Open Source does not mean 100% secure (See `bash` and `openssl` for recent examples.). Please don't take any of this personally.)ġ00% security is a lie. (I apologize in advance because this is me writing when I'm tired and a little more cranky than usual. > the people for whom security is a 100% matter, not a 99% matter, best choose a solution that allows, and can withstand, scrutiny. Therefore, the people for whom security is a 100% matter, not a 99% matter, best choose a solution that allows, and can withstand, scrutiny. As long as the implementation details remain unpublished, it's impossible to verify your claims. I love BT Sync, and will most likely continue to use it, but the author has a point. I think they're still compatible with each other at the moment. I figure it's relevant to this thread.ĮDIT: ef4 mentioned Syncthing in his comment. I haven't tried using it, but Pulse appears to be an open source replacement for BitTorrent Sync. (Even the protocol isn't publicly documented, last I checked.) I'm not an open-source purist, but the way they always promote as being the most secure, private option out there while completely ignoring that fact is frustrating. That very first sentence will always be false as long as it isn't open source. > BitTorrent Sync remains the most secure and private way to to move data between two or more devices. As always, we welcome and appreciate a responsible discussion on security. We’re sure they had the best of intentions with this exercise, but as they have stated, their review was not a professional assessment. We’ve been talking with the folks who posted on Hackito to clarify these issues. This is not an issue with Sync, but basic security protocol. Should an attacker gain root or physical access to the machine, it can modify any element of the attacked system. Like with any other solution, the user needs to secure access to their machines using proper passwords, proper firewall configuration, and the like. Compromising the public infrastructure cannot impact the security of Sync The public infrastructure is there to enable better connectivity and a more user-friendly folder sharing experience. Sync security is completely dependent on client-side implementation. As mentioned earlier, the hashes cannot be used to obtain access to a folder. We host a tracker server for peer discovery the tracker is only there to enable peers to find each other. Additional features have been implemented to further secure the key exchange using links, including (1) the links automatically expire within 3 days (set as default) and (2) explicit approval is required by the inviting peer before any key exchange takes place (also set as a default). In addition, the public key and the folder hash appear after the # sign in the URL, which means that all modern browsers won’t even send this to the server. After a direct connection is established (the user can verify that by comparing the certificate fingerprint for both peers) Sync will pass the folder key over an encrypted channel for the other peer. The link itself cannot be used for decrypting the communication as it only contains the public keys of the machines involved in the exchange. Links make use of standard public key cryptography to enable direct and secure key exchange between peers. Hashes also cannot be guessed it is a 160 bit number, which means that it is cryptographically impossible to guess the hash of a specific folder. The hashes cannot be used to obtain access to the folder it is just a way to discover the IP addresses of devices with the same folder. They are used to discover other peers with the same folder. Folder hashes are not the folder key (secret). To address the main points made in the study’s conclusion: We’ve gone through the claims made on Hackito and after reviewing it in full, we do not feel there is any cause for concern. Recently a post on Hackito from a group of tech enthusiasts speculated on possible security implementation for Sync. Rigorous third-party security audits have been conducted to verify the product’s security architecture, validated by the attached report.īut we take questions about Sync’s security very seriously. And for good reason, we’ve built it that way. BitTorrent Sync remains the most secure and private way to to move data between two or more devices.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |