Hi,
I need some clarification about global discovery and privacy. The documentation says:
Knowing the device ID doesn’t help you actually establish a connection to that device or get a list of files, etc.
(Should I keep my device IDs secret?)
And on the other hand, it states:
An eavesdropper on the Internet can deduce which machines are running Syncthing with global discovery enabled, and what their device IDs are.
The operator of the discovery server can map arbitrary device addresses to IP addresses, and deduce which devices are connected to each other.
And then:
Knowing your device ID can expose your IP address, using global discovery.
(Security Principles — Syncthing documentation)
Let’s say that Alice has a device A, and Bob has a device B. There is a device C acting as the global discovery server.
I understand that, based on the first statement, identifying which devices are connected to each other does not permit C to access data exchanged between devices A and B. A encrypts data with B’s ID, so C cannot decrypt the data because it lacks B’s private key. The same thing occurs in the opposite direction. Knowing ‘your IP address’ does not represent a security risk by itself.
Could you please confirm or correct what I understood? I ask because I think that the second and third statements mentioned above could leave some doubts for end users such as Alice and Bob.
I look forward to reading your comments.