Encryption Questions - TLS / https

My questions reveal my lack of knowledge about SSL security. Help me understand how to securely manage data transmission in a cluster of nodes with the following characteristics:

  * Node A - Remote Linux VPS Server
  * Node B - NAS on local LAN
  * Node C - Windows PC on local LAN
  * Node D - Android phone on various networks

I do not have SSL certificates installed on any of the devices.

Presently all 4 nodes are accessible by http. I can convert Nodes A, B and C to https, although my browser complains that the 3 servers' certificates are untrusted.

Syncthing on Android is presently unable to handle https. The option is disabled.

Question 1: Is there any benefit to acquiring SSL certificates for Nodes A, B, C if Node D is running http only?

Question 2: Disregarding Node D - is a 3 node cluster running https without certificates any more secure than running in http?

Question 3: Under which condition(s) is Syncthing TLS encryption enabled? (i) http (ii) https (no cert) (iii) https (with SSL cert)


The HTTP/HTTPS distinction is only relevant for the GUI; it has no effect at all on the actual transmission of data which is always encrypted. The HTTPS certificates being “official” or not have no effect on the security either. So, to stay secure,

  1. Set a username and password.

  2. Enable HTTPS.

  3. Only access the GUI over HTTPS.

  4. Tell your browser to remember the certificate the first time it sees it, if possible.

If the web GUI isn’t accessible from the outside (like I think is the case on Android), then none of this matters at all.
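Step 4 in the list above is trust-on-first-use pinning. As an added example (not part of the original thread and not Syncthing code), this Python script records the SHA-256 fingerprint of a self-signed GUI certificate on first contact and flags any later change; the host name `nas.example`, port 8384 and the pin-file name are assumptions, and the certificate bytes in the demo are constructed stand-ins.

```python
"""Trust-on-first-use pinning for a self-signed HTTPS GUI certificate."""
import hashlib
import hmac
import json
import ssl
import tempfile
from pathlib import Path


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der).hexdigest()


def fetch_der(host: str, port: int) -> bytes:
    """Fetch the leaf certificate without chain validation (it is self-signed)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def check_pin(pin_file: Path, endpoint: str, der: bytes) -> str:
    """Return 'pinned' on first sight, then 'match' or 'mismatch'."""
    pins = json.loads(pin_file.read_text()) if pin_file.exists() else {}
    seen = fingerprint(der)
    known = pins.get(endpoint)
    if known is None:
        pins[endpoint] = seen  # first contact: remember it, like a browser exception
        pin_file.write_text(json.dumps(pins, indent=2))
        return "pinned"
    # A mismatch never overwrites the pin; re-pinning must be a deliberate act.
    return "match" if hmac.compare_digest(known, seen) else "mismatch"


if __name__ == "__main__":
    # Constructed stand-ins for DER certificates so the demo runs offline.
    # Against a live node use: fetch_der("nas.example", 8384)  (assumed host/port)
    original, replaced = b"constructed-cert-A", b"constructed-cert-B"
    with tempfile.TemporaryDirectory() as tmp:
        pin_file = Path(tmp) / "gui_pins.json"
        for der in (original, original, replaced):
            print(check_pin(pin_file, "nas.example:8384", der))
```

A "mismatch" result means the certificate presented now differs from the one first remembered, so compare the new fingerprint with the one shown on the node itself before re-pinning.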

Thanks for the clarification - and the simple advice to lock down external / outside access to the GUI.

I should have realized that node-to-node data transmission was encrypted by the executable, and totally unrelated to securely accessing the WebGUI. … Duhhh! ;D

I get it now. Thx.