undefined | Better HN

0 pointsCyphase2y ago0 comments

That's not how Syncthing keys/IDs work.

That device ID you have to send to someone is not nominally private; it is in fact explicitly the public key of a key pair. If you use the public discovery servers (which is the default), that key is sent there so people who'd want to connect to you can look up your IP address with it.

https://docs.syncthing.net/users/security.html#global-discov...

https://docs.syncthing.net/users/faq.html#should-i-keep-my-d...

> Should I keep my device IDs secret?

> No. The IDs are not sensitive. Given a device ID it’s possible to find the IP address for that device, if global discovery is enabled on it. Knowing the device ID doesn’t help you actually establish a connection to that device or get a list of files, etc.

> For a connection to be established, both devices need to know about the other’s device ID. It’s not possible (in practice) to forge a device ID. (To forge a device ID you need to create a TLS certificate with that specific SHA-256 hash. If you can do that, you can spoof any TLS certificate. The world is your oyster!)

0 comments

noirbot2y ago

Ah, thanks for the clarification. I guess I just saw a key larger than an IPv6 address and assumed it was something I couldn't share openly. It does seem weird that it's that big then. 50+ characters that can be A-Z0-9 feels like an insane amount of entropy for something that's essentially a proxy for a 12 digit number. It's longer than Windows product keys or the SSH public key I use for Github!

Additionally, I don't necessarily want a key sitting out there that will let any random person who finds it a dynamic way to look up my current IP address. It's not the worst thing in the world, but it's definitely not something I'd publish publicly.

CyphaseOP2y ago

> 50+ characters that can be A-Z0-9 feels like an insane amount of entropy for something that's essentially a proxy for a 12 digit number.

That's not all it is. It's your cryptographic public key.

> Additionally, I don't necessarily want a key sitting out there that will let any random person who finds it a dynamic way to look up my current IP address.

Sure, that makes sense. How else would you propose that it work?

Just to mention, you can use a private, self-hosted discovery server.

j / k navigate · click thread line to collapse