Rclone 1.53.3 release

Hi Nick, we are human beings and make mistakes, so thanks very much for taking this seriously and telling us about it.

First of all I ran the passwordchecker; its result was:

*** 1 Insecure passwords found

You recommend creating a new crypt remote repo and uploading the data again. I just changed the key using rclone config, with the generate option (using rclone 1.53.3).

Then I ran the passwordchecker again and the result was:

*** No insecure passwords found

Is this procedure correct too?

Thanks very much...

This doesn't secure the already uploaded data. Anyone can decrypt that if they know about this vulnerability. That is why the recommendation is to re-upload the data after updating the config file.

1 Like

I would like to understand exactly how anyone can decrypt the data.
Really, how much at risk is my crypted data?

What would they need?

  • the rclone.conf
    and/or
  • a sample crypted file

Then what program would be used to obtain my password and salt?

Thanks,

You'd need these things to happen:

  1. you have a weak password as identified by the checker
  2. your adversary gets a copy of your data somehow (breaks into your google account?)
  3. your adversary spends a few CPU weeks finding out which weak password your data is encrypted with

Point 1) we can check for. 2) The risk is hard to quantify here. 3) is not trivial, but not super hard for a determined adversary.

They would need a sample crypted file. They would not need the rclone.conf.

One that hasn't been written as far as I know.

2 Likes

Sorry, just to make sure I do this right: for something like this, we'd want to ensure that server_side_across_configs = true is FALSE, right?

Yes, you definitely want that false.

1 Like

Well, now I've officially interacted with the legendary ncw. Thank you for blessing us with rclone!

3 Likes

@ncw

Thank you!

One question about this:

So if an earlier version like 1.48, 1.47, etc. was used, then it's unaffected? Basically it was only a problem that was introduced starting with 1.49+? Because the earlier versions did also have the generate option, so I just wanted to be sure. Thanks.

Yes, that is correct.

Yes, the problem was introduced when refactoring the code, which landed in the 1.49 release.

If you want to know for certain then use the checking tool.

@ncw

Can't get this to work on Ubuntu Desktop 18.04 LTS:

rclone v1.53.1

  • os/arch: linux/amd64
  • go version: go1.15

plex@Intelnuc:~$ ./passwordcheck /home/plex/.config/rclone/rclone.conf
2020/11/30 11:17:17 found 4 remote definitions
2020/11/30 11:17:17 found 0 passwords generated by rclone config which need checking
2020/11/30 11:17:17 ignored 0 passwords not generated by rclone config
2020/11/30 11:17:17 ignored 3 passwords less than 64 bits
2020/11/30 11:17:17 No passwords to check found in config file - did you use the right file?

The rclone.conf file is at the correct place.

What am I missing here?

Nothing. From the output, it worked.

Ok, but I don't understand why the output shows:

2020/11/30 11:17:17 No passwords to check found in config file - did you use the right file?

I do have a password for my encrypted content.

Note the line above it.

1 Like
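Two things in this thread are checks an owner can run against their own rclone.conf: the advice that server_side_across_configs must be false before re-uploading, and the passwordcheck run that reports which crypt passwords need checking. The Go program below is an added example, not rclone's code and not the official passwordcheck tool: it parses an rclone.conf-style file, and for every remote of type crypt it reports the password fields that are set (password is the key, password2 the salt, as the thread calls them) and flags server_side_across_configs = true. It does not judge password strength; that is what the real checker does. The sample config, the remote names and the placeholder password values are constructed for the example, and the affected range 1.49 through 1.53.2 is inferred from the thread (introduced in 1.49, fixed in the 1.53.3 release the thread is about).

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Remote is one [section] of an rclone.conf file with its key = value pairs.
type Remote struct {
	Name string
	Keys map[string]string
}

// Finding is one item the audit wants a human to look at.
type Finding struct {
	Remote string
	Issue  string
}

// sampleConf is a constructed rclone.conf; the remote names and the
// placeholder password values are invented for this example.
const sampleConf = `# constructed sample config, not a real one
[gdrive]
type = drive
token = {"access_token":"REDACTED"}

[secret]
type = crypt
remote = gdrive:backup
password = OBSCURED_PASSWORD_PLACEHOLDER
password2 = OBSCURED_SALT_PLACEHOLDER
server_side_across_configs = true

[plain]
type = local
`

// parseConf reads the INI-style layout rclone uses: [name] headers followed
// by key = value lines. Blank lines and comments are skipped.
func parseConf(text string) []Remote {
	var remotes []Remote
	cur := -1 // index of the section currently being filled
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, ";") {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			remotes = append(remotes, Remote{Name: line[1 : len(line)-1], Keys: map[string]string{}})
			cur = len(remotes) - 1
			continue
		}
		key, val, ok := strings.Cut(line, "=")
		if !ok || cur < 0 {
			continue // not a key = value line, or no section header seen yet
		}
		remotes[cur].Keys[strings.TrimSpace(key)] = strings.TrimSpace(val)
	}
	return remotes
}

// auditCrypt looks only at remotes of type crypt. For each it lists the
// password fields that are set (password is the key, password2 the salt), so
// the owner knows which values to run through the passwordcheck tool and, if
// they came from rclone config's generate option in 1.49 through 1.53.2
// (range inferred from the thread), to rotate and then re-upload the data.
// It also flags server_side_across_configs = true, which the thread says
// should be false.
func auditCrypt(remotes []Remote) []Finding {
	var out []Finding
	for _, r := range remotes {
		if r.Keys["type"] != "crypt" {
			continue
		}
		for _, field := range []string{"password", "password2"} {
			if r.Keys[field] != "" {
				out = append(out, Finding{r.Name, field + " is set: check it with passwordcheck; if it was generated by rclone 1.49-1.53.2, rotate it and re-upload the data"})
			}
		}
		if strings.EqualFold(r.Keys["server_side_across_configs"], "true") {
			out = append(out, Finding{r.Name, "server_side_across_configs = true: set it to false before re-uploading"})
		}
	}
	return out
}

func main() {
	for _, f := range auditCrypt(parseConf(sampleConf)) {
		fmt.Printf("[%s] %s\n", f.Remote, f.Issue)
	}
}
```

Run against the constructed sample it reports three findings, all for the crypt remote named secret; the drive and local remotes produce nothing, since the weakness the thread discusses only matters for crypt passwords. To use it on a real file, replace sampleConf with the contents of your own rclone.conf.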