
Trust certificate on first use

Open generalmanager opened this issue 11 years ago • 6 comments

It seems like it checks if the certificate domain matches the domain given via -target, which fails because of syncthing's self-signed certificate with a fake domain:

ERROR: Get https://localhost:8080/rest/config: x509: certificate is valid for syncthing, not localhost

generalmanager avatar Oct 21 '14 03:10 generalmanager

The check of the certificate seems to be the default of go, should not be too hard to deactivate

alex2108 avatar Oct 21 '14 06:10 alex2108

Thanks for your quick reply! As long as there is no authentication going on (or the ui being on localhost), disabling the TLS check should be justifiable from a security perspective if the data isn't top secret. In all other scenarios this would be a very dangerous thing to do, because it would make a man in the middle attack trivial. A trust on first use based behaviour (TOFU) would be a lot better for that.

This means automatically accepting the certificate when contact is first made and saving it, so that it can't be replaced without a pop-up warning that there is either an active attack going on, or the tray application being run after wiping the pulse config/on a different computer.

On 21 October 2014 08:32:41 CEST, alex2108 [email protected] wrote:

The check of the certificate seems to be the default of go, should not be too hard to deactivate


Reply to this email directly or view it on GitHub: https://github.com/alex2108/syncthing-tray/issues/2#issuecomment-59884974

generalmanager avatar Oct 21 '14 08:10 generalmanager
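The trust-on-first-use behaviour described in the comment above, as an added example in Go (the language of syncthing-tray); this is illustrative code, not the project's own implementation. It assumes a pin file path (`syncthing-gui.pin`) chosen for the example, pins the SHA-256 fingerprint of the server's raw leaf certificate on first contact, and refuses any later connection whose certificate differs, which is exactly the case that should trigger the warning the comment asks for (active interception, or a regenerated certificate after a wiped config or on another machine). `InsecureSkipVerify` only switches off Go's CA-chain and hostname check; the `VerifyPeerCertificate` callback still enforces the pin.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"os"
)

// ErrPinMismatch is returned when the presented certificate differs from the
// one saved on first contact: either interception is happening, or the server
// legitimately regenerated its certificate (wiped config, different machine).
var ErrPinMismatch = errors.New("tofu: certificate fingerprint does not match saved pin")

// fingerprint returns the hex SHA-256 of the leaf certificate's DER bytes.
func fingerprint(derCert []byte) string {
	sum := sha256.Sum256(derCert)
	return hex.EncodeToString(sum[:])
}

// checkPin is the TOFU decision. storedPin is "" on first use.
// It returns the pin to persist (unchanged when one was already stored).
func checkPin(storedPin string, rawCerts [][]byte) (string, error) {
	if len(rawCerts) == 0 {
		return "", errors.New("tofu: server presented no certificate")
	}
	fp := fingerprint(rawCerts[0])
	switch {
	case storedPin == "":
		return fp, nil // first contact: trust and remember
	case storedPin == fp:
		return storedPin, nil // same certificate as last time
	default:
		return storedPin, fmt.Errorf("%w (saved %s, got %s)", ErrPinMismatch, storedPin, fp)
	}
}

// tofuClient builds an http.Client whose TLS verification is replaced by the
// pin check. The callback receives the raw certificate chain even though the
// standard chain/hostname verification is disabled.
func tofuClient(pinPath string) *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{
		InsecureSkipVerify: true,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			stored, err := os.ReadFile(pinPath)
			if err != nil && !errors.Is(err, os.ErrNotExist) {
				return err
			}
			pin, err := checkPin(string(stored), rawCerts)
			if err != nil {
				return err
			}
			if len(stored) == 0 {
				// First use: persist the pin so later changes are detected.
				return os.WriteFile(pinPath, []byte(pin), 0o600)
			}
			return nil
		},
	}}}
}

func main() {
	// Pin file name and URL are assumptions for this example, matching the
	// endpoint quoted in the issue.
	client := tofuClient("syncthing-gui.pin")
	resp, err := client.Get("https://localhost:8080/rest/config")
	if err != nil {
		fmt.Println("ERROR:", err)
		return
	}
	defer resp.Body.Close()
	fmt.Println("status:", resp.Status)
}
```

On a pin mismatch the request fails with an error wrapping `ErrPinMismatch`, so a tray application can recognise that case with `errors.Is` and show a warning that names both fingerprints instead of silently proceeding.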

Trust on first use is better, that's correct. I will have to look how to implement that.

As a fast fix I will deactivate the check but keep this open for a real fix of the problem.

alex2108 avatar Oct 21 '14 08:10 alex2108

Awesome, thanks! Would be nice if you informed the user about the ignoring, if the host is different from localhost/127.0.0.1.

On 21 October 2014 10:53:01 CEST, alex2108 [email protected] wrote:

Trust on first use is better, that's correct. I will have to look how to implement that.

As a fast fix I will deactivate the check but keep this open for a real fix of the problem.


Reply to this email directly or view it on GitHub: https://github.com/alex2108/syncthing-tray/issues/2#issuecomment-59897501

generalmanager avatar Oct 21 '14 08:10 generalmanager

added -i in https://github.com/alex2108/syncthing-tray/commit/7e73ffc0373923b198a80f3223e5737219b8a734 to skip the check

leaving it open with changed title because saving the certificate would be better

alex2108 avatar Oct 27 '14 07:10 alex2108

Thanks for the workaround until it can be done right!

On 27 October 2014 08:29:57 CET, alex2108 [email protected] wrote:

added -i in https://github.com/alex2108/syncthing-tray/commit/7e73ffc0373923b198a80f3223e5737219b8a734 to skip the check


Reply to this email directly or view it on GitHub: https://github.com/alex2108/syncthing-tray/issues/2#issuecomment-60557791

generalmanager avatar Oct 27 '14 09:10 generalmanager