this post was submitted on 30 Apr 2024
71 points (98.6% liked)

Open Source

31359 readers
424 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS
 

I'm curious about

  • editing on desktop
  • editing on mobile
  • whether or not you need to self host it
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 2 points 7 months ago* (last edited 7 months ago)

quoted from here https://docs.syncthing.net/users/security.html

Security Principles

Security is one of the primary project goals. This means that it should not be possible for an attacker to join a cluster uninvited, and it should not be possible to extract private information from intercepted traffic. Currently this is implemented as follows.

All device to device traffic is protected by TLS. To prevent uninvited devices from joining a cluster, the certificate fingerprint of each device is compared to a preset list of acceptable devices at connection establishment. The fingerprint is computed as the SHA-256 hash of the certificate and displayed in a human-friendly encoding, called Device ID....

Relay Connections

When relaying is enabled, Syncthing will look up the pool of public relays and establish a connection to one of them (the best, based on an internal heuristic). The selected relay server will learn the connecting device’s device ID. Relay servers can be run by anyone in the general public. Relaying defaults to on. Syncthing can be configured to disable relaying, or only use specific relays.

If a relay connections is required between two devices, the relay will learn the other device’s device ID as well.

Any data exchanged between the two devices is encrypted as usual and not subject to inspection by the relay.

Web GUI

If the web GUI is accessible, it exposes the device as running Syncthing. The web GUI defaults to being reachable from the local host only.


In Short

Parties doing surveillance on your network (whether that be corporate IT, the NSA or someone else) will be able to see that you use Syncthing, and your device IDs are OK to share anyway, but the actual transmitted data is protected as well as we can. Knowing your device ID can expose your IP address, using global discovery.

Protecting your Syncthing keys and identity

Anyone who can access the Syncthing TLS keys and config file on your device can impersonate your device, connect to your peers, and then have access to your synced files. Here are some general principles to protect your files:

If a device of yours is lost, make sure to revoke its access from your other devices.

If you’re syncing confidential data on an encrypted disk to guard against device theft, put the Syncthing config folder on the same encrypted disk to avoid leaking keys and metadata. Or, use whole disk encryption.

^ quoted from here https://docs.syncthing.net/users/security.html

I don't know of any particular security audits off the top of my head, but I know of a lot of very intelligent computer people who think Syncthing is reasonably trustable (as far as you can trust computers....).

Yes I know they can hack your home server but hey you can make it LAN only right?

Yes, Syncthing does not require internet just a local network, you can build a cabin in the middle of Alaska with no reception of any kind, hook up a solar panel, plug in a router, connect computers and phones with Syncthing software on them and BOOM you are in business. The devices will likely just show up as nearby device_ids that you can just click on in the web gui interface. It is enragingly simple given how obtuse, incompatible or insecure most other alternatives are.