11 Sep 2013 danstowell   » (Journeyer)

Exploring privacy: BitTorrent Sync (btsync)

Post-Snowden, we all need to understand privacy and cryptography a little bit better than we did before. If you use something like Dropbox to synchronise files between computers, or to collaborate with people, you may wonder about the security of it. Well, you should wonder about the security of it: the way Dropbox works is that it sends your files up into "the cloud", which is really a big filestore run by Amazon. That's handy because if you trash your computer, your files can be recovered from Amazon's servers. But it's not so handy in that all your files are stored on some third-party server, maybe in the EU, maybe in the USA. In general we shouldn't have to trust such third parties, so it'd be better if the data were encrypted in a way that Dropbox/Amazon couldn't inspect. (Note: technically the data is "encrypted" on their servers, but Dropbox holds the keys, so the encryption doesn't prevent Dropbox itself from looking at your files.) Even worse, we know (post-Snowden) that it's highly likely the US security services have some kind of "relationship" with Dropbox/Amazon through which they can scan for interesting content etc, under rather looser terms than maybe we thought. So Dropbox provides a personal service but not a private one.

Luckily (?) the makers of Bittorrent have come along with an alternative called BitTorrent Sync, which does the same kind of job but in a peer-to-peer fashion.

The way it works is described in the btsync tech summary and it's rather neat. Transferring files between computers is basically done Bittorrent-style, but the data is transmitted directly between your own computers over an encrypted connection.

(When I say "directly"... it's still transmitted indirectly in the sense that internet traffic passes through many machines - but I mean that your data is not addressed first to some third-party machine [neither peer nor server] to be stored or re-addressed before it hops onward to your machine.)

If you have two computers attached to the internet, you sync files between them by telling them both the secret random code that btsync generates for you. You don't need any central server (in principle), because btsync is able to use a DHT, which lets it ask the p2p network, "which IP addresses correspond to machines that know my secret code?"

I think this architecture is really rather nice. There are a handful of extra tweaks you need to be aware of - for example, it does in fact use centralised servers (not just the DHT) to help bootstrap awareness of peers, and also to help get round firewalls and NAT - but the basic idea is neat, and cuts out the middleman compared with Dropbox. In principle, this appears much better privacy-wise.

There is a major security/privacy issue, but before that here's a minor one. The DHT stores data in the form of "SHA1(Secret):ip:port", which means that although your secret isn't directly stored, if some naughty person were spying on your network traffic and saw your computer send out a message saying "who knows about SHA1(Secret)?", then the naughty person could ask the DHT the same question and discover the IP addresses of all the nodes in your little sharing network. So that doesn't give away your secret (the hash is one-way, and the secret is long and random, so it can't be guessed back from the hash) or your data, but it does give away some of your web of connectivity. For example, maybe it lets someone confidently associate your work computer with your home computer. These narrower kinds of information leak are hard to stop, but I believe there are tools designed to avoid even them (RetroShare privately hops data from friend to friend, so that an outside observer could probably work out who your friends are, but not which bit of data is destined for which destination).
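To make the "minor" leak concrete, here is an added example (my own constructed model, not btsync's code) of the DHT scheme described in the two paragraphs above. It stores SHA1(Secret) → {ip:port} in an in-memory dictionary, lets two of your machines announce under the same secret, and then shows what a passive observer learns from a single captured lookup key: the full peer set, but not the secret. The secret, the peer addresses and the "GET_PEERS" message format are all made up for the illustration.

```python
import hashlib
from collections import defaultdict

# Constructed in-memory stand-in for the DHT: lookup key -> set of "ip:port" strings.
# Only the hash of the secret is ever stored, exactly as the post describes.
DHT = defaultdict(set)


def dht_key(secret: str) -> str:
    """The key a node announces/looks up: SHA1 of the share secret, as hex.
    The secret itself never goes on the wire or into the DHT."""
    return hashlib.sha1(secret.encode("utf-8")).hexdigest()


def announce(secret: str, ip: str, port: int) -> str:
    """A peer that knows the secret registers its own address under SHA1(secret).
    Returns the key it announced under, so the caller can see what leaves the host."""
    key = dht_key(secret)
    DHT[key].add(f"{ip}:{port}")
    return key


def lookup(key: str) -> set:
    """Anyone may ask the DHT 'who knows about <key>?'; there is no authentication."""
    return set(DHT.get(key, ()))


def lookup_by_secret(secret: str) -> set:
    """What a legitimate peer does: hash its secret and query."""
    return lookup(dht_key(secret))


def observer_extract_key(captured_message: str) -> str:
    """A sniffer sees the query leave your machine. Message format is a made-up
    stand-in ('GET_PEERS <hexkey>'); the real wire format is not modelled here."""
    verb, key = captured_message.split(" ", 1)
    assert verb == "GET_PEERS"
    return key


def observer_view(captured_message: str) -> set:
    """The observer re-issues the identical query and gets the same answer you would:
    every address in your sharing network, without ever learning the secret."""
    return lookup(observer_extract_key(captured_message))


# Constructed sample data (documentation-range IPs, made-up secret).
SECRET = "A6GXH3TYQ2DZRWJFWOVEZKI2DQ7H2UX5Z"
HOME = ("203.0.113.7", 41234)
WORK = ("198.51.100.22", 41234)


def build_example() -> str:
    """Populate the toy DHT with your two machines plus an unrelated share.
    Returns the message an observer would capture when HOME announces/queries."""
    DHT.clear()
    key = announce(SECRET, *HOME)
    announce(SECRET, *WORK)
    announce("someone-elses-secret", "192.0.2.9", 5000)
    return f"GET_PEERS {key}"


if __name__ == "__main__":
    captured = build_example()
    print("observer saw:", captured)
    print("observer learns peers:", sorted(observer_view(captured)))
    print("observer learns secret:", SECRET in captured)
```

The point the code makes is that the lookup key is public by design: the DHT answers the same question for whoever asks, so seeing one query (or being a node on the DHT path that handles it) is enough to map which addresses belong to the same share, even though the 40-hex-character key gives the observer no practical way back to the 32-character random secret.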

The major issue is that BitTorrent Sync is not open-source. Many, many security experts can tell you that open-source software is much easier to rely on for security, because the actual source code is out in the open (and ideally, the development process too) and can be inspected for any issues. In the past this was just a vague idea, but now post-Snowden we know that government agencies do force software vendors to compromise the security of their software, and then to deny it to us. So it's very difficult to trust a company (especially, right now, a US-based company) when they say their software is private and secure.

(Of course, just because something is open-source doesn't guarantee it is secure. The NSA has been documented tweaking public open-source code, influencing on-the-record standards meetings, etc. Open source makes such tampering possible to find; it doesn't mean anyone has looked.)

But if it's closed source, it's like buying a boat and not being able to check all round it to see if it's seaworthy. "Is the hull watertight?" "Well, I've checked the left side, and there are no holes in that side." "Let's go!"

So, it's no wonder that the Free Software Foundation considers it a high priority to make a free-software equivalent to btsync. The design is neat, and in principle it's privacy-preserving. In practice... who knows?

Disclaimer: I'm a citizen, not a cryptographer. Post-Snowden we all need to understand privacy and cryptography a little bit better than we did before. You should probably read something by Bruce Schneier or Jacob Appelbaum.

Syndicated 2013-09-11 15:16:16 (Updated 2013-09-11 15:25:47) from Dan Stowell
