Security Question: Why does 3HUB need to connect to S3HUB.s3.amazonaws.com?


gpx

Feb 11, 2012, 9:37:03 AM
to 3h...@googlegroups.com

To be sincere, I do not like to see any app that is supposed to transfer data from one computer to another connecting to 3rd party URLs. I would expect to see only connections to and from my own servers or URLs. While using LittleSnitch (firewall) I could see that 3HUB attempts to connect to S3HUB.s3.amazonaws.com, which is not a URL of Amazon ownership, but a bucket from your own app. Even if you might not be storing personal user data to such location, the usage of such tools for serious users will simply not happen. Users must trust 3Hub in such case. My experience dictates to never trust. Any security expert will agree with me.

Now, I do not see any reasons why you should connect to your own 3Hub bucket. Any transient or preference data could be placed on buckets of the users rather than a centralized one.

Please take my observation as a view from a cautionary user. A simple change to your software to ensure it connects only to users' buckets and servers would allow such relief. While many other apps connect to specific servers to be able to get some update information and notification, any app that is involved with transfer of personal data or files should not, by basic security principles.

Thanks

Gabriel Handford

Feb 13, 2012, 8:00:23 PM
to 3h...@googlegroups.com
3hub stores your friends list, automatic permissions and other preferences in a special bucket, that is only readable by you. This is so that no matter what computer you connect, these preferences are available. This was meant as a feature so that, for example, if you marked a bucket to auto include permissions whenever you upload that the correct permissions are set. Certain sharing features also rely on this bucket. In Preferences | Advanced, you'll see an option called 'Hide 3Hub bucket from view'. You can uncheck this and look at the permissions. 

I realize this is not desirable for some users, especially those that don't use or want these features. I can add a setting to disable this feature, so that it doesn't have to use this special bucket. The permissions on this bucket are carefully managed so that no information is readable by others. In fact, I think I'll probably make it opt-in, to reduce any confusion at all.

Thanks for your question and hopefully this will resolve your issue in the next release, which hopefully will be available in the next few weeks.
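
An added example, not part of the thread and not 3Hub's code: one way to check the "only readable by you" claim is to fetch the bucket's ACL as S3's `AccessControlPolicy` XML and list every grant held by anyone other than the owner. The sample ACL and the function name `non_owner_grants` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample ACL: the owner has FULL_CONTROL, plus a public READ grant.
SAMPLE_ACL = """<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Owner><ID>OWNER-CANONICAL-ID-PLACEHOLDER</ID><DisplayName>me</DisplayName></Owner>
  <AccessControlList>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID>OWNER-CANONICAL-ID-PLACEHOLDER</ID>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
        <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
      </Grantee>
      <Permission>READ</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>"""


def non_owner_grants(acl_xml):
    """Return (grantee_type, grantee, permission) for each grant not held by the owner."""
    root = ET.fromstring(acl_xml)
    owner_id = root.findtext(f"{S3_NS}Owner/{S3_NS}ID")
    findings = []
    for grant in root.iter(f"{S3_NS}Grant"):
        grantee = grant.find(f"{S3_NS}Grantee")
        gtype = grantee.get(XSI_TYPE, "unknown")
        # A grantee is identified by canonical ID, group URI, or e-mail address.
        who = (grantee.findtext(f"{S3_NS}ID")
               or grantee.findtext(f"{S3_NS}URI")
               or grantee.findtext(f"{S3_NS}EmailAddress")
               or "unidentified")
        if not (gtype == "CanonicalUser" and who == owner_id):
            findings.append((gtype, who, grant.findtext(f"{S3_NS}Permission")))
    return findings


if __name__ == "__main__":
    for gtype, who, perm in non_owner_grants(SAMPLE_ACL):
        print(f"non-owner grant: {perm} to {gtype} {who}")
```

An empty result means the ACL grants access to the owner only; it does not cover access granted through a bucket policy.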