gui, man: Update docs & translations
@@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
.TH "SYNCTHING-SECURITY" "7" "December 11, 2016" "v0.14" "Syncthing"
.TH "SYNCTHING-SECURITY" "7" "December 17, 2016" "v0.14" "Syncthing"
.SH NAME
syncthing-security \- Security Principles
.
@@ -50,23 +50,28 @@ for reporting security vulnerabilities, please see the official \fI\%security pa
.SH INFORMATION LEAKAGE
.SS Global Discovery
.sp
When global discovery is enabled, Syncthing sends an announcement packet every
30 minutes to the global discovery server so that it can keep a mapping
between your device ID and external IP. The packets contain the device ID and
listening port. Also, when connecting to other devices that have not been seen
on the local network, a query is sent to the global discovery server
containing the device ID of the requested device. The discovery server is
currently hosted by \fI\%@calmh\fP <\fBhttps://github.com/calmh\fP>\&. Global discovery defaults to \fBon\fP\&.
When global discovery is enabled, Syncthing sends an announcement every 30
minutes to the global discovery servers so that they can keep a mapping
between your device ID and external IP. The announcement contain the device
ID and listening port(s). Also, when connecting to other devices that have
not been seen on the local network, a query is sent to the global discovery
servers containing the device ID of the requested device. The connection to
the discovery server is encrypted using TLS and the discovery server
certificate is verified, so the contents of the query should be considered
private between the device and the discovery server. The discovery servers
are currently hosted by \fI\%@calmh\fP <\fBhttps://github.com/calmh\fP>\&. Global discovery defaults to \fBon\fP\&.
.sp
When turned off, devices with dynamic addresses not on the local network cannot
be found and connected to.
.sp
An eavesdropper on the Internet can deduce which machines are running
Syncthing with global discovery enabled, what their device IDs are, and what
device IDs they are attempting to connect to via global discovery.
Syncthing with global discovery enabled, and what their device IDs are.
.sp
The operator of the discovery server can map arbitrary device addresses to
IP addresses, and deduce which devices are connected to each other.
.sp
If a different global discovery server is configured, no data is sent to the
default global discovery server.
default global discovery servers.
.SS Local Discovery
.sp
When local discovery is enabled, Syncthing sends broadcast (IPv4) and multicast
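Review bot: The eavesdropper paragraph in this hunk still says an observer can deduce "what their device IDs are", while the paragraph added above it says the discovery connection uses TLS with a verified server certificate and that the query contents are private between the device and the server. Please state explicitly whether announcements are protected the same way as queries and, if the device ID remains observable on the wire, by what means, so the two paragraphs do not read as contradictory. Also, "The announcement contain the device" should be "contains", and the new text switches between "discovery servers" and "the discovery server". Since the file header marks this page as generated from reStructuredText, these belong in the source document.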
@@ -82,20 +87,20 @@ found and connected to.
.sp
When automatic upgrades are enabled, Syncthing checks for a new version at
startup and then once every twelve hours. This is by an HTTPS request to the
download site for releases, currently \fBhosted at GitHub\fP\&. Automatic upgrades
default to \fBon\fP (unless Syncthing was compiled with upgrades disabled).
download site for releases, currently \fBhosted by :user:\(gacalmh\(ga\fP\&.
Automatic upgrades default to \fBon\fP (unless Syncthing was compiled with
upgrades disabled).
.sp
Even when automatic upgrades are disabled in the configuration, an upgrade check
as above is done when the GUI is loaded, in order to show the "Upgrade to ..."
button when necessary. This can be disabled only by compiling syncthing with
button when necessary. This can be disabled only by compiling Syncthing with
upgrades disabled.
.sp
In effect this exposes the majority of the Syncthing population to tracking by
the operator of the download site (currently GitHub). That data is not available
to outside parties (including \fI\%@calmh\fP <\fBhttps://github.com/calmh\fP> etc), except that download counts
per release binary are available in the GitHub API. The upgrade check (or
download) requests \fIdo not\fP contain any identifiable information about the user,
device, Syncthing version, etc.
The actual download, should an upgrade be available, is done from
\fBGitHub\fP, thus exposing the user to them.
.sp
The upgrade check (or download) requests \fIdo not\fP contain any identifiable
information about the user or device.
.SS Usage Reporting
.sp
When usage reporting is enabled, Syncthing reports usage data at startup and
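Review bot: In the Automatic Upgrades paragraph, "hosted by :user:\(gacalmh\(ga" is an unexpanded reST role that has leaked into the generated output inside bold markup; elsewhere in this file the same mention renders as "\fI\%@calmh\fP <\fBhttps://github.com/calmh\fP>". Move the role out of the strong emphasis in the source and regenerate the page. Separately, the privacy statement is narrowed from "the user, device, Syncthing version, etc." to "the user or device" without saying what the request does carry; state which fields are sent so readers can judge the tracking exposure.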
@@ -121,6 +126,20 @@ Likewise, if the sync port (default 22000) is accessible from the internet, a
port scanner may discover it, attempt a TLS negotiation and thus obtain the
device certificate. This provides the same information as in the eavesdropper
case.
.SS Relay Connections
.sp
When relaying is enabled, Syncthing will look up the pool of public relays
and establish a connection to one of them (the best, based on an internal
heuristic). The selected relay server will learn the connecting device\(aqs
device ID. Relay servers can be run by \fBanyone in the general public\fP\&.
Relaying defaults to \fBon\fP\&. Syncthing can be configured to disable
relaying, or only use specific relays.
.sp
If a relay connections is required between two devices, the relay will learn
the other device\(aqs device ID as well.
.sp
Any data exchanged between the two devices is encrypted as usual and not
subject to inspection by the relay.
.SS Web GUI
.sp
If the web GUI is accessible, it exposes the device as running Syncthing. The
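Review bot: The new Relay Connections section lists the device IDs a relay learns but does not say whether the relay also sees the IP addresses of the two devices, which matters here because the section itself notes that relays can be run by "anyone in the general public" and that relaying defaults to on. The Global Discovery section spells out the ID-to-IP mapping available to the discovery operator; add the equivalent sentence for relay operators, and name the setting that disables relaying or restricts it to specific relays. Typo: "If a relay connections is required" should read "a relay connection".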