How does the web client store my key?

I understood that when you define a key in the syncthing-gtk client the key is not stored as plain text anywhere on your computer; it is stored hashed in a config file instead. That seems to me an important and indispensable safety measure. But how about the web client? If I only install syncthing and syncthing-tools I can still configure everything via the web client in Firefox, which includes the key. But I wonder: 1) is the key stored as safely when typed in the web client as when you use the syncthing-gtk client? 2) if so, what is happening when the browser asks you if you want it to save your password? Is the browser also using the hashed version of it (safe) or is it storing it as plain text somewhere else (totally unsafe)? I am asking because I liked the web client better than the syncthing-gtk one, but I am worried about how safe it is. Thank you all!

Which key?


This one… I am sure the browser is encrypting it, but the browser has to submit the pre-hashed value, so it has to store the pre-hashed value.

The password is stored by syncthing in the config.xml as a hash.

When you open Settings in the web client it shows “GUI Authentication User” and “GUI Authentication Password”: that key. It is the same one that you type in the syncthing-gtk client when first configuring it.

Right, so the Web UI login password. That’s stored as a hash in a text file (so it is not possible to read the text file and figure out what the password is).

Hmm, ok… But if I never ask it to remember my password, will it still be stored in plain text somewhere?

I assume so, you’ll have to ask the Syncthing-GTK author. Ping @kozec

My basic concern here is: regarding the handling of the login password, is the web client as safe as the desktop client or not? I love minimalist installs, so I don’t want to install the desktop client if the web client is just as good.

Regardless, if anyone can read your config file they can grab the API key (which is stored in plain text), and access the web UI anyway. They can also read your private key which lets them configure another Syncthing instance to pretend to be you. In addition, they can read all of your files, so trying to access Syncthing is pretty pointless. If they can write to your config file, there’s no point in them going through the web UI at all…

Basically if someone has access to your user’s files, there’s nothing you can do to stop them from messing around with Syncthing, but there’s no point in them doing that because they can mess around with your files directly anyway.


Yes it is as safe as long as you don’t store the password in the browser. If you do store the password in the browser it depends on how safely the browser stores it…

Probably not a problem but to find out you will have to look into the security of the browser, not Syncthing.

Now you make me nervous… Where is this file containing my key in plain text? It is not config.xml, because I just checked it.

key.pem.

You’re missing the point though. If someone can pretend to be your user, they can do anything with your files, including read them directly. In this case there is no point in them messing around with Syncthing – they’ve already got everything they need.

Ok, I think I got it… But I just opened key.pem and the key is hashed at least. I suppose that an attacker would need some sort of encryption key that syncthing has stored in its code in order to use this hashed key, am I correct? If so, how hard would that be?

key.pem is just binary – it’s not hashed, it’s (simplistically) a big random number. Anyone who gets that big random number can pretend to be your Syncthing device.

But yet again, none of this matters, because you’re still missing the point.
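To make the three storage facts from this thread concrete (GUI password kept as a hash in config.xml, API key kept verbatim in the same file, key.pem being the raw private key that is only as safe as its file permissions), here is an added Python script that is not part of the thread and not Syncthing's own code. It parses a constructed config.xml, reports how each credential is stored, and checks that neither file is readable by other users. Element names (`<gui>`, `<user>`, `<password>`, `<apikey>`) follow Syncthing's config layout as I understand it and the bcrypt-shape test assumes Syncthing's bcrypt hashing; both the config contents and the key file are constructed placeholders.

```python
"""Audit how Syncthing credentials sit on disk (added example, not Syncthing code).

Everything below is constructed: the config.xml text, the hash value, the API key
and the key.pem contents are placeholders, not real credentials.
"""
import os
import re
import shutil
import stat
import tempfile
import xml.etree.ElementTree as ET

# bcrypt layout: $2a$<cost>$ + 22-char salt + 31-char digest (53 chars total).
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")

# Constructed hash with the right shape only; it does not correspond to any password.
SAMPLE_HASH = "$2a$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"

# Constructed config.xml; element names assumed from Syncthing's layout.
SAMPLE_CONFIG = f"""<configuration version="37">
  <gui enabled="true" tls="false">
    <address>127.0.0.1:8384</address>
    <user>alice</user>
    <password>{SAMPLE_HASH}</password>
    <apikey>EXAMPLE-API-KEY-PLACEHOLDER</apikey>
  </gui>
</configuration>
"""

# Constructed stand-in for key.pem; not a real key.
SAMPLE_KEY_PEM = """-----BEGIN EC PRIVATE KEY-----
PLACEHOLDER-NOT-A-REAL-KEY
-----END EC PRIVATE KEY-----
"""


def audit_gui_section(config_xml: str) -> dict:
    """Parse the <gui> element and report how each credential is stored."""
    root = ET.fromstring(config_xml)
    gui = root.find("gui")
    if gui is None:
        raise ValueError("no <gui> section in config")
    password = (gui.findtext("password") or "").strip()
    apikey = (gui.findtext("apikey") or "").strip()
    return {
        "user": (gui.findtext("user") or "").strip(),
        "password_set": bool(password),
        # A bcrypt-shaped value means the file holds a hash, not the password itself.
        "password_is_hash": bool(BCRYPT_RE.match(password)),
        # The API key is a bearer secret stored verbatim: anyone who can read
        # the file can use it against the GUI/REST API, as the thread notes.
        "apikey_plaintext": bool(apikey),
    }


def private_to_owner(path: str) -> bool:
    """True when no group/other permission bits are set (for example mode 0600)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & 0o077 == 0


def run_demo() -> dict:
    """Write the constructed files to a temp dir, audit them, and clean up."""
    workdir = tempfile.mkdtemp(prefix="syncthing-audit-")
    try:
        config_path = os.path.join(workdir, "config.xml")
        key_path = os.path.join(workdir, "key.pem")
        with open(config_path, "w") as fh:
            fh.write(SAMPLE_CONFIG)
        with open(key_path, "w") as fh:
            fh.write(SAMPLE_KEY_PEM)
        os.chmod(config_path, 0o600)  # what you want to see
        os.chmod(key_path, 0o644)     # deliberately too loose, to produce a finding
        with open(config_path) as fh:
            report = audit_gui_section(fh.read())
        report["config_private"] = private_to_owner(config_path)
        report["key_private"] = private_to_owner(key_path)
        return report
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The interesting rows are `apikey_plaintext` and `key_private`: the hashed GUI password buys nothing once either of those is exposed, which is the point made repeatedly above. On a real install you would point `audit_gui_section` and `private_to_owner` at Syncthing's actual config.xml and key.pem paths instead of the constructed temp files.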

Let me see if I understand what you are saying. If someone can break into my user space and read all my files, then he/she would already have everything that matters, not only my keys but also the files themselves that syncthing syncs over encrypted transmission. So before worrying about how safely my syncthing credentials are stored I must worry about how safe my own user space is from the outside world. Is that correct?

Yes. If they have access to all of your files, it doesn’t matter that they have access to Syncthing. Indeed, there’s no way to stop them from getting access to Syncthing.

If you’re cooking dinner and someone turns up with a flamethrower and sets your house on fire, and the resulting inferno burns your dinner, it doesn’t matter your dinner’s burnt: your house is on fire. Indeed, your house fire is the reason your dinner’s burnt. Invest in a fire alarm and fire extinguisher, not a fire-proof casserole dish…


Ok, thank you very much, Antony and Kluppy.

(Although if your Syncthing GUI password is also your bank account password, that’s obviously an issue. Don’t do that.)

Syncthing-GTK doesn’t deal with passwords at all; it uses the API key and reads it from the same config file as syncthing does. It shouldn’t add any attack surface.


In the end, what would be the most secure option in your opinion, syncthing-gtk or the web client? I am inclined to think that it would be the web client, since an open source browser like Firefox, which is certainly audited regularly, seems better suited for protection against attackers than syncthing-gtk, but that is just a guess…