Is ngrok a safe tool to use? I was reading a tutorial which recommended using ngrok to test API responses that I make to outside services that also need to connect to my endpoints.
7 Answers
There is no source code available for version 2.0, even though it started as an open source project in 2014. I am suspicious of any code that opens a tunnel to my localhost from the cloud. Pretty scary stuff, especially without source code!

It opens up a tunnel to your dev machine, which is partially secured by obscurity (a hard-to-guess subdomain), and can be further secured by requiring a password. But you're still opening yourself up to ngrok itself, and the company is completely opaque (no address, no employees, no business name, no LinkedIn presence; all I can find is that it has 1-10 employees and is private; not even sure what country it's based in). On top of that, the code is not open-sourced. No reason to think they're not legit, but not a lot of information available to build trust.
You may be able to use ngrok and other local tunnel services more securely by encrypting the traffic. See https://security.stackexchange.com/questions/177280/end-to-end-encryption-for-localtunnel-ngrok-setup/177357#177357 for more information.

- Seems that they are on LinkedIn now: https://www.linkedin.com/company/ngrok/people/ – IllusionVK Feb 03 '21 at 04:41
- This isn't entirely true. ngrok has been open source for quite some time: https://github.com/inconshreveable/ngrok – dio Aug 02 '21 at 00:58
- @dio -- ngrok *was* open source, until 1.7.1 (August 2015) based on https://github.com/inconshreveable/ngrok/tags ... See comment above: https://stackoverflow.com/a/46386973/1766230 – Luke Aug 03 '21 at 13:23
- I work for ngrok. We've grown a lot since this answer was first published, including raising a [series A](https://www.globenewswire.com/news-release/2022/12/13/2572855/0/en/ngrok-Raises-50M-in-First-Fundraise-to-Meet-Demand-for-Frictionless-Application-Ingress.html). We are a real company with real employees. Our platform and ngrok agent are still closed source, but we have started building open source agent libraries in [Go](https://github.com/ngrok/ngrok-go), [Rust](https://github.com/ngrok/ngrok-rs), and [JS](https://github.com/ngrok/ngrok-js) that you can use in your applications. – Russ Savage Feb 21 '23 at 19:01
I found a good rating, but vacuous information, here:
http://www.scamadviser.com/is-ngrok.com-a-fake-site.html
The kicker for me is
https://developer.atlassian.com/blog/2015/05/secure-localhost-tunnels-with-ngrok/
where the Atlassian folks recommend it highly.
I think I am going to use it.

- It's secure as long as you are using it for testing and not using it for something persistent. – Mohd Abdul Mujib May 13 '19 at 21:06
- Facts and opinions are not the same thing. You're citing opinions here. Security can't be based on opinions. The fact is that there is NOT end-to-end encryption from the internet client to the server on your PC. Some advise adding an extra encryption tunnel on top of all that, but that's literally missing the point of ngrok, which was simplicity. You'd better use socat to establish tunnels, even through a corporate http proxy. – Jérôme Radix Jun 14 '22 at 08:45
If anyone is concerned about compromising their development environment, you can use Docker. There are many ngrok/docker projects, but here is the one I chose: https://github.com/gtriggiano/ngrok-tunnel
For macOS, use `TARGET_HOST=docker.for.mac.localhost`.

- ngrok has an official docker image that they publish. It is available here: https://hub.docker.com/r/ngrok/ngrok – Russ Savage Feb 21 '23 at 18:43
- Running ngrok in Docker still gives you the security concerns of binary blobs, just in Docker. To me, the largest concern is handing your unencrypted traffic over to an anonymous third party, which will happen inside or outside a Docker container. I suppose it could be more difficult for the binary to see stuff on the host from a Docker container, but users can already use tools to observe the binary reading local files, scanning ports on your LAN, etc. Binary blobs will only obscure activity like this and will not hide it completely. – Synthead Feb 24 '23 at 04:59
They now offer a service where you locally run only ssh, so there is no need to run any of their code on your machine.
You run something like `ssh -R 80:localhost:8501 tunnel.us.ngrok.com http`. This connects to one of their hosts and forwards connections they receive back to your machine and the service you run on localhost:8501.
This seems secure to me; the only thing is that you don't know what information they collect and who is connecting to your exposed service. They print all connections, but it's their binary that does this, and someone might well listen in without you noticing. You can check connections on your end, but you cannot be sure who it is that connects.

- "the only thing is that you don't know what information they collect and who is connecting to your exposed service": this is the spooky part. Users have to put 100% trust in ngrok. Even if they're Doing The Right Thing (tm), what if they are compromised? There are always risks to giving your traffic to a third party, and they should certainly be considered when weighing privacy risks. – Synthead Feb 24 '23 at 05:04
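As an added example (not code from ngrok, nor from any of the answers above), the following Go program puts together two points made on this page: Luke's suggestion to encrypt the traffic end to end so the tunnel operator only ever handles ciphertext, and this answer's observation that behind `ssh -R 80:localhost:8501 ...` the local service only ever sees the forwarder, never the real caller. It assumes a 32-byte key shared out of band between the external service and the local endpoint, that the caller POSTs the sealed envelope as the request body, and that whatever `X-Forwarded-For` header arrives was set by the intermediary and cannot be checked locally. The request delivery is emulated with `net/http/httptest`; the key, route and event JSON are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Seal encrypts body under a 32-byte pre-shared key with AES-256-GCM and binds it to the
// request path via the additional data, so a blob captured on /webhook cannot be replayed
// to another route. The tunnel operator only ever sees base64(nonce || ciphertext || tag).
func Seal(key, body []byte, path string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, body, []byte(path))), nil
}

// Open reverses Seal. A bit flipped in transit, a forged blob or a replay against a
// different path fails the GCM tag check and returns an error instead of plaintext.
func Open(key []byte, blob, path string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	raw, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return nil, err
	}
	if len(raw) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], []byte(path))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // AES-256 for a 32-byte key; other lengths are rejected
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// PeerIsForwarder is true when the TCP peer we see is loopback. Behind `ssh -R 80:localhost:8501 ...`
// every connection is handed to us by the forward, so the observed address is never the caller's.
func PeerIsForwarder(remoteAddr string) bool {
	host, _, _ := net.SplitHostPort(remoteAddr)
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// Receiver is the service on localhost:8501 behind the tunnel.
type Receiver struct {
	Key  []byte
	Seen []string // one audit line per accepted request, built only from what we observed
}

func (rc *Receiver) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	blob, _ := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // bounded; a short read just fails Open below
	body, err := Open(rc.Key, strings.TrimSpace(string(blob)), r.URL.Path)
	if err != nil { // sender lacked the key: tunnel operator, subdomain guesser, or wrong-route replay
		http.Error(w, "unauthenticated payload", http.StatusUnauthorized)
		return
	}
	// X-Forwarded-For is whatever the intermediary asserts; record it as a claim, not a fact.
	rc.Seen = append(rc.Seen, fmt.Sprintf("peer=%s via_forwarder=%t xff_claimed=%q",
		r.RemoteAddr, PeerIsForwarder(r.RemoteAddr), r.Header.Get("X-Forwarded-For")))
	w.Write(body) // echo the decrypted event so the caller can confirm receipt
}

// DemoKey is constructed for this example; real deployments generate 32 random bytes and
// share them with the calling service out of band, never through the tunnel.
func DemoKey() []byte { return []byte("0123456789abcdef0123456789abcdef") }

func main() {
	rc := &Receiver{Key: DemoKey()}
	blob, err := Seal(rc.Key, []byte(`{"event":"payment.succeeded"}`), "/webhook")
	if err != nil {
		panic(err)
	}
	// Emulated tunnel delivery: a loopback peer plus an X-Forwarded-For we have no way to verify.
	req := httptest.NewRequest(http.MethodPost, "/webhook", strings.NewReader(blob))
	req.RemoteAddr, req.Header = "127.0.0.1:40022", http.Header{"X-Forwarded-For": {"203.0.113.9"}}
	w := httptest.NewRecorder()
	rc.ServeHTTP(w, req)
	fmt.Println(w.Code, w.Body.String(), rc.Seen[0])
}
```

Run it with `go run`. A blob replayed against another path, a flipped byte in the tag, or any body sent by someone who does not hold the key comes back as 401, and the audit line shows the loopback peer next to the intermediary's unverified claim. This does not make the tunnel operator trustworthy, it only removes the need to trust them with the plaintext and with the authenticity of what reaches your endpoint; the point in Jérôme Radix's comment stands, since you now run your own key exchange and envelope format on top of ngrok.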
I'm encountering a similar issue and found two solutions that work as far as viewing the application directly in a browser:
`ngrok http 8080 --host-header="localhost:8080"`
`ngrok http --host-header=rewrite 8080`
Obviously, replace 8080 with whatever port you're running on.
This solution still raises an error when I use it in an embedded page that pulls the bundle.js from the React app. I think, since it rewrites the header to localhost, when this is embedded it looks to localhost, which the app is no longer running on.
It opens up a tunnel to your dev machine, which is partially secured by obscurity (a hard-to-guess subdomain), and can be further secured by requiring a password. But you're still opening yourself up to ngrok itself, and the company is completely opaque (no address, no employees, no business name, no LinkedIn presence; all I can find is that it has 1-10 employees and is private; not even sure what country it's based in). On top of that, the code is not open-sourced. No reason to think they're not legit, but not a lot of information available to build trust.

- This seems to just repeat Luke's Aug 21, 2020 answer: please at least heed [How to reference 3rd party material](https://stackoverflow.com/help/referencing). – greybeard Mar 09 '23 at 14:58