Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Untrusted devices may delete data #894

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Untrusted devices may delete data #894

wants to merge 1 commit into from

Conversation

WhyNotHugo
Copy link

Explicitly mention that untrusted devices can delete files from a synchronised folder. While this can be inferred from the current description, it's probably best to be explicitly for this kind of caveat.

@calmh
Copy link
Member

calmh commented Feb 5, 2025

I don't think they can, really. Current implementation wise I suspect it will result in the untrusted side just being out of sync and wanting to download it again, and protocol wise it doesn't actually matter what the untrusted side says about the delete bit, I think...

@WhyNotHugo WhyNotHugo marked this pull request as draft February 5, 2025 16:10
@WhyNotHugo
Copy link
Author

I tested this and you're right; the encrypted remote just indicates that local changes must be reverted. I'll update to reflect the real facts.

@WhyNotHugo
Clarify behaviour of deletion with untrusted hosts
de11102 
Reading of the original explanation of how encrypted sync works might
make one assume that deleting an encrypted copy of a file would be
synchronised as a deletion onto plaintext hosts. This is not the case,
so explicitly clarify this.
@WhyNotHugo WhyNotHugo marked this pull request as ready for review February 5, 2025 16:17
@WhyNotHugo
Copy link
Author

I've updated the PR to reflect the actual behaviour.

I'm [positively] surprised that deleting an encrypted file doesn't get replicated as deleting the plaintext counterpart. Is the deletion "action" also relayed in an encrypted form?

@WhyNotHugo
Copy link
Author

(also updated commit message appropriately)

@calmh
Copy link
Member

calmh commented Feb 5, 2025
edited
Loading

It's an effect of the whole encrypted file metadata being carried inside the untrusted metadata. That original metadata can't be affected by an untrusted device, so it can't set the delete bit inside it.

An untrusted device can indeed delete a file locally and another untrusted device would replicate that delete because it doesn't know better. A trusted device that can decrypt the "inner" information will ignore the "outer" delete bit, though.

(I think that still doesn't happen in Syncthing because encrypted folders are receive-only and don't accept local changes, but that's an implementation detail rather than something inherent to the protocol. A hypothetical EvilSyncthing could send the deletes.)

@WhyNotHugo
Copy link
Author

So when a trusted device deletes a file, it encrypts new metadata with a deletion bit set and sends that over to the untrusted host, yes?

The untrusted host then keeps that around in order to sync with other (potentially trusted) hosts.

Does the untrusted host every delete the encrypted file? E.g.: the one which contains an encrypted deletion bit set?

@WhyNotHugo
Copy link
Author

Thanks for the explanation btw :)

@WhyNotHugo
Copy link
Author

A hypothetical EvilSyncthing could send the deletes.

So the protocol does allow it? E.g.: if the file is locally deleted and an untrusted host announced this the deletion gets replicated to trusted hosts?

@calmh
Copy link
Member

calmh commented Feb 6, 2025

No, but to other untrusted devices.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@WhyNotHugo @calmh