A few questions.

Hi,

I have been playing with pulse. Looks neat. I have a few questions:

  1. Just to be clear. It is 100% safe to expose a pulse instance to the internet, just like we would (for example) an sshd?

  2. Your docs state that the device IDs are not secret. So am I correct in thinking that the system remains secure because two nodes wishing to communicate must explicitly “approve” each other’s keys?

  3. What measures do you take to ensure that a device ID is unique? Can two nodes be allocated the same ID?

  4. Is there a command line interface?

Cheers!

Disclaimer: I’m still very new to Pulse, so take this with a grain of salt. If anything I’ve said is wrong, somebody please correct me. That said, I’m pretty confident about all this :smile:.

  1. Don’t assume anything is 100% safe. That said, it is pretty safe. The initial connection is handled by Go’s TLS package, which is pretty good; each node has a certificate, so nothing should get past Go’s TLS code unless it’s a node you’ve explicitly decided to connect with. You can read a bit more about security in @calmh’s post here.
  2. Yes. See above.
  3. The node ID is an encoding of the SHA-256 hash of the node’s certificate. The chance of someone being able to create a valid certificate that hashes to the same thing as your certificate is so astronomically small that’s it hard to explain it in a few words. Good thing @clamh did a good job of doing that already :smile:. Search for An Aside About Collisions.
  4. Yes, syncthing-cli.

Enjoy!

Thanks for your response. That clears a few things up.