Share With Unauthorized Peers

[btsnewbie]

Hi Everyone,

 

I downloaded the newest version of Beta. I like it, very easy to use,but found one major issue.

 

I sent a link to an approved peer, they downloaded what they needed and I approved them. All good. However, in their interface they were able to share a read only version of my documents, without me knowing. They created a link, approved the person and the person was able to access the folder on another computer. I eventually found out because I noticed the peers went from 1 to 2 in the interface (it was just luck that I noticed this).

 

My questions:

 

I have looked everywhere and can't find anyway to stop this from happening. Did I miss something?

 

With the new paid version, will I be able to lock this down to just one user? I don't remember having the same issue with the previous version of BTS (I used it a couple of times), as a key was sent to the person and they couldn't generate their own key for another person.

 

Am I missing something or is this the new normal

 

Thanks everyone, appreciate the help!

 

Cheers

 

Laurie

 

 

Oh and I thought this forum was the right place for this, not Troubleshooting...but please let me know if I am wrong!

[trevellyan]

Anyone with a valid key for a folder can share that key with someone else and thus grant the same (or less) access they have to that other person. It's been this way since I began using Sync, which was late 1.2.x if I remember correctly.

[btsnewbie]

Thanks so much. I was going on memory, and I seem to remember the key was one use only (or one could set it that way)? This would have been version 1.3.109....was I incorrect?

[RomanZ]

@btsnewbie

 

The one-time secret in 1.2 and 1.3 was like a Link in 1.4. It served to safely deliver the key - that's it. At the end of day the client ends with either RO or RW key in 1.2-1.3.

 

Managing access to your folders is planned in upcoming Sync Pro - see here and here for details.

[btsnewbie]

Thanks RomanZ. I read those links, but still can't work out whether any more security will be added. I guess I don't get why the key can't lock things to one machine at least...in terms of allowing that folder only to be shared with people you give access to-which isn't the case now. Would be a great new feature!

[piotrnik]

Unfortunately for your situation, until the pro version with more granular permissions, sync treats all peers as being on the same level  - everyone with r/o is the same, and everyone with r/w is the same.  

Thus if you give r/w access to someone, they have all the same rights as you - in other words, they can also give the key (r/w or r/o) on to others, change any file, etc, just like you can.  As the system works, they are now indistinguishable from you.

If you give r/o access, the same concept applies, but on a lower level.  They likewise have access to all the files, but changes made don't sync back to the r/w peers. Like the r/w peers can share either the r/o or r/w keys, the r/o peers can share the r/o key as desired (they can't share the r/w key because they don't know it). 

 

As mentioned by RomanZ, the link/one-time key/approval only serve to secure the transmission of the core r/o or r/w key; they have fulfilled their purpose once the new peer has access and have no further effect. 

Currently, the only way to revoke any access for unwanted peers is to change the folder key on all computers that you want to retain access.  The peer with the old key will still have all the files they downloaded/synced (and connections with anyone still using the old key, such as by sharing the key on their side), but no new changes will sync with other peers on the new key.

 

 

Pro will apparently add another level (the owner) on top of the r/o and r/w tiers, and they will have the ability to revoke access already granted (though it's not currently clear if only the owner has to be pro and the users can be free version, or if they all have to be pro; nor is it clear if revoking access will also come with an option to delete the data on the revoked peer). 

 

 

 

Hopefully this will help explain things a bit

[btsnewbie]

Hi piotrnik,

 

Thanks so much, that gave me a bit more to go on, appreciate it!

 

Cheers