
But SyncThing exposes users to a risk that they may have not been prepared for. It's a great tool, but it's not a tool for the masses.


What risk? Other users on the same system accessing the web UI?

That can be mitigated with a token included in the browser launch URL, but it seems like a pretty unlikely vector anyway: someone would have to write code that specifically knows about SyncThing, then convince you to install it, and then you'd have to not be using password protection.


Opening your computer to the network. Incorrectly configured folders for sharing could end up wiping out your data (no warning or chance for recovery, unless you configure file versioning, which is confusing AND off by default). WebUI not configured with a password by default, allowing multi-user systems to access your files.


All of your complaints are specific to Syncthing which, admittedly, doesn't have great defaults (but the fans will be quick to defend it).

A webui for a desktop app can be made perfectly securely, though.

For example it can bind to 127.0.0.1, not do external network requests, and require a token (generated by a systray menu utility or an app shortcut for example) that will prevent automated exploits from accessing it as well as other users on a multi-user system.
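The design sketched in that comment (loopback bind, per-launch token in the launch URL, token unreadable by other local accounts) as an added example; this is not Syncthing's code, and the file path, port and handler are constructed for illustration:

```python
# Added example, not Syncthing's code: a desktop-app web UI that binds to
# loopback only and accepts requests only with a per-launch random token.
import hmac
import os
import secrets
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urlsplit

BIND_ADDR = "127.0.0.1"  # loopback only, never 0.0.0.0

def generate_token() -> str:
    """Fresh 256-bit random token on every launch."""
    return secrets.token_urlsafe(32)

def write_token_file(path: str, token: str) -> None:
    """Store the token with mode 0600 so other local accounts cannot read it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(token)

def launch_url(port: int, token: str) -> str:
    """URL a systray helper or desktop shortcut would open in the browser."""
    return f"http://{BIND_ADDR}:{port}/?token={token}"

def is_authorized(request_path: str, expected: str) -> bool:
    """True only if the query carries the exact token; constant-time compare."""
    supplied = parse_qs(urlsplit(request_path).query).get("token", [""])[0]
    return hmac.compare_digest(supplied.encode(), expected.encode())

def make_handler(expected_token: str):
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if not is_authorized(self.path, expected_token):
                self.send_error(403, "missing or invalid token")
                return
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"web UI: authorized\n")

        def log_message(self, *args):  # silence request logging in the demo
            pass
    return Handler

def serve(port: int = 0):
    """Start the UI on loopback (port 0 = OS-chosen); returns (server, token)."""
    token = generate_token()
    server = ThreadingHTTPServer((BIND_ADDR, port), make_handler(token))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, token
```

A real app would also set a session cookie after the first tokenised request so the token does not linger in the address bar, and would still offer an optional password for the case the commenter raises.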



