Security & Privacy implications of using the Global Discovery Servers, i.e. for Zero Days

Thanks to the community for this awesome software and solution. I’m really deeply impressed by the “just works” kind of nature.

I was wondering about the security and privacy implications of using the global discovery servers and if they can be used reasonably or if I should go down the road and host my own discovery server instance.

I was not able to quickly find any hints on the following questions:

  1. What exactly is stored in plain-text on the discovery servers? I’d assume Device ID → { Full list of IP addresses }, right?
  2. Can this information be crawled easily w/o knowing the Device ID? So would an attacker be able to quickly identify all running instances, i.e. to exploit a potential zero day?

Looking forward to learning more about this.

Thanks & best, Ben

https://docs.syncthing.net/users/security.html#global-discovery

There’s no listing functionality so you’d have to guess device IDs.

1 Like

Thank you @calmh for the very helpful link. One thing leaves me a little bit puzzled:

An eavesdropper on the Internet can deduce which machines […] and what their device IDs are.

At the same time the article states:

The connection to the discovery server is encrypted using TLS […] so the contents of the query should be considered private between the device and the discovery server.

How can an eavesdropper deduce the device IDs?
Do Syncthing instances announce their IDs on anonymous connects?

The IDs are “just” the encoded hashes of the certificates, which are exchanged during every TLS handshake.

An active attacker can try to establish a new connection to your syncthing instance, during which they can retrieve your device ID simply by looking at the certificate.

Also on another note, even if you do not use discovery at all: The entire IPv4 address space can be portscanned in < 5 minutes, so if your syncthing instance is reachable from the internet via IPv4 an attacker could try to connect to you without needing any help from discovery. Thus the attacker doesn’t really learn anything from discovery that cannot be obtained via other means, except if you run IPv6 only.

3 Likes
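Since the answer above hinges on the device ID being nothing more than an encoding of the certificate hash, here is an added Python example (mine, not code from the Syncthing project or from any poster in this thread) that derives an ID from a certificate's DER bytes and validates one. The layout it reproduces (SHA-256 over the DER certificate, base32, one check character appended to each of four 13-character groups using Syncthing's non-standard "luhn32" routine, then eight dashed groups of seven) is written from memory and should be treated as an assumption to check against your own instance; `SAMPLE_DER` is a constructed byte string, not a real certificate. The point for a defender is that anyone who completes a TLS handshake with the instance holds the DER bytes and can run exactly this computation, so the ID is an identifier, not a secret, and connection acceptance is what actually gates access.

```python
import base64
import hashlib

# Alphabet used by RFC 4648 base32 and by Syncthing's check-character routine.
BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

# Constructed placeholder standing in for a DER-encoded certificate. On a real
# connection the DER bytes are simply what the peer presents in the handshake,
# e.g. what ssl.SSLSocket.getpeercert(binary_form=True) returns.
SAMPLE_DER = b"\x30\x82\x01\x00constructed placeholder, not a real X.509 certificate"


def certificate_digest(der: bytes) -> bytes:
    """SHA-256 over the DER bytes: the value the device ID encodes."""
    return hashlib.sha256(der).digest()


def luhn32(s: str) -> str:
    """Check character for a base32 string.

    Reproduces (from memory; an assumption) Syncthing's luhn32, which
    deliberately does not follow the standard Luhn algorithm: weights
    alternate 1, 2, 1, 2, ... from the left and digit sums are taken mod 32.
    """
    n = len(BASE32_ALPHABET)
    factor = 1
    total = 0
    for ch in s:
        codepoint = BASE32_ALPHABET.index(ch)  # ValueError if not base32
        addend = factor * codepoint
        factor = 1 if factor == 2 else 2
        total += addend // n + addend % n
    return BASE32_ALPHABET[(n - total % n) % n]


def device_id_from_der(der: bytes) -> str:
    """Hash -> base32 (52 chars) -> 4 x (13 chars + check) -> 8 dashed groups of 7."""
    raw = base64.b32encode(certificate_digest(der)).decode("ascii").rstrip("=")
    assert len(raw) == 52  # 256 bits / 5 bits per char, rounded up
    with_checks = "".join(
        raw[i * 13:(i + 1) * 13] + luhn32(raw[i * 13:(i + 1) * 13]) for i in range(4)
    )
    return "-".join(with_checks[i * 7:(i + 1) * 7] for i in range(8))


def verify_device_id(device_id: str) -> bool:
    """True if the ID has the expected shape and every check character matches."""
    compact = device_id.replace("-", "").replace(" ", "").upper()
    if len(compact) != 56 or any(c not in BASE32_ALPHABET for c in compact):
        return False
    return all(
        luhn32(compact[i * 14:i * 14 + 13]) == compact[i * 14 + 13] for i in range(4)
    )


def digest_from_device_id(device_id: str) -> bytes:
    """Strip the check characters and decode back to the 32-byte certificate hash."""
    if not verify_device_id(device_id):
        raise ValueError("malformed device ID or bad check character")
    compact = device_id.replace("-", "").replace(" ", "").upper()
    raw = "".join(compact[i * 14:i * 14 + 13] for i in range(4))
    return base64.b32decode(raw + "====")  # 52 chars + padding = 56, a multiple of 8


if __name__ == "__main__":
    did = device_id_from_der(SAMPLE_DER)
    print("device ID:", did)
    print("valid:", verify_device_id(did))
    print("certificate hash:", digest_from_device_id(did).hex())
```

`digest_from_device_id` shows the other direction: an ID seen anywhere (a config file, a log line, a support post) maps back to the certificate hash, which is exactly why the ID is safe to share but gives no authorization by itself.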

Thanks for the insights. Very helpful.

Currently my Syncthing instances are only accessible in the internal VPN-meshed network. Due to the different network segments I think I require discovery.

I am considering exposing some instances publicly, but would do this IPv6-only as I do with some other niche services as well.

According to your explanations, this would reduce the attack surface to an eavesdropper inspecting the traffic at the Discovery server site. I think this security level is already 10.000ft above the nowadays industry-standard "Hey, here is my cloud-hosted DynamoDB for my cool Android app w/o any authentication"-level. :wink: So I’m totally fine with that design.

Thanks a lot for all the quick responses! :blue_heart:

2 Likes

Am I missing something here? It’s one thing to find the server, but wouldn’t the next step be the acceptance of the connection? So if someone finds your server and tries to establish a connection, doesn’t that connection need to be accepted?

Yes. I think the question here is “if Syncthing was entirely broken somehow, how easily could I find such instances to exploit”.

1 Like