BitTorrent Remote Beta Privacy FAQ
I'm concerned that the BitTorrent Remote servers see and keep a record of all of my torrent activity. Why should I use a service that exposes my private information?
How is this so? BitTorrent Remote uses a cryptographic protocol called SRP, the Secure Remote Password protocol. SRP is an authentication and key-exchange protocol. In BitTorrent Remote, your web browser serves as the client and your BitTorrent client as the server. The BitTorrent Remote servers act only as a channel between the two.
SRP has two other features worth mentioning:
- An attacker or intermediary who has access to the entire SRP negotiation should gain no information that would enable him to recover the password. It is effectively a zero-knowledge proof (http://en.wikipedia.org/wiki/Zero-knowledge_proof) to the server that the client has the password.
- SRP provides perfect forward secrecy (http://en.wikipedia.org/wiki/Perfect_forward_secrecy): even if an adversary somehow compromises your password, that will not allow the decryption of past sessions. Likewise, a compromised session key will not allow an attacker to recover the password.
- More information about SRP is available here: http://srp.stanford.edu/whatisit.html
- An early version of SRP is described in RFC2945: http://tools.ietf.org/html/rfc2945
- More information about AES is available here: http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
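As an added illustration (not BitTorrent's code and not part of the original FAQ), the sketch below runs a textbook SRP-6a login with both endpoints in one function and records what a relay sitting between them would observe. SHA-256, the proof format M1 = H(A, B, K), the function names and the 521-bit demo modulus are assumptions made for this example.

```python
import hashlib
import secrets

# Assumption: demo modulus 2**521 - 1 (a Mersenne prime) keeps the example short.
# It is not a safe prime; real SRP uses a standardised group such as RFC 5054's.
N = 2**521 - 1
g = 3
NBYTES = (N.bit_length() + 7) // 8

def H(*parts):
    """SHA-256 over fixed-width integers and raw byte strings, as an integer."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p.to_bytes(NBYTES, "big") if isinstance(p, int) else p)
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier

def private_x(salt, user, password):
    """Password-derived exponent; only the client side ever computes this."""
    return H(salt, hashlib.sha256(user + b":" + password).digest())

def enroll(user, password):
    """The server side stores (salt, verifier) only, never the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, user, password), N)

def exchange(user, typed_password, salt, v):
    """One login. Returns (client_K, server_K, proof_ok, relay_view)."""
    a = secrets.randbelow(N - 2) + 1          # client ephemeral secret
    A = pow(g, a, N)
    b = secrets.randbelow(N - 2) + 1          # server ephemeral secret
    B = (k * v + pow(g, b, N)) % N
    if A % N == 0 or B % N == 0:              # mandatory SRP abort conditions
        raise ValueError("illegal public value")
    u = H(A, B)                               # scrambling parameter
    x = private_x(salt, user, typed_password)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    S_server = pow(A * pow(v, u, N) % N, b, N)
    K_client, K_server = H(S_client), H(S_server)
    M1 = H(A, B, K_client)                    # client's proof that it holds K
    proof_ok = M1 == H(A, B, K_server)        # server verifies the proof
    # Everything that crosses the channel; no password, x, a, b or K appears.
    relay_view = {"user": user, "salt": salt, "A": A, "B": B, "M1": M1}
    return K_client, K_server, proof_ok, relay_view
```

Because `a` and `b` are fresh for every login, each session derives a different key even when the password is unchanged, which is the property the forward-secrecy bullet relies on.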
How can I be sure that what you say about BitTorrent Remote privacy is true?
I still don't trust BitTorrent Remote. I'm going to (not update/switch clients/use the regular WebUI).
BitTorrent Remote is still in beta, so the details will continue to evolve. We've seen enough interest in the project and questions about privacy that we felt it was time to describe the general approach. We hope to help our users make an informed choice about their privacy by being transparent about our goals and making the preservation of our users' privacy a guiding design principle.