After I bought this device, six months ago, I didn’t really bothered sharing it over the internet because I had made a few trials and it felt like my home adsl wasn’t speedy enough to handle this gracefully, and this was made even more complicated by my ISP which insists to charge me an indecent amount of money for the privilege of a static IP address. So I simply shut off the server and used it as a lan harddrive.
But since a couple of weeks, I’m connected with FTTH, and my upload speed being now very comfortable, I have been more willing to put up the extra effort to create a smooth home cloud experience for me. So I hacked a few things here and there, notably I set up a certificate based ssh connection to be able to remotely mount the drive on my linux file system with sshfs (works a treat), set up various things to keep track of my ip address, which is still dynamic , and I’m generally happy as a clam in spite of the 4.04.00-303 upgrade that nearly ended up in disaster.
Now, to the point of my question : I have also opened the remote access to be able to use my files from my android phone with the WD client app, and with mycloud.com website from any computer. This works well. Extremely well. Maybe a bit too well. My question is, WHO can read my files too ? I’d have wished a fully secure point-to-point VPN, but the fact we can share files to the world with a simple URL by mail questions me. Do WD has full access to the unencrypted files ? How does remote access work for people not being logged ? Do they receive files from the drive in clear form ? Is it possible for someone to hack remotely into a drive by forging a phony URL ?
Or to sum it up, should I shut down remote access and only connect via ssh ?
Nobody can read your files not even WD unless of course you give them access. Your files are being transferred via SSL.
IMHO the remote access is more secure than SSH. If your remote access account has been compromised, chances only one account is affected, but if your SSH is compromised, the whole drive is at risk. Open SSH to the net only if you know what you’re doing, read the webhosting link in my signature, there’s a new guide which covers how to really secure your SSH/FTP on the WDMyCloud.
Thank you for your reply. Never mind my ssh access, although I wouldn’t call it unbreakable (because history taught us to refrain from such claims since the unsinkable Titanic), it’s set up passwordless with the state of the art security.
My concern is about the way access to our personal devices is handled by WD through the mycloud.com website. “Nobody can read your files not even WD unless of course you give them access” is precisely what worries me. I seems the rest api gives them a very wide access indeed.
Yeah I setup mine to password-less and also off the root password access. It’s very scary to see the attempts to break SSH from the logs which I’ve been blocking.
The REST API works with unique tokens. If you don’t share anything using the URL then no newer tokens generated. The tokens need to match the filenames that you shared. If you’re using the remote access, it’s also protected by unique hashed credentials via WebDAV.
Or do you mean those peeps at WD can see your files? They only provide the authentications match between your NAS and wdmycloud.com, once authenticated you’re directly connected to your NAS unless you’re being relayed. Even relayed, they can’t see your files because it’s tunneled via SSL layer.
, and I’m generally happy as a clam in spite of the 4.04.00-303 upgrade that nearly ended up in disaster.