Bleep… Bittorrent unveils serverless & encrypted chat client
Nod5:
Yeah Bittorrent Sync is great. Very simple to use compared to fiddling with an FTP server/client setup. And who knows, maybe they have some solution to the question I posed. But it puzzles me that articles I've read on it don't ask about that, for example the MIT Review article "Sync Your Files without Trusting the Cloud".
rgdot:
The answer is probably the obvious one. There are 2 levels of privacy here, incidentally it has always been 2, not just in NSA days.
First is those you can decide to trust, which comprises Dropbox (just to use them as an example) employees and developers.
The second is those looking in without Dropbox's knowledge (this list includes the NSA but is not exclusively NSA or a gov agency; it could be any 'third party' who takes advantage of holes and/or backdoors).
Renegade:
I think it will be a good thing to see multiple programs doing the same thing there. Competition is good.
Bittorrent has a big name though, so that's not going to work in their favour for Tox.
Nod5:
BTW does the peer matching for Bittorrent Sync work the same way? Some write ups claim that Bittorrent Sync is more secure than Dropbox since the data isn't cloud stored. But if the client matching happens in the cloud a powerful agency could require the cloud operator to hand over the secret key and then use the key to access the Sync folder directly on the client. ... -Nod5 (August 15, 2014, 03:40 AM)
--- End quote ---
Some recent news prompted BT to write this explainer that answers my old question above about Bittorrent Sync. Thought others might find it useful.
http://forum.bittorrent.com/topic/32592-bittorrent-sync-security-is-our-highest-priority/
- Folder hashes are not the folder key (secret). They are used to discover other peers with the same folder. The hashes cannot be used to obtain access to the folder; it is just a way to discover the IP addresses of devices with the same folder. Hashes also cannot be guessed; it is a 160 bit number, which means that it is cryptographically impossible to guess the hash of a specific folder.
- Links make use of standard public key cryptography to enable direct and secure key exchange between peers. The link itself cannot be used for decrypting the communication as it only contains the public keys of the machines involved in the exchange. After a direct connection is established (the user can verify that by comparing the certificate fingerprint for both peers) Sync will pass the folder key over an encrypted channel to the other peer. In addition, the public key and the folder hash appear after the # sign in the URL, which means that all modern browsers won't even send this to the server. Additional features have been implemented to further secure the key exchange using links, including (1) the links automatically expire within 3 days (set as default) and (2) explicit approval is required by the inviting peer before any key exchange takes place (also set as a default).
- We host a tracker server for peer discovery; the tracker is only there to enable peers to find each other. It is not a part of the folder exchange. As mentioned earlier, the hashes cannot be used to obtain access to a folder.
- Sync security is completely dependent on client-side implementation. The public infrastructure is there to enable better connectivity and a more user-friendly folder sharing experience. Compromising the public infrastructure cannot impact the security of Sync.
--- End quote ---
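To make the three properties in the quoted explainer concrete (a discovery hash that is derived one-way from the folder secret, a link whose sensitive part sits in the URL fragment that browsers never transmit, and a key handover gated by a 3-day expiry and explicit approval), here is a small Python model. It is an added illustration, not BitTorrent's code, and it does not reproduce Sync's real protocol: the domain-separated SHA-1 derivation, the `PendingInvite` class and the link URL are all constructed assumptions for the example.

```python
"""Toy model of the discovery-hash / secure-link properties described in the
BitTorrent Sync explainer quoted above. Constructed for illustration only;
the derivation and class names are assumptions, not Sync's actual design."""
import hashlib
import secrets
from urllib.parse import parse_qs, urlsplit

# Default link lifetime stated in the explainer: 3 days.
LINK_TTL_SECONDS = 3 * 24 * 3600


def new_folder_secret():
    """160-bit random folder secret (20 bytes). This is what grants access."""
    return secrets.token_bytes(20)


def discovery_hash(secret):
    """One-way discovery identifier for a folder.

    Peers holding the same secret derive the same 160-bit hash and can find
    each other through a tracker, but the hash alone cannot be inverted to
    recover the secret, and guessing a specific folder's hash means guessing
    a 160-bit value. (Assumption: domain-separated SHA-1; Sync's exact
    derivation is not given on the page.)
    """
    return hashlib.sha1(b"discovery|" + secret).hexdigest()


def split_link(url):
    """Return (what a browser sends to the server, what stays client-side).

    Everything after '#' is the URL fragment. Browsers do not include the
    fragment in the HTTP request, so material placed there (public key,
    folder hash) never reaches the link host.
    """
    p = urlsplit(url)
    sent_to_server = p.path + ("?" + p.query if p.query else "")
    kept_locally = {k: v[0] for k, v in parse_qs(p.fragment).items()}
    return sent_to_server, kept_locally


class PendingInvite:
    """Key handover for a shared link: the folder key is released only to an
    invite that is both unexpired and explicitly approved by the inviter."""

    def __init__(self, folder_secret, created):
        self.folder_secret = folder_secret
        self.created = created      # seconds (constructed clock)
        self.approved = False       # inviter must approve explicitly

    def approve(self):
        self.approved = True

    def release_key(self, now):
        if now - self.created > LINK_TTL_SECONDS:
            raise PermissionError("link expired")
        if not self.approved:
            raise PermissionError("inviting peer has not approved the exchange")
        return self.folder_secret


if __name__ == "__main__":
    secret = new_folder_secret()
    print("discovery hash:", discovery_hash(secret))
    # Constructed link; the host name is a placeholder, not a real Sync URL.
    sent, local = split_link(
        "https://link.example.invalid/share?kind=folder#pubkey=AAAA&hash=BBBB")
    print("server sees:", sent)
    print("client keeps:", local)
    invite = PendingInvite(secret, created=0.0)
    invite.approve()
    print("key released:", invite.release_key(now=60.0) == secret)
```

The point of `split_link` is the part of the explainer that is easiest to verify yourself: open any URL with a `#...` fragment in a browser while watching the server's access log, and the fragment is absent from the request line. The `PendingInvite` gate is the model of the two defaults the explainer lists, and a practitioner reviewing such a design would want to confirm both checks happen on the receiving client, not on the public infrastructure.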