I am just in the process of setting up Syncthing for the first time and wanted to ask for clarification on HTTPS warnings and security. Title pretty much says it all, but:
When I login to the UI, my browser complains about it not being secure, unless I add it to exceptions. I realise this is probably fine for local connections - ie computers that aren’t accessible from outside, but I plan to have a remote node accessible using port forwarding so that I do not have to rely on relays.
Will this remote computer with the port being forwarded to it be insecure without generation of a certificate and HTTPS? Or have I misunderstood? Basically, can I just forward and leave it? Or is there some critical point I have missed that’s going to leave me wide open?
HTTPS traffic is encrypted, HTTP is not. If you have someone malicious on your network, they could read the web UI's username and password in plain text by just intercepting the network traffic.
This sentence makes it look like there is a misconception: Relaying has nothing to do with the UI login/https settings. The actual sync connection (which may be by relay) is always secured, there’s nothing you can configure.
The browser exception thingy is because by default when enabling https for the UI, a “self-generated” certificate is used, i.e. the browser can’t verify the issuer of it. If you are the only one to access the web UI, I don’t think there is anything wrong with adding exceptions. Otherwise you’ll have to look into replacing the generated certificate by one signed by an authority (e.g. Let’s Encrypt).
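To make the distinction in the two answers above concrete, here is an added example (not from the thread or the Syncthing project) of the relevant part of a Syncthing config.xml: the weak GUI setting that exposes a plaintext login when the port is forwarded, beside the corrected one. The password hash and API key are placeholders, and the sync listener is shown only to illustrate that it is separate from the GUI listener.

```xml
<!-- WEAK: GUI reachable from any interface over plain HTTP.
     If 8384 is port-forwarded, the login is sent in cleartext. -->
<gui enabled="true" tls="false" debugging="false">
  <address>0.0.0.0:8384</address>
  <user>admin</user>
  <password>BCRYPT-HASH-PLACEHOLDER</password>
  <apikey>API-KEY-PLACEHOLDER</apikey>
</gui>

<!-- CORRECTED: TLS enabled for the GUI (self-signed by default,
     hence the browser warning) and a login configured.
     Bind to 127.0.0.1 instead of 0.0.0.0 if only local access
     to the web UI is needed; then nothing has to be forwarded
     for the GUI at all. -->
<gui enabled="true" tls="true" debugging="false">
  <address>0.0.0.0:8384</address>
  <user>admin</user>
  <password>BCRYPT-HASH-PLACEHOLDER</password>
  <apikey>API-KEY-PLACEHOLDER</apikey>
</gui>

<!-- The sync protocol listener is independent of the GUI
     settings: device-to-device traffic on this port is always
     TLS-protected, whether it goes direct or via a relay. -->
<options>
  <listenAddress>tcp://0.0.0.0:22000</listenAddress>
</options>
```

Only the `<gui>` port needs the HTTPS decision discussed in the thread; forwarding the sync port alone does not expose the web UI.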