µTorrent Remote Beta Privacy FAQ

I'm concerned that the µTorrent Remote servers see and keep a record of all of my torrent activity. Why should I use a service that exposes my private information?

The µTorrent Remote servers do not see the details of your torrent activity. If you add a torrent, for example, we know that a torrent was added, but not the torrent URL or infohash.

How is this so? µTorrent Remote uses a cryptographic protocol called SRP, the Secure Remote Password protocol. SRP is an authentication and key-exchange protocol. In µTorrent Remote, your web browser serves as the client and your µTorrent client as the server. The µTorrent Remote servers act only as a channel between the two.

When you log in to µTorrent Remote, your browser uses JavaScript to authenticate to your client, without ever sending the password over the connection. As a byproduct of this authentication, SRP allows each side (browser and µTorrent client) to independently arrive at the same value for a cryptographically strong secret. This secret is then used as a session key to encrypt the body of the request (which contains the infohashes, URLs, etc.) using the AES encryption standard. This occurs entirely in your web browser, before the request is sent to µTorrent Remote for proxying to your µTorrent client.

SRP has two other features worth mentioning:

  1. An attacker or intermediary who has access to the entire SRP negotiation should gain no information that would enable him to recover the password. It is effectively a zero-knowledge proof (http://en.wikipedia.org/wiki/Zero-knowledge_proof) to the server that the client has the password.
  2. SRP provides perfect forward secrecy (http://en.wikipedia.org/wiki/Perfect_forward_secrecy): even if an adversary is somehow able to compromise your password, that will not allow the decryption of past sessions. Conversely, if a session key is compromised, it will not allow an attacker to recover the password.
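As an added illustration of the exchange described above (example code, not µTorrent's own), here is a minimal SRP-6a key agreement in Python: the browser and the µTorrent client each derive the same session key, while the relay in the middle sees only A, B and the proof M, and never the password. The group, hash function and password-to-key derivation are assumptions, not details taken from µTorrent Remote; the AES step that uses the resulting key is omitted.

```python
import hashlib
import secrets

# 1024-bit SRP group from RFC 5054 Appendix A (assumed; any SRP group works alike).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8

def pad(x: int) -> bytes:
    return x.to_bytes(NLEN, "big")

def H(*parts: bytes) -> int:
    # SHA-256 stands in for the hash function (assumption; the page does not name it).
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

k = H(pad(N), pad(g))  # SRP-6a multiplier parameter

def private_key(username: str, password: str, salt: bytes) -> int:
    return H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())

def make_verifier(username: str, password: str):
    """Enrollment: the µTorrent client keeps (salt, v); the password itself is never stored."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_key(username, password, salt), N)

def srp_exchange(username: str, password: str, salt: bytes, v: int):
    """One login. Returns the relay-visible transcript and each side's session key."""
    a, b = secrets.randbelow(N), secrets.randbelow(N)   # ephemeral secrets, never sent
    A = pow(g, a, N)                                     # browser -> relay -> client
    B = (k * v + pow(g, b, N)) % N                       # client -> relay -> browser
    if A % N == 0 or B % N == 0:                         # standard SRP abort condition
        raise ValueError("degenerate ephemeral value")
    u = H(pad(A), pad(B))
    x = private_key(username, password, salt)            # browser side only
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    S_server = pow(A * pow(v, u, N) % N, b, N)
    K_client = hashlib.sha256(pad(S_client)).digest()    # becomes the AES session key
    K_server = hashlib.sha256(pad(S_server)).digest()
    M = hashlib.sha256(pad(A) + pad(B) + K_client).digest()  # browser's proof of K
    return {"A": A, "B": B, "M": M}, K_client, K_server
```

A wrong password makes the two sides derive different keys, so the login fails at the proof step rather than by comparing passwords.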

How can I be sure that what you say about µTorrent Remote privacy is true?

The easiest way to check is to use a tool like Firebug. Observe the Ajax requests and note that each request and response body is hex-encoded ciphertext. If you set breakpoints in Firebug's JavaScript debugger, you can call the same encryption/decryption functions µTorrent Remote does and recover the plaintext. This will confirm that we're sending regular µTorrent WebAPI requests, subject to some modifications -- e.g. moving torrent infohashes and URLs out of the query string and into the request body -- in order to keep your data private.

You can also use a tool like Wireshark, but you won't be able to decrypt the bodies. You're also welcome to read the µTorrent Remote JavaScript source to verify that it works as described.

I still don't trust µTorrent Remote. I'm going to (not update/switch clients/use the regular WebUI).

We understand that µTorrent Remote is not going to be a good fit for everyone. If you don't want to use it, just leave "Enable Remote Access" unchecked in your µTorrent preferences and we won't send requests to the µTorrent Remote servers. If you'd like to use the regular WebUI instead, do so. We plan to merge some of the µTorrent Remote user interface improvements back into it so that our standalone WebUI users can also enjoy an improved µTorrent Remote experience.

µTorrent Remote is still in beta, so the details will continue to evolve. We've seen enough interest in the project and questions about privacy that we felt it was time to describe the general approach. We hope to help our users make an informed choice about their privacy by being transparent about our goals and making the preservation of our users' privacy a guiding design principle.