Security researchers: don’t use Bittorrent Sync for sensitive data

vbimport

#1

We’ve just posted the following news: Security researchers: don’t use Bittorrent Sync for sensitive data

BitTorrent Sync users should not use the service to share sensitive data, according to security researchers.

Read the full article here: [http://www.myce.com/news/security-researchers-dont-use-bittorrent-sync-for-sensitive-data-73497](http://www.myce.com/news/security-researchers-dont-use-bittorrent-sync-for-sensitive-data-73497)

Please note that the reactions from the complete site will be synced below.

#2

Great, that’s just what we need… more data being leaked to big brother. As usual, this leaves sensitive data completely open to non-government traffickers.

Once again, I strongly recommend everyone refuse to send anything to any remote computers without encrypting it before using any transmission methods. There are many file compression programs which can add passwords to your compressed files.

Also, there are only two ways to be sure the programs on your computer aren’t spying on you: refuse to connect to the internet, or use free (as in freedom) software exclusively.


#3

BitTorrent responded:

To address the main points made in the study’s conclusion:

  • Folder hashes are not the folder key (secret). They are used to discover other peers with the same folder. The hashes cannot be used to obtain access to the folder; it is just a way to discover the IP addresses of devices with the same folder. Hashes also cannot be guessed; it is a 160 bit number, which means that it is cryptographically impossible to guess the hash of a specific folder.

  • Links make use of standard public key cryptography to enable direct and secure key exchange between peers. The link itself cannot be used for decrypting the communication as it only contains the public keys of the machines involved in the exchange. After a direct connection is established (the user can verify that by comparing the certificate fingerprint for both peers) Sync will pass the folder key over an encrypted channel to the other peer. In addition, the public key and the folder hash appear after the # sign in the URL, which means that all modern browsers won’t even send this to the server. Additional features have been implemented to further secure the key exchange using links, including (1) the links automatically expire within 3 days (set as default) and (2) explicit approval is required by the inviting peer before any key exchange takes place (also set as a default).

  • We host a tracker server for peer discovery; the tracker is only there to enable peers to find each other. It is not a part of the folder exchange. As mentioned earlier, the hashes cannot be used to obtain access to a folder.

  • Sync security is completely dependent on client-side implementation. The public infrastructure is there to enable better connectivity and a more user-friendly folder sharing experience. Compromising the public infrastructure cannot impact the security of Sync.

  • Like with any other solution, the user needs to secure access to their machines using proper passwords, proper firewall configuration, and the like. Should an attacker gain root or physical access to the machine, they can modify any element of the attacked system. This is not an issue with Sync, but basic security protocol.
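Added illustration (not from the thread, and not BitTorrent's code): a small Python model of two claims in the response above, namely that a folder's discovery hash is derived one-way from its secret key so a tracker that only sees hashes learns nothing about the key, and that material placed after `#` in a share link never appears in the HTTP request a browser sends. The key size, hash function, tracker API, peer addresses and link layout are all assumptions made for the example, not Sync's real protocol or wire format.

```python
"""Toy model of the points in BitTorrent's response: a folder's discovery hash
is derived one-way from its secret key, the tracker only ever sees the hash,
and the hash/public key placed after '#' in a share link never leave the
browser. Constructed illustration only; the key size, hash function, tracker
API and link layout are assumptions, not BitTorrent Sync's real protocol."""
import hashlib
import secrets
from urllib.parse import urlsplit


def new_folder_key() -> bytes:
    """Random folder secret. 20 bytes (160 bits) is an assumption."""
    return secrets.token_bytes(20)


def folder_hash(key: bytes) -> str:
    """Discovery identifier: a one-way hash of the secret (SHA-1 assumed).
    It locates peers sharing the folder but cannot be inverted to the key."""
    return hashlib.sha1(key).hexdigest()


class Tracker:
    """Minimal peer-discovery service. It maps folder hash -> peer addresses
    and is never given the folder key."""

    def __init__(self) -> None:
        self._peers: dict[str, set[str]] = {}

    def announce(self, fhash: str, addr: str) -> set[str]:
        """Register addr under fhash; return the peers already known for it."""
        known = self._peers.setdefault(fhash, set())
        others = set(known)
        known.add(addr)
        return others

    def state_mentions(self, needle: str) -> bool:
        """True if `needle` appears anywhere in the tracker's stored data."""
        return any(needle in h or any(needle in a for a in addrs)
                   for h, addrs in self._peers.items())


def build_http_request(link: str) -> str:
    """The request a browser sends for `link` (RFC 7230 origin-form target).
    urlsplit() separates the fragment; the request is built without it,
    which is exactly what browsers do."""
    parts = urlsplit(link)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return f"GET {target} HTTP/1.1\r\nHost: {parts.netloc}\r\n\r\n"


def demo() -> dict:
    """Run the model end to end and return the observable facts."""
    tracker = Tracker()
    key = new_folder_key()
    fhash = folder_hash(key)

    # Two peers announce the same folder hash; the second discovers the first.
    tracker.announce(fhash, "203.0.113.10:3000")          # constructed addresses
    found = tracker.announce(fhash, "198.51.100.7:3000")

    # Constructed share link: hash and a stand-in public key after '#'.
    peer_pubkey = secrets.token_hex(32)   # placeholder, not a real key
    link = f"https://link.example.invalid/share?v=1#f={fhash}&k={peer_pubkey}"
    request = build_http_request(link)

    return {
        "hash_len_hex": len(fhash),
        "found_peers": found,
        "tracker_saw_key": tracker.state_mentions(key.hex()),
        "request": request,
        "fragment_in_request": fhash in request or peer_pubkey in request,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Running it shows the tracker holding only hashes and addresses, the second peer finding the first through the shared hash, and a request line of `GET /share?v=1 HTTP/1.1` with nothing from the fragment in it. The caveat the response itself makes still applies: none of this protects the secret if the endpoint is compromised, and a link that is shared over an insecure channel before it expires hands the public key and hash to whoever sees it, even though the server never does.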