Rclone 1.53.3 release

Esteban · November 23, 2020, 8:12pm

Hi Nick, we are human being and make mistakes, so thanks very much for taking this seriously and telling us about it.

First at all I run the passwordchecker, it result was:

*** 1 Insecure passwords found

You recommend create a new crypt remote repo, and upload the data again. I just changed the key using rclone config, with generate option (using rclone 1.53.3)

Then run de passwordchecker again and the result was:

*** No insecure passwords found

Is this procedure correct too?

Thanks very much...

darthShadow · November 23, 2020, 8:45pm

This doesn't secure the already uploaded data. Anyone can decrypt that if they know about this vulnerability. That is why the recommendation is to re-upload the data after updating the config file.

asdffdsa · November 23, 2020, 9:01pm

i would like to understand exactly how anyone can decrypt the data.
really, how much at risk is my crypted data?

what would they need?

the rclone.conf
and/or
a sample crypted file

then what program would be used to obtain my password and salt?

thanks,

ncw · November 23, 2020, 9:26pm

You'd need these things to happen

you have a weak password as identified by the checker
your adversary gets a copy of your data somehow (breaks into your google account?)
your adversary spends a few CPU weeks finding out which weak password your data is encrypted with

Point 1) we can check for. 2) risk is hard to quantify here 3) is not trivial but not super hard for a determined adversary

Then would need a sample crypted file. They would not need the rclone.conf

One that hasn't been written as far as I know.

AxeMAN · November 27, 2020, 3:32pm

Sorry - Just to make sure I do this right - for something like this, we'd want to ensure that the
server_side_across_configs = true is FALSE, right?

ncw · November 27, 2020, 3:35pm

Yes you definitely want that false.

AxeMAN · November 27, 2020, 3:51pm

Well, now I've officially interacted with the legendary ncw. Thank you for blessing us with rclone!

aidyn · November 28, 2020, 3:47am

@ncw

Thank you!

One question about this:

So if an earlier version like 1.48... 1.47 etc. was used, then it's unaffected? Basically it was only a problem that was introduced starting with 1.49+? Because the earleir versions did also have the generate option so I just wanted to be sure. Thanks.

ncw · November 28, 2020, 12:49pm

Yes, that is correct.

Yes the problem was introduced when refactoring the code which landed in the 1.49 release.

If you want to know for certain then use the checking tool

Morphy · November 30, 2020, 10:19am

@ncw

Cant get this to work on Ubuntu Desktop 18.04LTS:

rclone v1.53.1

os/arch: linux/amd64
go version: go1.15

plex@Intelnuc:~$ ./passwordcheck /home/plex/.config/rclone/rclone.conf
2020/11/30 11:17:17 found 4 remote definitions
2020/11/30 11:17:17 found 0 passwords generated by rclone config which need chec king
2020/11/30 11:17:17 ignored 0 passwords not generated by rclone config
2020/11/30 11:17:17 ignored 3 passwords less than 64 bits
2020/11/30 11:17:17 No passwords to check found in config file - did you use the right file?

The rclone.conf file is at the correct place .

What am I missing here?

Animosity022 · November 30, 2020, 12:24pm

Nothing. From the output, it worked.

Morphy · November 30, 2020, 12:36pm

Ok but I dont understand why the output shows:

2020/11/30 11:17:17 No passwords to check found in config file - did you use the right file?

I do have a password for my encrypted content.

Animosity022 · November 30, 2020, 12:53pm

Note the line above it.

system · January 30, 2021, 8:53am

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.