Syncthing Android HTTPS

Why does the Android app use HTTPS for the web GUI by default?

To protect against the possibility of a malicious external app “stealing” the 8384 GUI port in an attempt to sniff API-key credentials.


@Nummer378 Couldn’t that happen on the desktop version too? But it’s off by default there…

Unlike the Android webview, your web browser doesn’t know syncthing’s API key, so if your syncthing instance is unprotected (the default) there’s no leakage of credentials. If your syncthing instance is password protected you should guard yourself against this attack before entering the password, yes. We thus recommend that https is used as well when setting a password.

(Also, the security models on desktops are typically vastly different from mobile. On many desktop OS’es, apps can freely access a large portion of the system’s files. If that’s the case, a malicious app can just read syncthing’s configuration and gain credentials this way. On Android however, app data is protected much more strictly which results in a tighter security model)

@Nummer378 That causes a warning about the certificate in Safari, though.

Is it safe to select ‘always trust’?

That’s a very complicated topic with few easy answers. The simplest one I can give is yes, just ignore it. I think most browsers these days are smart enough to remember the exact certificate that has been ignored (at least Firefox does), in which case this is safe to do - click the warning once, but only once (e.g. if the browser warns again this means that the certificate was changed, which may indicate that something happened).

@Nummer378

On Safari it seems like there’s actually two options.

  1. Ignore the warning and visit the site. (This is based on cookies and will reset when browsing data is deleted, etc.)

  2. Trust the certificate (This is permanent until manually revoked)

Since #1 will warn you every time your cookies are cleared, it seems like #2 is (counterintuitively) actually safer? Since you would only get a warning for a new, changed certificate.
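The behaviour discussed in the two posts above (a browser remembering the exact certificate it was told to ignore, and warning again only when that certificate changes) is a trust-on-first-use pin. As an added example that is not part of this thread and not Syncthing’s own code, here is a minimal pin store in Python that does the same thing explicitly for a self-signed GUI certificate. The endpoint name, the port 8384 (taken from the thread), the store path and the byte strings in the demo are all assumptions or constructed values.

```python
import hashlib
import json
import socket
import ssl
from pathlib import Path


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as colon-separated hex."""
    digest = hashlib.sha256(der_cert).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_peer_cert(host: str, port: int = 8384, timeout: float = 5.0) -> bytes:
    """Fetch the server's leaf certificate (DER bytes) without trusting it.

    A self-signed GUI certificate fails normal chain validation, so validation
    is disabled here only to obtain the certificate; trust is decided by
    check_pin(), not by this function.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_pin(store: dict, endpoint: str, der_cert: bytes) -> str:
    """Trust-on-first-use check against an in-memory pin store.

    Returns "first-use" (certificate pinned now), "match" (same certificate
    as before) or "mismatch" (certificate changed; do not proceed silently).
    """
    seen = fingerprint(der_cert)
    pinned = store.get(endpoint)
    if pinned is None:
        store[endpoint] = seen
        return "first-use"
    return "match" if pinned == seen else "mismatch"


def load_store(path: Path) -> dict:
    """Read the pin store from disk; an absent file means nothing pinned yet."""
    if not path.exists():
        return {}
    return json.loads(path.read_text())


def save_store(path: Path, store: dict) -> None:
    """Persist the pin store as JSON."""
    path.write_text(json.dumps(store, indent=2, sort_keys=True))


if __name__ == "__main__":
    # Offline demo with constructed (non-certificate) byte strings; a real run
    # would call fetch_peer_cert("phone.local") and pass the result instead.
    pins = {}
    endpoint = "phone.local:8384"  # assumed endpoint name
    print(check_pin(pins, endpoint, b"constructed-cert-A"))  # first-use
    print(check_pin(pins, endpoint, b"constructed-cert-A"))  # match
    print(check_pin(pins, endpoint, b"constructed-cert-B"))  # mismatch
```

A "mismatch" result is the equivalent of the browser warning reappearing: either the GUI certificate was legitimately regenerated, or something else is answering on that port, and the pin should only be replaced after that has been confirmed out of band.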
