Question regarding rclone security when using hubic storage

What is the problem you are having with rclone?

Hello.

I have one question regarding rclone security when using hubic storage.
I didn't find an exact answer after doing some searching in rclone doc and forum, in the offical hubic doc, or by using the -vv (super verbose) parameter.

I installed rclone 1.52.0 on Windows 10. I setup an hubic connection with default options and autoconfigure as indicated in the rclone doc. It's working fine and I'm able to manage my remote storage.

Now I have some basic question regarding security of the connection in order to avoid a "man in the middle" interception.

1- When rclone first requested the hubic token, was the connection secured (for ex tls, https or ssh) from beginning to end ? It seems to be the case since the URL used in browser to grant access to hubic was in https; but Firefox told me that some part of the page were not protected by https so I'm not 100% sure.

2- When rclone connects to hubic and sends its credentials, is the connection also secured ? Or are the credentials sent in visible format ?

3- When rclone is sending files to hubic, is the connection also encrypted as it is when using the official hubic client ? Or should I add a protected tunnel (such as ssh) by myself ?

Many thanks for your answer.

What is your rclone version (output from rclone version)

1.52.0

Which OS you are using and how many bits (eg Windows 7, 64 bit)

Windows 10 64 bit

Which cloud storage system are you using? (eg Google Drive)

Hubic

The command you were trying to run (eg rclone copy /tmp remote:tmp)

Paste command here

The rclone config contents with secrets removed.

Paste config here

A log from the command with the -vv flag

Paste  log here

Everything happens over HTTPS so it's secured.

The few exceptions are certain backends like FTP which are clear text and HTTP which is also clear text.

Minus those exceptions, everything is HTTPS.

...you can check this for yourself by using -vv --dump headers which will show all the transactions are https.

Thanks Animosity022 and ncw for your answer.

I tested with below command :
``lsd -vv --dump headers MYREMOTE:

I pasted below the debug result I got.
Unless I'm mistaken, I see only HTTP requests, not HTTPS.
Am I wrongly interpretating the debut output or is there a missing security parameter that I should configure somewhere ?

Thanks for your feedback.

DEBUG OUTPUT :

2020/06/22 07:46:49 DEBUG : You have specified to dump information. Please be noted that the Accept-Encoding as shown may not be correct in the request and the response may not show Content-Encoding if the go standard libraries auto gzip encoding was in effect. In this case the body of the request will be gunzipped before showing it.
2020/06/22 07:46:49 DEBUG : >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2020/06/22 07:46:49 DEBUG : HTTP REQUEST (req xxxxxxxxxxxx)
2020/06/22 07:46:49 DEBUG : GET /1.0/account/credentials HTTP/1.1
Host: api.hubic.com
User-Agent: rclone/v1.52.0
Authorization: XXXXXXXXXXXXXXX
Accept-Encoding: gzip

2020/06/22 07:46:49 DEBUG : >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2020/06/22 07:46:50 DEBUG : <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
2020/06/22 07:46:50 DEBUG : HTTP RESPONSE (req xxxxxxxxxxxx)
2020/06/22 07:46:50 DEBUG : HTTP/1.1 200 OK
Transfer-Encoding: chunked
Access-Control-Allow-Origin: *
Cache-Control: private
Content-Type: application/json; charset=utf8
Date: Mon, 22 Jun 2020 05:46:49 GMT
Server: nginx/1.4.7
Set-Cookie: SERVERID403=xxxxxxxx|xxxxx|xxxxx; path=/
Strict-Transport-Security: max-age=xxxxxxxx
X-Iplb-Instance: xxxxx

2020/06/22 07:46:50 DEBUG : <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
2020/06/22 07:46:50 DEBUG : Hubic: Got swift credentials (expiry 2020-06-23 07:29:22 +0200 CEST in 23h42m31.9137101s)
2020/06/22 07:46:50 DEBUG : >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2020/06/22 07:46:50 DEBUG : HTTP REQUEST (req xxxxxxxxxxxx)
2020/06/22 07:46:50 DEBUG : GET /v1/AUTH_xxxxxxxxxxxx?format=json&limit=xxxxx HTTP/1.1
Host: xxxxxx.hubic.ovh.net
User-Agent: rclone/v1.52.0
X-Auth-Token: XXXXXXXXX
Accept-Encoding: gzip

2020/06/22 07:46:50 DEBUG : >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2020/06/22 07:46:50 DEBUG : <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
2020/06/22 07:46:50 DEBUG : HTTP RESPONSE (req xxxxxxxxxxxx)
2020/06/22 07:46:50 DEBUG : HTTP/1.1 200 OK
Content-Length: xxxxx
Accept-Ranges: bytes
Content-Type: application/json; charset=utf-8
Date: Mon, 22 Jun 2020 05:46:50 GMT
X-Account-Bytes-Used: xxxxxxxxxxxxx
X-Account-Container-Count: xx
X-Account-Meta-Quota: xxxxxxxxxxxx
X-Account-Meta-Temp-Url-Key: xxxxxxxxxxxx
X-Account-Object-Count: xxxxx
X-Account-Storage-Policy-Policy-1-Bytes-Used: xxxxxxxxxxxxx
X-Account-Storage-Policy-Policy-1-Container-Count: xx
X-Account-Storage-Policy-Policy-1-Object-Count: xxxxx
X-Iplb-Instance: xxxxx
X-Openstack-Request-Id: xxxxxxxxxxxx-xxxxxxxx
X-Timestamp: xxxxxxxxxxxx.xxxxx
X-Trans-Id: xxxxxxxxxxxx-xxxxxxxx

2020/06/22 07:46:50 DEBUG : <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

Sorry, my mistake! I thought it showed the port number it was connecting to but it doesn't :frowning:

I guess you could try netstat -tnp | grep rclone and it will show you the ports that it is connected to.

Thanks ncw for your suggestion to use netstat command.

I used netstat -ab and found several lines like below one in the output :
TCP xxx.xxx.x.xx:xxxxx xxx.xxx.xxx.xxx:https ESTABLISHED
[rclone.exe]

So I have confirmation that my install of rclone is indeed using https.

Great. That is what I thought but always good to do the experiment :slight_smile: