https://bugs.kde.org/show_bug.cgi?id=515707

--- Comment #5 from [email protected] ---
FYI This issue is also (kind of) tracked on Tailscale’s GitHub starting at this
comment:
https://github.com/tailscale/tailscale/issues/14476#issuecomment-3844353335

I'm also affected by this issue, also using Tailscale, also by manually adding
the Tailscale IPs / hostnames to the KDE Connect clients via config file / "add
devices by IP" on desktop / Android respectively.

I agree with Matt's 2nd suggestion to add a setting for this, I assume, security
feature filtering for local IPs only. Especially because a) KDE Connect (seems to)
use a TLS connection with TOFU authenticating both sides and b) there will be
(advanced) setups where KDE Connect connections should be routed through some
kind of VPN, be it device-to-device / site-to-site / and so on. Enabling this
security feature by default IMO is fine because I think this will be sufficient
for most users. And I see that this increases the security, as filtering for local
IPs only should decrease the attack surface, especially on phones which may be
confronted with connections using public IPs (e.g. via cellular connections).

Just in case, other ideas I had in mind, which seem more complex and less
secure when applied to all users, are:
2) allowing connections from IPs which are explicitly listed in the configs
(but then this may require users to list them on both sides; and what about
hostnames with multiple records)
3) only allowing connections from already paired devices (may be complex to
implement; still allows for increased attack surface; requires "local" pairing
first)

I would not just fix this for the 100.64.0.0/10 IP space because:
- There is IPv6 with its public & unique local addresses (ULA, fc00::/7).
Site-to-Site VPNs between trusted local networks may use public IPv6s. And on
the other side, depending on the context and/or network operator, ULAs might be
routed across "untrusted" networks.
- Some uncommon networks may use public IPv4 addresses.
- Maybe some users want/require KDE Connect connections via the internet.
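One way to express the address classes this comment distinguishes (LAN-local, the Tailscale/CGNAT and ULA ranges, everything else) together with the opt-in setting and the explicit allow-list idea, as an added example that is not KDE Connect's or Tailscale's code; the range lists, the `classify`/`is_allowed_peer` names and their parameters are assumptions for illustration:

```python
import ipaddress

# Ranges a "local IPs only" filter would accept without any setting
# (constructed for this example; the real policy may differ).
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "169.254.0.0/16", "127.0.0.0/8",                   # IPv4 link-local, loopback
    "fe80::/10", "::1/128",                            # IPv6 link-local, loopback
)]

# Not public, but not LAN-local either: the 100.64.0.0/10 space Tailscale uses
# (shared address space, not RFC 1918) and IPv6 ULA (fc00::/7).  Listing them
# explicitly avoids relying on a library's notion of "private".
OVERLAY_NETWORKS = [ipaddress.ip_network(n) for n in ("100.64.0.0/10", "fc00::/7")]


def classify(addr: str) -> str:
    """Return 'local', 'overlay' or 'public' for a peer address (v4 or v6)."""
    ip = ipaddress.ip_address(addr)
    # `in` on a network of the other IP version is simply False, so mixed
    # v4/v6 lists are safe to scan together.
    if any(ip in net for net in LOCAL_NETWORKS):
        return "local"
    if any(ip in net for net in OVERLAY_NETWORKS):
        return "overlay"
    return "public"


def is_allowed_peer(addr: str, allow_overlay: bool = False,
                    extra_allowed=()) -> bool:
    """Decide whether a connection from `addr` passes the source filter.

    allow_overlay -- hypothetical opt-in setting for VPN/overlay ranges
    extra_allowed -- hypothetical explicitly configured networks or hosts,
                     e.g. a site-to-site VPN's public IPv6 prefix (idea 2)
    """
    kind = classify(addr)
    if kind == "local":
        return True
    if kind == "overlay" and allow_overlay:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in extra_allowed)
```

With the default settings a Tailscale peer such as 100.101.102.103 is rejected; it is accepted only once the overlay opt-in is set, while a public IPv6 VPN peer needs an explicit allow-list entry.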
