open source. Maybe it is hard for regular joe, but at the end of the day you CAN verify that is is secure, compile it, run it on your own infrastructure, without worrying about some other 3rd party company (Bittorent inc).

 

So even if security is your highest priority, you will never be "most secure and private way to to move data between two or more devices" and you should not say that if you don't want to lie.

Share this post


Link to post
Share on other sites

 

So even if security is your highest priority, you will never be "most secure and private way to to move data between two or more devices" and you should not say that if you don't want to lie.

 

 

Urza, no disrespect, but you're not in any position to make that claim. What qualifies your comments? Do you have the legal policies qualifying your claims? Do you understand the inner workings of encryption and cryptography? Have you reversed engineered Sync's executable? 

 

Within the constraints of the law BT have made claims according to the steps they have taken. I'm not claiming I blindly except this, but I'm also not flamboyantly disregarding it. On the other hand what steps if ANY have any of the open sources package you use for file synchronization gone through to also make a similar claim? 

 

My guess is that BT is more than qualified to make the claim. 

 

2d

Share this post


Link to post
Share on other sites

BitTorrent Sync remains the most secure and private way to to move data between two or more devices.

 

No it is not. Syncthing [1] is more secure. With syncthing you need to explicitly authorize every peer and allow access to every folder you want to share with them. They need to authorize you as well. It is not convenient but is more secure then BTSync - where all you need is to know the secret and then you have access to files. Secrets can leak e.g. while in transfer - sending by email, chat etc.

 

It is not true starting from version 1.4. Sync v1.4 can generate a link which requires explicit approval from resource owner to actually share the key. You can see this article for more details on how it works. Sync 2.0 has even more advanced protection and no longer operates key, but uses X.509 certificates instead and can revoke access to already existing share.

 

Roman the link requires approval but the secret does not. So if the secret leaks the folder is vulnerable with BitTorrent Sync.

To prove my point (just tested in 1.4):

- create a folder in the desktop app

- share it and select approval required

- share it via QR Code with your phone

(using Google Googles you can verify that the QR contains the full secret key

btsync://A43YJYOLBQZF2KG44Ixxxxxxxxxxxxxxxxx?n=nexus5.download.family)

- add the folder on your phone.

 

The folder will start syncing without any warning or approval notice in the desktop app. 

So if the secret leaks the folder is vulnerable with BitTorrent Sync which it is not the case with Syncthing. 

Share this post


Link to post
Share on other sites

Roman the link requires approval but the secret does not. So if the secret leaks the folder is vulnerable with BitTorrent Sync.

To prove my point (just tested in 1.4):

- create a folder in the desktop app

- share it and select approval required

- share it via QR Code with your phone

(using Google Googles you can verify that the QR contains the full secret key

btsync://A43YJYOLBQZF2KG44Ixxxxxxxxxxxxxxxxx?n=nexus5.download.family)

- add the folder on your phone.

 

The folder will start syncing without any warning or approval notice in the desktop app. 

So if the secret leaks the folder is vulnerable with BitTorrent Sync which it is not the case with Syncthing. 

 

Is this still the case under Sync 2.*? 

 

2d

Share this post


Link to post
Share on other sites

> the people for whom security is a 100% matter, not a 99% matter, best choose a solution that allows, and can withstand, scrutiny.

 

Oh, please. Just stop.

 

(I apologize in advance because this is me writing when I'm tired and a little more cranky than usual. Please don't take any of this personally.)

 

100% security is a lie. It's a myth. It doesn't exist.

 

You misunderstood me. A 100% matter, meaning a 100% priority. Your interpretation is a truism—of course it is not possible.

Share this post


Link to post
Share on other sites

@patwolf

Of course. If the key leaks - the one who got it can access the folder. This concept is known and accepted. It is pretty much basics of cryptography.

Key itself only show in QR codes - as scanning the QR is pretty secure operation. When you copy link or send it over e-mail - you won't see the folder key there. There is a one-time key which is used to transfer the folder key securely in case if owner approves.

 

@2disbetter

Sync 2.0 folders do not rely on keys (secrets) anymore. They rely on certificates, so the access to the folder is confirmed with a digital signature.

Share this post


Link to post
Share on other sites

@patwolf

Of course. If the key leaks - the one who got it can access the folder. This concept is known and accepted. It is pretty much basics of cryptography.

This is misleading and its untrue that it was accepted from user side.

A lot of this discussion was how insecure the "secret" is and that new peers needs to be explicilty approved (like SyncThing does).

BitSync always maintained no worries the secret is hard to guess and then BitSync pretended that approval was added so people are safe now. The reality is that the approval was only a surface gimmic while underneath anybody with the key had full access.

With proper approval it doesn't matter if anybody obtains or guesses the key it's just a folder identifier.

It's good that it has been improved in 2.0 but it was badly handled upto 1.4 and the authorization gave users a false sense of security.

Share this post


Link to post
Share on other sites

This is misleading and its untrue that it was accepted from user side.

A lot of this discussion was how insecure the "secret" is and that new peers needs to be explicilty approved (like SyncThing does).

BitSync always maintained no worries the secret is hard to guess and then BitSync pretended that approval was added so people are safe now. The reality is that the approval was only a surface gimmic while underneath anybody with the key had full access.

With proper approval it doesn't matter if anybody obtains or guesses the key it's just a folder identifier.

It's good that it has been improved in 2.0 but it was badly handled upto 1.4 and the authorization gave users a false sense of security.

 

Nothing to see here.

 

2d

 

Edit: Corrected as a consequence of ignorance. 

Share this post


Link to post
Share on other sites

You do however realize that this thread is explicitly about version 2.0 and onward right? The declaration of security isn't retroactive to versions before that. 

 

This is actually an old thread which was started before 2.0 was available and when 1.4 was the latest version.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now