Can a Global Discovery Server decrypt exchanged data?


I need some clarification about global discovery and privacy. The documentation says:

Knowing the device ID doesn’t help you actually establish a connection to that device or get a list of files, etc.

(Should I keep my device IDs secret?)

And on another side states:

An eavesdropper on the Internet can deduce which machines are running Syncthing with global discovery enabled, and what their device IDs are.

The operator of the discovery server can map arbitrary device addresses to IP addresses, and deduce which devices are connected to each other.

And then:

Knowing your device ID can expose your IP address, using global discovery.

(Security Principles — Syncthing documentation)

Let’s say that Alice has a device A, and Bob has a device B. There is the device C as global discovery server.

I understand that based on the first statement identifying which devices are conneced to each other does not permit C to access data exchanged between A and B devices. A encrypt data with the B’s ID, so C cannot decrypt data because lacks of B’s private key. The same thing occurs in the opposite way. The fact that knowing ‘your IP Address’ does not represent a security risk by itself.

Please could you confirm or correct what I understood? because I think that to end user the second and third statements mentioned above could leave some doubts to both Alice and Bob end users. :slight_smile:

I look forward to read you comments.

The first statement talks about authentication, the other two talk about privacy/knowledge that syncthing is being used and potentially privacy, as you can “follow” someone on the internet just by knowing their device id.

Not sure what else there is to clarify.

Answering the question in the subject, no. Discovery servers aren’t even in the data path, and of course, they couldn’t decrypt the data even if they were.

1 Like