Seven security issues marked high severity were reported, including some in a web admin interface and various leaks. Five medium vectors were found, including dependence on possibly insecure architecture and leaking of IP addresses to trackers. Readers could follow the technical analysis, or community commentary.

Update: BitTorrent comms director Christian Averill told Vulture South the group remains confident of the security of Sync, dubbing the claims "pretty wild" and derived from a "pretty loose" methodology.

BitTorrent Sync remains the most secure and private way to move data between two or more devices. And for good reason, we've built it that way. Rigorous third-party security audits have been conducted to verify the product's security architecture. But we take questions about Sync's security very seriously. We've gone through the claims made by Hackito and after reviewing it in full, we do not feel there is any cause for concern. For your reference, we address the main points made in the post's conclusion:

Folder hashes are not the folder key (secret) and are used to discover other peers with the same folder. The hashes cannot be used to obtain access to the folder; it is just a way to discover the IP addresses of devices with the same folder. Hashes also cannot be guessed; it is a 160-bit number, which means that it is cryptographically impossible to guess the hash of a specific folder.

Links make use of standard public key cryptography to enable direct and secure key exchange between peers. The link does not contain any folder encryption keys; it only contains the public keys of the machines involved in the exchange. After a direct connection is established (the user can verify that by comparing the certificate fingerprint for both peers), Sync will pass the folder key over an encrypted channel to the other peer. The link itself cannot be used for decrypting the communication. In addition, the public key and the folder hash appear after the # sign in the URL, which means that all modern browsers won't even send this to the server. On top of that, a few additional features were implemented to further secure the key exchange using links, including (1) the links automatically expire within three days (set as default) and (2) explicit approval is required by the inviting peer before any key exchange takes place (also set as a default).

We host a tracker server for peer discovery; the tracker is only there to enable peers to find each other. As mentioned earlier, the hashes cannot be used to obtain access to a folder.

This is not an issue with Sync, but basic security protocol. Once an attacker has root access or physical access to the machine, it can modify any element of the attacked system. Like with any other solution, the user needs to secure access to their machines using proper passwords, proper firewall configuration, and the like.

Compromising the public infrastructure cannot impact the security of Sync. The public infrastructure is there to enable better connectivity and a more user-friendly folder sharing experience. Sync security is completely dependent on the client-side implementation.

Now, open BTSync on the tablet and tap the Add folder icon in the top right corner. BitTorrent Sync on Android, taken on a Nexus 7. On the next screen, tap Choose folder, then select where you.