I switched my Android phone node to use Tor. Just to see if it would work more than anything. After a few seconds I could confirm that it did indeed work: it could connect, and send and receive data from my other nodes.
However, about two minutes later an unknown device ID attempted to connect to all my other nodes (excluding my phone). The new device was connecting from the IP address of a Tor exit node.
Any idea how that unknown device got my device IDs? I’m assuming it was observed traveling out of the Tor network either at or immediately upstream of the Tor exit node.
I’d disabled local device discovery prior to enabling Tor. Tor drops UDP packets so it shouldn’t really have made any difference.
You can probably count on all Tor traffic being very invasively monitored and any interesting endpoints probed. Probably it’s such probes you’re seeing. Maybe it’s a Syncthing-specific probe that will grab your files if you accept, maybe it’s just an HTTPS/TLS probe.
I realise there are varied reasons for using Tor, but conversely you should realise that by using Tor you are sending your traffic to be man-in-the-middled by an unknown, likely shady, third party. Syncthing is resistant to that as long as you don’t do something unwise like accept connection requests from unknown devices.
I realise there are varied reasons for using Tor, but conversely you should realise that by using Tor you are sending your traffic to be man-in-the-middled by an unknown, likely shady, third party.
I personally don’t need the anonymity but I occasionally “play” with Tor just to see how it works. My own boring use of Tor is mostly limited to doing a few generic web searches and reading a blog or two. However, my boring use of Tor does help hide the traffic for people who do need the anonymity offered by Tor.
In this case, I was considering setting up a Tor hidden service for Syncthing on my phone to avoid having to deal with Syncthing’s relays or NATing. (My home ISP disabled IPv6 two years ago following an acquisition by another ISP who — I guess — wanted to save on peering and infrastructure costs.)
Syncthing is resistant to that as long as you don’t do something unwise like accept connection requests from unknown devices.
It’s an opportune moment to try something like this, though. Say you’re adding a new device through Tor and you expect to see a new device prompt. Who is crazy enough to actually check on device IDs manually? (Other than me, that is.)
I believe people would be less likely to accept random devices if the permission GUI also displayed the IP address that the request originated from. In this case it would have shown a completely unknown ID coming from a completely unknown IP address.
It could be interesting to check on the device ID in any logs for the discovery servers or any other places where the device ID might be used. Assuming there is anywhere in Syncthing’s centralized infrastructure that logs the device ID.
I can provide the device ID in question to anyone emailing me through the email address I’m registered with on this forum. (It’s a unique address for this forum so knowing it will serve as your proof of admin credentials.)
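Two points in the thread so far come down to what a device ID actually is: the question of how an observer at (or near) an exit node could learn the IDs, and the remark about checking IDs by hand. The ID is not a secret and not a credential. It is derived purely from the bytes of the node's TLS certificate, and when a connection negotiates TLS 1.2 the Certificate messages travel in the clear before encryption starts, so anyone who can read the handshake on the path can compute exactly the string the GUI shows. The program below is an added example written for this thread, not Syncthing's own code; it reproduces the derivation as I read it in the project's source (SHA-256 of the DER certificate, base32 without padding, a Luhn mod-32 check character after every 13 characters, printed in groups of 7), and the certificate bytes it hashes are a constructed stand-in rather than a real certificate. The second function shows what a manual check of a typed ID can and cannot do: the check characters catch a mistyped character, but a well-formed ID you simply do not recognise passes them, which is why an unexpected prompt still has to be refused.

```go
package main

import (
	"crypto/sha256"
	"encoding/base32"
	"errors"
	"fmt"
	"strings"
)

// RFC 4648 base32 alphabet; device IDs are written in it without padding.
const idAlphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

var b32 = base32.StdEncoding.WithPadding(base32.NoPadding)

// luhnCheck returns a Luhn mod-N check character for s over alphabet a, in
// the variant I read in Syncthing's lib/protocol/luhn.go: s is walked from
// the left with the weight starting at 1 and alternating 1,2,1,2,...
// (textbook Luhn walks from the right starting at 2; the two agree only for
// even-length input, and the chunks below are 13 characters long).
func luhnCheck(a, s string) (byte, error) {
	n := len(a)
	factor, sum := 1, 0
	for i := 0; i < len(s); i++ {
		cp := strings.IndexByte(a, s[i])
		if cp < 0 {
			return 0, fmt.Errorf("character %q is not in the alphabet", s[i])
		}
		addend := factor * cp
		sum += addend/n + addend%n // base-n digit sum of addend (addend < 2n)
		factor = 3 - factor        // 1 -> 2 -> 1 -> ...
	}
	return a[(n-sum%n)%n], nil
}

// DeviceIDFromRawCert derives the printable device ID from DER certificate
// bytes: SHA-256 of the DER, base32 (52 chars), split into four 13-char
// chunks each followed by its check char (56 chars), then printed as eight
// 7-char groups. Nothing in it is secret: whoever sees the DER bytes on the
// wire can compute exactly the same string.
func DeviceIDFromRawCert(raw []byte) string {
	sum := sha256.Sum256(raw)
	enc := b32.EncodeToString(sum[:])
	var s strings.Builder
	for i := 0; i < 4; i++ {
		chunk := enc[i*13 : (i+1)*13]
		c, _ := luhnCheck(idAlphabet, chunk) // cannot fail: chunk is base32
		s.WriteString(chunk)
		s.WriteByte(c)
	}
	full := s.String()
	groups := make([]string, 0, 8)
	for i := 0; i < 8; i++ {
		groups = append(groups, full[i*7:(i+1)*7])
	}
	return strings.Join(groups, "-")
}

// VerifyDeviceID validates a hand-typed ID (case, dashes and spaces are
// ignored), checks all four check characters and returns the 32-byte
// certificate hash it encodes. A typo is caught here; a well-formed ID you
// simply do not recognise is not, so an unexpected "add device" prompt
// still has to be refused by the user.
func VerifyDeviceID(id string) ([]byte, error) {
	s := strings.ToUpper(strings.NewReplacer("-", "", " ", "").Replace(id))
	if len(s) != 56 {
		return nil, errors.New("device ID must have 56 characters once dashes are removed")
	}
	var enc strings.Builder
	for i := 0; i < 4; i++ {
		chunk := s[i*14 : i*14+13]
		c, err := luhnCheck(idAlphabet, chunk)
		if err != nil {
			return nil, err
		}
		if c != s[i*14+13] {
			return nil, fmt.Errorf("check character mismatch in chunk %d", i+1)
		}
		enc.WriteString(chunk)
	}
	return b32.DecodeString(enc.String())
}

func main() {
	// Constructed stand-in for the DER bytes of a peer's certificate as seen
	// in a cleartext TLS 1.2 Certificate message; a real one would be ~1 KiB.
	der := []byte("constructed stand-in for DER-encoded certificate bytes")
	id := DeviceIDFromRawCert(der)
	fmt.Println("device ID an on-path observer can derive:", id)
	_, err := VerifyDeviceID(id)
	fmt.Println("check characters OK:", err == nil)
	typo := "B" + id[1:]
	if id[0] == 'B' {
		typo = "C" + id[1:]
	}
	_, err = VerifyDeviceID(typo)
	fmt.Println("one-character typo rejected:", err != nil)
}
```

The practical reading: once a node's certificate has been seen on the wire, knowing its ID gives a third party nothing beyond the ability to address it; the connection is still authenticated by the private key behind that certificate, which the observer does not have. The only thing that turns a seen ID into access to files is a human accepting the resulting prompt.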
@calmh I think this is a good idea. Maybe, if possible, also display the DNS name?
This would help, e.g., if you work in Germany and get a request from an unknown IP: you will see “device from dialin123.example.jp (111.222.333.444) wants to connect to you”, which gives you more of an indication that this request should be blocked (if you don’t know anybody in Japan).
Open new issue?
@Dan you could try to run a completely new Syncthing instance and see if it happens again if you are connected using Tor
I’m skeptical. A reverse lookup might help, but the IP on its own will be completely meaningless for most users. Also, it might legitimately be consumer broadband in Japan even if the device is in Germany, because relays… We could maybe then hide it for relay connections…
But again, I’m not convinced of the value here. If you’re not expecting a new device connection you should not accept it, regardless.
I think (I am not sure, would have to check) that’s just how it’s implemented to support backwards compatibility before hello messages. Perhaps this was a genuine Syncthing-specific probe and I am just talking garbage.
I’m 99% sure we only show the “add device” dialog when the other side actually does speak our protocol. But other connection attempts that get at least as far as presenting a certificate, and then error out by talking unintelligible gibberish, also generate a “popup” as they cause a warning level log message - “Connecting to $deviceID: protocol error: unknown perhaps newer protocol version” or something like that, as Audrius mentions. So it depends on what exactly the popup / message was.
(There’s also the certificate common name check, but this happens quite late. It needs to look up the device in the config to see if it might have a custom common name, and the “add device” happens prior to that… For some reason.)