Why is Cryptomator contacting an external IP address?

Hi,
we are testing before working productively:

When generating a new vault/opening Cryptomator, our firewall notifies us of the following:

  1. Cryptomator.exe is trying to contact 185.170.112.120 (TCP, port 443)
  2. Cryptomator then contacts 127.0.0.1 (TCP, port 55536)
  3. Cryptomator then contacts 127.0.0.1 (TCP, port 55566, 55602, 55618, 56208, 56251, 56271 as well as 56278 and so forth)

As you correctly advertise “No backdoors, no registration”, many users would appreciate if you could explain why these (especially external) IP(s) (i.e. 185.170.112.120) are contacted.

It would be great if you could precisely elaborate on this, because, after all, the aim of using Cryptomator is to secure data :)
Thanks a lot.

Cryptomator is checking for updates, see cryptomator/ui/controllers/WelcomeController.java#L115.

You can deactivate the update checker in the settings.

I’m honestly not exactly sure about the other ports because the default port for the localhost WebDAV connection should be 42427, see cryptomator/common/settings/Settings.java#L31.

WebDAV is used to provide the virtual drive, see Security Architecture (Virtual Filesystem). This will change in the future because we’re going to use Dokany, see GitHub Issue 207.

The only thing that I can think of right now is that the InterProcessCommunicator may cause these warnings. It’s there to check if another instance of Cryptomator is running. But I always assumed that the port is actually a file. Maybe @overheadhunter knows more about that.

Thanks. Would be great to have some details here.
Also, another security related topic: Cryptomator leads to new network device. Risk of exposure?

Dear @overheadhunter, do you or anyone from Cryptomator’s team have any security-relevant explanations for this IP address behaviour?

To enhance trust it would probably be wise to make this clear to all users.
Thanks

@tobihagemann already explained everything.

185.170.112.120 is the former IP address of the server hosting the update check file. In the meantime the server’s IP changed to 51.15.49.138.

All ports above 49152 are dynamic ports assigned by your operating system for local inter-process communication.

So what is it that you consider unanswered?

Thank you. In fact, we now have 51.15.49.138 contacted, which we understand is the update server.
That is clarified. Thank you.

So why is Cryptomator contacting 127.0.0.1 via multiple TCP ports, not only above port 49152, but also in the lower range, i.e. 42427?
Thanks

This has been answered here:

To summarize:

  • outgoing connection to update server on port 443 (can be disabled via settings)
  • incoming connection on 42427 for WebDAV clients (strictly bound to localhost only)
  • in- and outgoing inter-process communication on system-assigned ports (above 49152)
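Added example, not part of the original thread or Cryptomator's own code: a small Python check that sorts firewall log entries into the three flows from the summary above and flags anything else, plus a check that the WebDAV listener is bound to loopback only. The log line format, the function names and the address 203.0.113.7 are assumptions made for illustration; the IPs and ports are the ones quoted in the thread.

```python
import ipaddress
import re

# Addresses and ports as stated in the thread. The update server's address
# changed once already, so keep this set as maintained configuration.
UPDATE_SERVER_IPS = {"185.170.112.120", "51.15.49.138"}
WEBDAV_PORT = 42427        # default localhost WebDAV port
DYNAMIC_PORT_MIN = 49152   # start of the OS-assigned dynamic range
# Hypothetical log format: "<process> TCP <ipv4>:<port>"
LINE_RE = re.compile(r"^(?P<proc>\S+)\s+TCP\s+(?P<ip>[0-9.]+):(?P<port>\d+)$")

def classify(remote_ip: str, port: int) -> str:
    """Map one connection onto the three flows listed in the summary."""
    addr = ipaddress.ip_address(remote_ip)
    if addr.is_loopback:
        if port == WEBDAV_PORT:
            return "webdav-localhost"
        if port >= DYNAMIC_PORT_MIN:
            return "local-ipc"
        return "unexpected-loopback-port"
    if port == 443 and remote_ip in UPDATE_SERVER_IPS:
        return "update-check"
    return "unexpected-external"

def webdav_listener_ok(bind_ip: str) -> bool:
    """The WebDAV listener must be bound to a loopback address only."""
    return ipaddress.ip_address(bind_ip).is_loopback

def review(log_lines):
    """Return (line, verdict) pairs; lines that do not parse are flagged."""
    out = []
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        out.append((line, classify(m["ip"], int(m["port"])) if m else "unparsed"))
    return out

# Constructed sample log; 203.0.113.7 is a documentation address standing
# in for an unknown remote host.
SAMPLE_LOG = [
    "Cryptomator.exe TCP 51.15.49.138:443",
    "Cryptomator.exe TCP 127.0.0.1:42427",
    "Cryptomator.exe TCP 127.0.0.1:55536",
    "Cryptomator.exe TCP 127.0.0.1:8080",
    "Cryptomator.exe TCP 203.0.113.7:443",
]

if __name__ == "__main__":
    print(*review(SAMPLE_LOG), sep="\n")
```

Entries classified as `unexpected-*` or `unparsed` are the ones worth a manual look; the rest match the behaviour described in the thread.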

Thank you very much. Clarified.