I have been playing with Pulse. Looks neat. I have a few questions:
- Just to be clear: it is 100% safe to expose a Pulse instance to the internet, just like we would (for example) an sshd?
- Your docs state that the device IDs are not secret. So am I correct in thinking that the system remains secure because two nodes wishing to communicate must explicitly “approve” each other’s keys?
- What measures do you take to ensure that a device ID is unique? Can two nodes be allocated the same ID?
- Is there a command line interface?
Disclaimer: I’m still very new to Pulse, so take this with a grain of salt. If anything I’ve said is wrong, somebody please correct me. That said, I’m pretty confident about all this.
- Don’t assume anything is 100% safe. That said, it is pretty safe. The initial connection is handled by Go’s TLS package, which is pretty good; each node has a certificate, so nothing should get past Go’s TLS code unless it’s a node you’ve explicitly decided to connect with. You can read a bit more about security in @calmh’s post here.
- Yes. See above.
- The node ID is an encoding of the SHA-256 hash of the node’s certificate. The chance of someone being able to create a valid certificate that hashes to the same thing as your certificate is so astronomically small that it’s hard to explain it in a few words. Good thing @calmh did a good job of doing that already. Search for An Aside About Collisions.
- Yes, syncthing-cli.
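As an added example (not code from this thread or from Pulse/Syncthing itself), here is that ID derivation in Go, so the “not secret” point is concrete: the ID is a fingerprint of the certificate, and approving a node means pinning its certificate hash, so publishing the ID gives an attacker nothing unless they can also produce a certificate that hashes to it. The check-character and grouping layout (base32, four Luhn mod-32 check characters, eight groups of seven) is Syncthing’s as I know it from its source, not something the thread spells out; the byte string in main is a constructed stand-in for a real certificate’s DER (cert.Raw), and the pinning step is simply comparing DeviceID(peer.Raw) with the list of approved IDs.

```go
package main

import (
	"crypto/sha256"
	"encoding/base32"
	"strings"
)

// RFC 4648 base32 alphabet; the check characters are drawn from it too.
const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

// luhn32 returns the Luhn mod-32 check character for a string over alphabet.
func luhn32(s string) byte {
	factor, sum := 1, 0
	for i := 0; i < len(s); i++ {
		addend := factor * strings.IndexByte(alphabet, s[i])
		factor = 3 - factor // alternate weights 1,2,1,2,...
		sum += addend/32 + addend%32
	}
	return alphabet[(32-sum%32)%32]
}

// DeviceID: SHA-256 of the DER certificate, base32 (52 chars, padding dropped),
// 4 chunks of 13 each plus a check char, printed as 8 dash-separated groups of 7.
func DeviceID(certDER []byte) string {
	sum := sha256.Sum256(certDER)
	raw := strings.TrimRight(base32.StdEncoding.EncodeToString(sum[:]), "=")
	var parts []string
	for i := 0; i < 4; i++ {
		chunk := raw[i*13 : (i+1)*13]
		parts = append(parts, chunk[:7], chunk[7:]+string(luhn32(chunk)))
	}
	return strings.Join(parts, "-")
}

// Verify validates a typed-in ID: length, alphabet and all four check characters.
func Verify(id string) bool {
	s := strings.ReplaceAll(id, "-", "")
	if len(s) != 56 || strings.Trim(s, alphabet) != "" {
		return false
	}
	for i := 0; i < 4; i++ {
		if luhn32(s[i*14:i*14+13]) != s[i*14+13] {
			return false
		}
	}
	return true
}

func main() { println(DeviceID([]byte("constructed DER stand-in"))) } // constructed input, not a real cert
```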
Thanks for your response. That clears a few things up.