Synergy-core: Encryption should not be a Pro feature

Created on 20 Jan 2017 · 19 Comments · Source: symless/synergy-core

I'm opening this issue to start a discussion among the developers of this app regarding something I feel very strongly about: in this day and age, secure operation for any application should absolutely not be an extra/premium/pro feature.

Last year, cybersecurity came to the forefront of the minds of the public who began to feel more than ever its huge rippling effects in global politics, freedom, and personal safety. The push towards HTTPS for all websites continued, while end-to-end encrypted chat came into the mainstream with Whatsapp, Signal, and others. Apple introduced a new policy of no longer even accepting apps in its app stores that don't use TLS encryption to connect to external services. Users now have an expectation of privacy and security by default for anything they use (free, paid, or "pro"), and they are right to.

When you have tiered pricing plans where one of your "extra" features is encryption, effectively what you're saying is that users can pay $19 for your software, but it's $10 extra for that software not to become a giant gaping hole in their computer's security that lets anyone sitting next to them in a cafe log their keystrokes and steal their identity.

Not only is that dangerous for anyone using your "Basic" version, but I don't think it sends the message you want to your users.

enhancement

All 19 comments

Honestly, this project is not maintained enough to really consider buying it right now anyway. It's mind-boggling to me that someone hasn't just forked it and added HTTPS communication at this point.

The project is open-source, so you can modify and compile it as you please. SSL/TLS is implemented already in Synergy via OpenSSL too, just not enabled if not using a Pro license (but GitHub is where programmers live, so it's not a big problem). Anyway, the cafe scenario is silly considering you're bringing two computers in. So yeah, either compile it yourself or skip out on a few coffees, then buy a lifetime license.

This is currently being considered. I don't think anyone disagrees in principle. We should be able to give you more information on this by the end of the month.

I created a fork that removes the license requirement just for the SSL support if you're interested. I tried to be as minimally invasive as possible so that the same patch can survive across releases. I still stand by that it should be a standard feature supported by synergy.

I think that if a business were to be buying the software, they would be paying the extra $10 for the support, and not for the encryption.

Encryption should be standard. I want my applications to be secure, and not to introduce security holes.

I'm risking a bit here, but I think it's a fine way to drive sales. People can test it out unencrypted, then decide that software has a cost and pay for it. I think the security feature is an interesting way to encourage people to support the software authors. - edit - I sit corrected; too many people won't just use it as a test and will actually deploy in a live environment before paying. For what it's worth, I wasn't trying to argue against the encryption. I'm all for good security practices; if you're going to use it in a live environment it absolutely needs to be encrypted.... but I agree, people often deploy w/o thinking carefully and will leak passwords inadvertently, even if it's a background app that isn't behaving. It's too easy for data to get out if it's not encrypted by default.

@PlatoCantCode One of the fundamental principles of usable security is that the easiest choice should be the secure choice. Installing the free basic client is the easiest choice, so it should be secure.

If you want to make money while encouraging secure practices, consider requiring users to pay to disable encryption.

> Anyway, the cafe scenario is silly considering you're bringing two computers in. So yeah, either compile it yourself or skip out on a few coffees, then buy a lifetime license.

Or you have synergy server autostart on your laptop because you hook it up to your main PC at home or in office.

> I'm risking a bit here, but I think it's a fine way to drive sales. People can test it out unencrypted, then decide that software has a cost and pay for it. I think the security feature is an interesting way to encourage people to support the software authors.

People undervalue and/or underestimate the importance of security; making it more difficult (and more expensive) to securely set up Synergy doesn't sound like a good idea to me.

I don't even see the point unless you're using Synergy over the Internet, which makes no sense. I don't need encryption on my LAN.

@Frogging101 You're forgetting things such as corporate and public networks, you have no idea who's listening in. And even on my home network I'd want that extra layer of security as well.

@Frogging101 some of the biggest hacks that have taken place were people just monitoring unencrypted LAN traffic. As Synergy supports copy/pasting between devices, I would say it is VERY important to mask passwords and such that could be floating between machines at any given time.

Security should not be a paid-for add-on. It should be a basic feature of the product.

The first reaction my colleague made when I told him I was using Synergy, was "Let's start Wireshark".
I'm even thinking non-ssl traffic should not be supported (unless synergy is started with the '--insecure'-option).
Having unencrypted passwords and such flying over a LAN is a gaping security issue and should not even be supported.

Let the record show: for the first time in history, a person was convinced by thoughtful and intelligent conversation in a forum. Encryption should NOT be a pro feature.

@Frogging101 Since nobody else has I'll chime in and say this: you absolutely do need encryption on your LAN. How many devices do you have connected to it? Would you trust all of them with your most sensitive data? I don't think so. Security cameras, printers, smart fridges, DVRs, etc. are being hacked constantly these days since they don't get nearly the same security attention that e.g. your main Apple or Microsoft devices do. On top of that, how strong is your Wi-Fi password? How many guests have you given it to? Not to sound overly paranoid, obviously we're talking worst case scenarios here. But if you trust your LAN, you're foolishly putting your eggs in the blind luck/nobody-cares-enough-to-hack-you basket. It's much better to put eggs in the math/crypto basket.

Hey everyone, good news, we'll be moving SSL to Synergy Basic in version 2.

Yay, thanks @nbolton. Is there a timeline on v2?

Thank you @nbolton

Kudos for doing the right thing! @nbolton
