1SYNCTHING-SECURITY(7) Syncthing SYNCTHING-SECURITY(7)
2
6 syncthing-security - Security Principles
7 Security is one of the primary project goals. This means that it should
9 not be possible for an attacker to join a cluster uninvited, and it
10 should not be possible to extract private information from intercepted
11 traffic. Currently this is implemented as follows.
12 All device to device traffic is protected by TLS. To prevent uninvited
14 devices from joining a cluster, the certificate fingerprint of each
15 device is compared to a preset list of acceptable devices at connection
16 establishment. The fingerprint is computed as the SHA-256 hash of the
17 certificate and displayed in BASE32 encoding to form a reasonably com‐
18 pact and convenient string.
19 Incoming requests for file data are verified to the extent that the
21 requested file name must exist in the local index and the global model.
22 For information about ensuring you are running the code you think you
24 are and for reporting security vulnerabilities, please see the official
25 security page <https://syncthing.net/security.html>.
26
28 Global Discovery
29 When global discovery is enabled, Syncthing sends an announcement every
30 30 minutes to the global discovery servers so that they can keep a map‐
31 ping between your device ID and external IP. The announcement contain
32 the device ID and listening port(s). Also, when connecting to other
33 devices that have not been seen on the local network, a query is sent
34 to the global discovery servers containing the device ID of the
35 requested device. The connection to the discovery server is encrypted
36 using TLS and the discovery server certificate is verified, so the con‐
37 tents of the query should be considered private between the device and
38 the discovery server. The discovery servers are currently hosted by
39 @calmh <https://github.com/calmh>. Global discovery defaults to on.
40 When turned off, devices with dynamic addresses not on the local net‐
42 work cannot be found and connected to.
43 An eavesdropper on the Internet can deduce which machines are running
45 Syncthing with global discovery enabled, and what their device IDs are.
46 The operator of the discovery server can map arbitrary device addresses
48 to IP addresses, and deduce which devices are connected to each other.
49 If a different global discovery server is configured, no data is sent
51 to the default global discovery servers.
52 Local Discovery
54 When local discovery is enabled, Syncthing sends broadcast (IPv4) and
55 multicast (IPv6) packets to the local network every 30 seconds. The
56 packets contain the device ID and listening port. Local discovery
57 defaults to on.
58 An eavesdropper on the local network can deduce which machines are run‐
60 ning Syncthing with local discovery enabled, and what their device IDs
61 are.
62 When turned off, devices with dynamic addresses on the local network
64 cannot be found and connected to.
65 Upgrade Checks
67 When automatic upgrades are enabled, Syncthing checks for a new version
68 at startup and then once every twelve hours. This is by an HTTPS
69 request to the download site for releases, currently hosted by @calmh
70 <https://github.com/calmh>. Automatic upgrades default to on (unless
71 Syncthing was compiled with upgrades disabled).
72 Even when automatic upgrades are disabled in the configuration, an
74 upgrade check as above is done when the GUI is loaded, in order to show
75 the “Upgrade to …” button when necessary. This can be disabled only by
76 compiling Syncthing with upgrades disabled.
77 The actual download, should an upgrade be available, is done from
79 GitHub, thus exposing the user to them.
80 The upgrade check (or download) requests do not contain any identifi‐
82 able information about the user or device.
83 Usage Reporting
85 When usage reporting is enabled, Syncthing reports usage data at
86 startup and then every 24 hours. The report is sent as an HTTPS POST to
87 the usage reporting server, currently hosted by @calmh
88 <https://github.com/calmh>. The contents of the usage report can be
89 seen behind the “Preview” link in settings. Usage reporting defaults to
90 off but the GUI will ask once about enabling it, shortly after the
91 first install.
92 The reported data is protected from eavesdroppers, but the connection
94 to the usage reporting server itself may expose the client as running
95 Syncthing.
96 Sync Connections (BEP)
98 Sync connections are attempted to all configured devices, when the
99 address is possible to resolve. The sync connection is based on TLS
100 1.2. The TLS certificates are sent in clear text (as in HTTPS etc),
101 meaning that the certificate Common Name (by default syncthing) is vis‐
102 ible.
103 An eavesdropper can deduce that this is a Syncthing connection and cal‐
105 culate the device IDs involved based on the hashes of the sent certifi‐
106 cates.
107 Likewise, if the sync port (default 22000) is accessible from the
109 internet, a port scanner may discover it, attempt a TLS negotiation and
110 thus obtain the device certificate. This provides the same information
111 as in the eavesdropper case.
112 Relay Connections
114 When relaying is enabled, Syncthing will look up the pool of public
115 relays and establish a connection to one of them (the best, based on an
116 internal heuristic). The selected relay server will learn the connect‐
117 ing device’s device ID. Relay servers can be run by anyone in the gen‐
118 eral public. Relaying defaults to on. Syncthing can be configured to
119 disable relaying, or only use specific relays.
120 If a relay connections is required between two devices, the relay will
122 learn the other device’s device ID as well.
123 Any data exchanged between the two devices is encrypted as usual and
125 not subject to inspection by the relay.
126 Web GUI
128 If the web GUI is accessible, it exposes the device as running Sync‐
129 thing. The web GUI defaults to being reachable from the local host
130 only.
131
133 Parties doing surveillance on your network (whether that be corporate
134 IT, the NSA or someone else) will be able to see that you use Sync‐
135 thing, and your device IDs are OK to share anyway <https://docs.sync‐
136 thing.net/users/faq.html#should-i-keep-my-device-ids-secret>, but the
137 actual transmitted data is protected as well as we can. Knowing your
138 device ID can expose your IP address, using global discovery.
139
141 Anyone who can access the Syncthing TLS keys and config file on your
142 device can impersonate your device, connect to your peers, and then
143 have access to your synced files. Here are some general principles to
144 protect your files:
145 1. If a device of yours is lost, make sure to revoke its access from
147 your other devices.
148 2. If you’re syncing confidential data on an encrypted disk to guard
150 against device theft, put the Syncthing config folder on the same
151 encrypted disk to avoid leaking keys and metadata. Or, use whole
152 disk encryption.
153
155 The Syncthing Authors
156
158 2014-2019, The Syncthing Authors
159v1 Jun 11, 2019 SYNCTHING-SECURITY(7)