Yesterday I decided to check the box on the webgui interface asking for the browser to use https “Using HTTPS for GUI”. However, just after reloading the browser immediately warns that the connection is not secure, and from that on shows permanently in the address bar https in red with the no secure warn. So, my questions are: 1) Is this the normal behavior, and there is some configuration (perhaps in the browser itself and not in the webgui) that is not set up properly? 2) if not, is this a glitch of some sort within the GUI? 3) regardless, is both my data being transferred through sync and and any type of information stored in the client protected via cryptography? Thank you all for your attention.
Is this the normal behavior, and there is some configuration (perhaps in the browser itself and not in the webgui) that is not set up properly?
Yes it’s normal.
When a website (e.g. syncthing.net) uses https, it gets a trusted authority to verify that the person asking for the https certificate actually controls the website address. This is included in the certificate given to the web browser. So when your browser connects to syncthing.net, it sees that this trusted authority has verified that the person who was given the https certificate actually controls syncthing.net: it can be sure that some malicious party isn’t intercepting your request and pretending to be syncthing.net
It’s not possible to do this when connecting to a website using its IP address, particularly when that IP address is your local machine. The trusted authority is never going to issue a certificate saying that Syncthing has control over “127.0.0.1”.
What you can do is to tell your browser to trust the certificate generated by Syncthing (without relying on a trusted authority). How to do this depends on the browser, but you’ll find the certificate called https-cert.pem in Syncthing’s configuration directory.
regardless, is both my data being transferred through sync and and any type of information stored in the client protected via cryptography? Thank you all for your attention.
Yes.
3 Likes
What happens when https-cert.pem doesn’t exist?
IIRC it is (re-)generated automatically.