Thank to the community for this awesome software and solution. I’m really deeply impressed on the “just works” kind of nature.
I was wondering about the security and privacy implications of using the global discovery servers and if they can be used reasonably or if I should go down the road and host my own discovery server instance.
I was not able to quickly find any hints on the following questions:
What exactly is stored in plain-text on the discovery servers? I’d assume Device ID → { Full list of IP Adresses }, right?
Can this information be crawled easily w/o knowing the Device ID. So would an attacker be able to quickly identify all running instances, i.e. to exploit a potential zero day?
Thank you @calmh for the very helpful link. One thing leaves me a little bit puzzled:
An eavesdropper on the Internet can deduce which machines […] and what their device IDs are.
At the same time the article states:
The connection to the discovery server is encrypted using TLS […] so the contents of the query should be considered private between the device and the discovery server.
How can an eavesdropper deduce the device IDs?
Do Syncthing instances announce their IDs on anonymous connects?
The IDs are “just” the encoded hashes of the certificates, which are exchanged during every TLS handshake.
An active attacker can try to establish a new connection to your syncthing instance, during which they can retrieve your device ID simply by looking at the certificate.
Also on another note, even if you do not use discovery at all: The entire IPv4 address space can be portscanned in < 5 minutes, so it your syncthing instance is reachable from the internet via IPv4 an attacker could try to connect to you without needing any help from discovery. Thus the attacker doesn’t really learn anything from discovery that cannot be obtained via other means, except if you run IPv6 only.
Currently my Syncthing instances are only accessible in the internal VPN-meshed network. Due to the different network segments I think I require discovery.
I do consider to expose some instances publicly, but would do this IPv6-only as I do with some other niche services as well.
According to your explanations, this would reduce the attack surface to eavesdropper inspecting the traffic at the Discovery server site. I think this security level is already 10.000ft above the nowadays industry standard Hey, here is my cloud-hosted DynamoDB for my cool Android app w/o any authentification"-level. So I’m totally fine with that design.
Am I missing something here. It’s one thing to find the server but wouldn’t the next step being the acceptance of the connection? So if someone finds your server and tries to establish a connection doesn’t that connection need to be accepted?
If I use global discovery and relays, my Syncthing instance interacts with external servers. During these interactions, a zero day in Synchting could be exploited.
How much is the potential for exploit there?
I am assuming that some of the relay nodes might even be malicious (I have heard some of these relay nodes run also Tor exit nodes and might be targets).
Keep in mind that anyone can run these servers, and Synchting is very popular and hence a juicy target.
I almost forgot I had asked that question before. Surprised also the same question occurs to me (triggered by this similar post).
Essentially, it seems that you are indicating yes, there is some interaction with both relay and discovery servers, and as with any interaction, a malicious server could send malformed messages to the clients causing buffer overflow, code execution, and so on.
But looking at CVEs, this has not happened much in the past, at least publicly.
The global discovery servers are safe because they are run by Synchting Foundation. The risk is in the relays.
This is not generally supposed to happen in code written in Go. It’s one of the design parameters of the language, as opposed to C etc. There are exceptions, but they are quite few and far between. Certainly any buffer involved in processing network requests is not susceptible.
So I’m totally fine with that design.