The full device ID should never appear in the log, at least not by default. Non-tech-savvy users will post those logs as they are and could easily become a target of anonymous surveillance. Here’s how:
- A user has a phone with Syncthing on it. He syncs with his home PC and his work PC. It’s a pretty usual setup to simplify sending files to and from the device.
- One day this user has some issue with Syncthing, so he posts the log here with all device IDs fully visible. The issue is hopefully resolved and this is forgotten.
- But some malicious “hacker” (in quotes because it doesn’t really require any hacking skills) has copied those IDs and starts querying the discovery server for the IPs that correspond to them.
- Not only are the IPs (and hence the country of origin, or even the city) disclosed to anyone on the Internet. Soon the hacker notices that the IP of one device changes twice a day. It probably belongs to a mobile device that moves from one network to another, which is expected if the victim uses Wi-Fi at home and at work. Furthermore, if the work IP belongs to a relatively big corporation, it becomes trivial to find out where the victim works, and also when he leaves for work and gets back, i.e. when the house is empty. You know what I mean.
The worst thing is that each time you post your logs unredacted you invite the entire world to track you, anonymously and for free. Given that Syncthing positions itself as a secure and private alternative to other such services, this is completely unacceptable. Search this forum for lines like “Established secure connection to” and grab those IDs (yes, some people already redact them, but what about those who don’t? And if the log is long enough it’s easy to miss some of them), then make requests to https://discovery-v4.syncthing.net/v2/?device=XXXXXXX-XXXXXXX-… You’ll get all the victims’ external IPs. If you query once per hour it will cause no suspicion whatsoever, and that is often enough to see whether the addresses change.
My proposition:
- Only show the first group of the device ID in the log, i.e. the first 7 characters. That is absolutely enough to distinguish between a user’s devices and locate the issue. The full ID is almost never needed, as it’s pseudorandom and collisions should be extremely rare (36^-7 = 1/78364164096 ≈ 0.00000000001276).
- For the extremely rare case when it’s really needed, provide a command-line switch with a long and descriptive name to enable full ID logging. Something like --i-dont-care-about-privacy-and-surveillance-please-dump-full-ids-in-the-log
I already posted about this issue before, but the IDs are still there. Even the official FAQ tells users they needn’t keep the IDs secret, and it’s mind-blowing to me, as it’s a huge privacy flaw. Please remove them from the log. Maybe IPs as well: leave only the first and last octet, though IPs often belong to a LAN. Still, if the victim connects to his home device from work, that would most likely happen via the Internet and it will reveal the external IP of that device. Anyway, this won’t enable 24/7 surveillance by itself, unlike the device IDs, which are much more important to hide from the general public.
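The two halves of the post, the harvesting step (grep the forum for “Established secure connection to”, pull out the IDs, build the discovery lookup) and the proposed fix (truncate device IDs to their first group and mask external IPs to first and last octet), as an added example in Python. This is not code from the post or from the Syncthing project. It assumes device IDs are printed as 8 dash-separated groups of 7 base32 characters (A-Z, 2-7), treats only RFC 1918, loopback and link-local addresses as LAN addresses that need no masking, and only builds the discovery URL rather than sending it; the log lines are constructed for the example and only approximate real Syncthing output. IPv6 addresses are not handled.

```python
import ipaddress
import re
from urllib.parse import urlencode

# Assumed device ID format: 8 dash-separated groups of 7 base32 characters.
DEVICE_ID_RE = re.compile(r"\b[A-Z2-7]{7}(?:-[A-Z2-7]{7}){7}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Addresses that only identify a host on a LAN. Leaking them says nothing about
# where the device sits on the Internet, so they are left untouched.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample log (not copied from a real Syncthing instance). The two
# device IDs are made-up strings in the right format; 203.0.113.5 is a
# documentation-range address standing in for a home router's external IP.
SAMPLE_LOG = """\
[PHONE] INFO: Established secure connection to MFZWI3D-BONSGYC-YLTMRWG-C43ENR5-QXGZDMM-FZWI3DP-BONSGYY-LTMRWAD at 203.0.113.5:22000-192.168.1.10:41234 (tcp-client)
[PHONE] INFO: Established secure connection to P56IOI7-MZJNU2Y-IQGDREY-DM2MGTI-MGL3BXN-PQ6W5BM-TBBZ4TJ-XZWICQ2 at 192.168.1.20:22000-192.168.1.10:41235 (tcp-client)
[PHONE] INFO: Connection to MFZWI3D-BONSGYC-YLTMRWG-C43ENR5-QXGZDMM-FZWI3DP-BONSGYY-LTMRWAD at 203.0.113.5:22000-192.168.1.10:41234 closed: reading length: EOF
"""

DISCOVERY_BASE = "https://discovery-v4.syncthing.net/v2/"


def extract_device_ids(log_text):
    """The harvesting step: every distinct full device ID in an unredacted log."""
    seen = []
    for match in DEVICE_ID_RE.finditer(log_text):
        if match.group(0) not in seen:
            seen.append(match.group(0))
    return seen


def discovery_lookup_url(device_id, base=DISCOVERY_BASE):
    """Build the lookup URL from the post for one ID. Nothing is sent."""
    return base + "?" + urlencode({"device": device_id})


def _mask_ipv4(match):
    """Keep only the first and last octet of non-LAN addresses."""
    ip = match.group(0)
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return ip  # e.g. 999.1.2.3 matches the regex but is not an address
    if any(addr in net for net in LAN_NETS):
        return ip
    first, _, _, last = ip.split(".")
    return f"{first}.x.x.{last}"


def redact_line(line, keep_groups=1):
    """Truncate device IDs to their first group(s) and mask external IPv4s."""
    line = DEVICE_ID_RE.sub(
        lambda m: "-".join(m.group(0).split("-")[:keep_groups]), line)
    return IPV4_RE.sub(_mask_ipv4, line)


def redact_log(log_text, keep_groups=1):
    """Redact a whole log, preserving line structure."""
    return "".join(redact_line(l, keep_groups) + "\n"
                   for l in log_text.splitlines())


if __name__ == "__main__":
    for dev_id in extract_device_ids(SAMPLE_LOG):
        print("would query:", discovery_lookup_url(dev_id))
    print(redact_log(SAMPLE_LOG))
```

Running it prints the lookup URL for each harvested ID, then the redacted log, in which the first line reads “… connection to MFZWI3D at 203.x.x.5:22000-192.168.1.10:41234 …”. The first group is still enough to tell the two devices apart when reading a bug report, while the redacted text no longer contains anything the discovery server would answer for.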