Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[WIP] MSC3647: Bring Your Own Bridge - Decentralising Bridges #3647

Draft
wants to merge 3 commits into
base: main
Choose a base branch
from

Conversation

ShadowJonathan
Copy link
Contributor

@ShadowJonathan ShadowJonathan commented Jan 14, 2022

@ShadowJonathan ShadowJonathan changed the title BYOB [WIP] MSC3647: Bring Your Own Bridge - Decentralising Bridges Jan 14, 2022
@turt2live turt2live added application services kind:feature MSC for not-core and not-maintenance stuff needs-implementation This MSC does not have a qualifying implementation for the SCT to review. The MSC cannot enter FCP. proposal A matrix spec change proposal labels Jan 14, 2022
the user's account. This can be done by having the user open a DM with the HB, send a
to_device message, or to send a dummy event in the bridge room. (each have tradeoffs and considerations)

Verifying a platform account is tricker, as the bridged chat platform may not follow an exact format
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm worried about this step. A VB could easily bridge the wrong messages for a user, or just not bridge anything at all and effectively be a malicious actor in the room.

How can the HB trust that the VB really has access to a remote users account. Even if there is initial verification, what's the process to avoid a netsplit after the VB is compromised.

One of the advantages on a monolithic bridge architecture is you only need to trust the one bridge, in this model users need to trust bridges that third parties are providing.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The line specifically was more about that making a generic process is hard to do between radically different platforms (slack, discord, IRC)

I guess for your specific concern, a HB can initiate a verification/challenge at any point in time, to re-verify a VB.

For this specific situation, the user has to trust the VB, and then the VB has to trust the HB (and vice versa), in this case the HB will have a "hands off" approach, and assumes that the user knows what they're doing to have the VB request the HB to yield bridging of their specific user to the VB.

The trade-off is that, yes, now users need to trust third-party bridges, but if the users already trust the HB, and the HB has verified the VBs have access to their respective users, then it's a pseudo-web-of-trust.

The only security problem (and I'll update this in the text) is that yes, any VB can assume control (either voluntary or not) of a particular user's accounts, and then deny bridging their messages properly.

removal of the need for the AS API could move these bridges to remote spots, such as user-hosted
raspberry PIs, operating itself as a "normal" matrix user.

# Potential Issues

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Another noteworthy downside is the added complexity. Bridging two chat protocols is already a really complex endeavor, with a lot of subtle bugs caused by nuanced differences between both platforms. It is also inherently stateful, keeping the bridge appservice in sync with both worlds is incredibly tricky.

Thus, I'd consider adding even more complexity and even more distributed state a bad idea.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
application services kind:feature MSC for not-core and not-maintenance stuff needs-implementation This MSC does not have a qualifying implementation for the SCT to review. The MSC cannot enter FCP. proposal A matrix spec change proposal
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants