I’ve been pestering poor Jacob with some privacy issues regarding discosrv and the stats server some time ago:
There I explained in detail what can be done with different kinds of information and what can’t be done.
Apparently you (Eddy2909) don’t really understand the problems that distribution and encryption bring with them or how the current setup works. That’s why I’d like to tell you that encrypting or otherwise protecting IPs and IDs on the server just isn’t worth it. Those who can hack one with this information don’t have to get it from Syncthing.
The only thing which can be done with the ID-IP mapping is targeted attacks on the device/network at the IP. But the only entities interested in such information (state actors like the NSA & GCHQ and paid/motivated hackers) don’t need Syncthing to get this information.
State actors simply subvert the network and detect one’s unencrypted HTTP sessions via identifiers like usernames, e-mail addresses and so on. They then inject their malware, which the browser then executes, and one gets owned. This also works for HTTPS as long as we use the broken X509 certificate system, where each of the hundreds of certificate authorities (among them Chinese and Iranian entities as well as companies which can be subverted legally in the US) can issue certificates for any domain.
Hackers will instead use one’s e-mail address, Facebook, Jabber or other instant messaging IDs to deliver their malware.
From 0.12 on, even passive sniffing from a favorable network perspective isn’t enough to get this data - the discovery server has to be actively hacked (because we don’t use shitty X509).
I’d also like to mention https://whispersystems.org/blog/contact-discovery/ which explains some methods of and the problems with protecting this exact kind of data on a server.
BTW: the problem of the very small namespace applies to phone numbers and IPv4 addresses; IPv6 ones are better.
And none of the solutions scale incredibly well. It would work better for Syncthing than TextSecure because our users have fewer contacts on average, but the work is still not worth it for the minimal benefit. Phone numbers are way more sensitive than IPs.
If we ever use a kind of DHT to protect against attacks on a centralized infrastructure, we should use an encrypted DHT, but that’s about it.