Continuing the discussion from Upcoming security release of Go:
I’ve just pushed and built Syncthing v0.12.14. This build is built with Go 1.5.3, except for the Windows build, which is built using Go 1.6beta2. Go 1.5.3 / 1.6beta2 fix the security issue described here, but the relevant part is:
Specifically, incorrect results in one part of the RSA Chinese Remainder computation can cause the result to be incorrect in such a way that it leaks one of the primes. While RSA blinding should prevent an attacker from crafting specific inputs that trigger the bug, on 32-bit systems the bug can be expected to occur at random around one in 2^26 times. Thus collecting around 64 million signatures (of known data) from an affected server should be enough to extract the private key used.
On 64-bit systems, the frequency of the bug is so low (less than one in 2^50) that it would be very difficult to exploit. Nonetheless, everyone is strongly encouraged to upgrade.
For us, this should mean that an eavesdropper collecting a sufficient number of TLS handshakes (i.e. connection attempts) could potentially break the key and thus impersonate the device ID. This concerns keys generated on v0.12.4 or earlier - later versions generate EC keys which are not susceptible to this attack.
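The quoted advisory concerns RSA's Chinese Remainder shortcut, where a signature is assembled from one computation modulo each prime and an error in either half yields a wrong result. The following is an added example, not code from Syncthing or Go, showing the general countermeasure of checking a CRT result against the public key before releasing it; the toy primes (61, 53), the simulated fault and the names `crtKey`, `signCRT` and `signChecked` are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
)

// crtKey holds RSA-CRT private values; constructed toy sizes, not for real use.
type crtKey struct{ N, E, P, Q, Dp, Dq, Qinv *big.Int }

func newKey(p, q, e int64) *crtKey {
	P, Q, E, one := big.NewInt(p), big.NewInt(q), big.NewInt(e), big.NewInt(1)
	return &crtKey{
		N: new(big.Int).Mul(P, Q), E: E, P: P, Q: Q,
		Dp:   new(big.Int).ModInverse(E, new(big.Int).Sub(P, one)),
		Dq:   new(big.Int).ModInverse(E, new(big.Int).Sub(Q, one)),
		Qinv: new(big.Int).ModInverse(Q, P),
	}
}

// signCRT computes m^d mod N from two half-size exponentiations.
// faultQ simulates an arithmetic bug by corrupting the mod-q half.
func signCRT(k *crtKey, m *big.Int, faultQ bool) *big.Int {
	sp := new(big.Int).Exp(m, k.Dp, k.P)
	sq := new(big.Int).Exp(m, k.Dq, k.Q)
	if faultQ {
		sq.Add(sq, big.NewInt(1)).Mod(sq, k.Q)
	}
	// Garner recombination: s = sq + q * (qinv * (sp - sq) mod p)
	h := new(big.Int).Sub(sp, sq)
	h.Mul(h, k.Qinv).Mod(h, k.P)
	return h.Mul(h, k.Q).Add(h, sq)
}

// signChecked releases s only if s^e mod N equals m, so a faulty
// CRT result is withheld instead of being sent to the peer.
func signChecked(k *crtKey, m *big.Int, faultQ bool) (*big.Int, error) {
	s := signCRT(k, m, faultQ)
	if new(big.Int).Exp(s, k.E, k.N).Cmp(m) != 0 {
		return nil, errors.New("CRT result failed public-key check; signature withheld")
	}
	return s, nil
}

func main() {
	k := newKey(61, 53, 17)
	fmt.Println(signChecked(k, big.NewInt(2790), false)) // correct arithmetic
	fmt.Println(signChecked(k, big.NewInt(2790), true))  // simulated fault
}
```

The check costs one public-key exponentiation per signature, which is cheap next to the private-key operation.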