Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Consider handling server ACLs through event auth rules rather than at the network level #928

Open
anoadragon453 opened this issue Nov 17, 2021 · 5 comments
Open

Consider handling server ACLs through event auth rules rather than at the network level #928

anoadragon453 opened this issue Nov 17, 2021 · 5 comments
Labels
feature Suggestion for a significant extension which needs considerable consideration

Comments

@anoadragon453
Copy link
Member

The topic of why server ACLs act at the network level, and not the event auth level came up in discussion today in #matrix-spec. Summarising the conversation, handling ACLs in event auth mean that:

  • locking it to a room version, which has the side-effect of knowing that all compliant homeservers in the room should support server ACLs.
    • This can prevent events from "leaking" out of servers that don't support server ACLs.
    • Room participants will have a simple way to check if all homeservers in the room support server ACLs, instead of checking homeserver implementation projects and version numbers.
    • This will boost support of server ACLs in homeserver implementations, as it will be necessary to participate in newer room versions.

The original proposal for Server ACLs noted that doing so at the network level was done for the sake of time - however @richvdh commented that a DAG-level ban would be ineffective. I'd be interested to know why?
@richvdh
Copy link
Member

richvdh commented Nov 17, 2021

gosh that was a long time ago :/. For internal folks, there was discussion of this in an old room at https://matrix.to/#/!ciirqRAoioaytTwWEQ:matrix.org/$1530540612198SvWYT:sw1v.org?via=matrix.org&via=sw1v.org&via=t2l.io.

A summary of the reasoning is:

Basically, if the ACL applies at the DAG level, there is nothing stopping an ACLed server generating join events etc based on an old point in the graph. This is mitigated to some extent nowadays by soft-fail, however an ACLed server would still be able to, for example, cause a DoS by injecting thousands of state events into the room.

Similarly, one of the goals of ACLs is to protect rooms from abusive manipulation of the state resolution algorithm. By preventing an attacker sending events at all, we dramatically reduce their ability to abuse state res.

There may well be an argument for both approaches.

@Gnuxie Gnuxie mentioned this issue Dec 2, 2021
Open
@ShadowJonathan
Copy link
Contributor

ShadowJonathan commented Dec 2, 2021
edited
Loading

The original proposal for Server ACLs noted that doing so at the network level was done for the sake of time

With some idea of what happened around that time, my opinion is to "rectify" this with the suggested approach of baking this into the stateres, but as rich says;

Basically, if the ACL applies at the DAG level, there is nothing stopping an ACLed server generating join events etc based on an old point in the graph.

This is true, but a new proposal could suggest points of "short-circuiting" as an optional preventative measure, in the same vein as it is the primary measure nowadays.

To summarize;

I think that ACLs should be primarily and firstly recognised in a context of stateres, but for the wider DoS context it exists around, it should "inform" federation relations with that server as it does today, in a similar vein to SMTP Error 421, "4.7.0", "Try Again Later".

A server could keep track of all servers that are currently on a ACL list through valid stateres, put them on a "short list", quickly match against that list when fetching or receiving incoming events, and possibly pre-emptively reject state-like events out of hand.

This above approach would be optional, enhancing the core protection that the stateres approach would provide, if the developers deem that fit.

@richvdh richvdh transferred this issue from matrix-org/matrix-spec-proposals Mar 2, 2022
@Mikaela
Copy link

Mikaela commented Mar 9, 2022

Do I understand correctly that something has been done here recently or will be done in near future considering Element blog is just mentioning that ACLs exist?

I have also blogged about other moderation issues.

@Mikaela
Copy link

Mikaela commented Mar 25, 2022

As my previous question went unanswered and Matrix.org blog mentions this now:

There’s a recent write-up of the proposed approach for Matrix at https://element.io/blog/moderation-needs-a-radical-change/, which outlines one strategy - but there are many others. Honestly, having to improve moderation tooling is a worthwhile price to pay for the benefits of open APIs.

I would like to ask is this still Element Marketing Team in action, or are these issues becoming a priority to Matrix Foundation too?

@turt2live turt2live mentioned this issue May 28, 2022
Closed
@turt2live turt2live added the feature Suggestion for a significant extension which needs considerable consideration label May 28, 2022
@Mikaela Mikaela mentioned this issue Jun 7, 2022
Open
Gnuxie added a commit to Gnuxie/matrix-doc that referenced this issue Apr 9, 2024
@Gnuxie
4124 prefix
05a6ed0 
matrix-org/matrix-spec#928
@Gnuxie
Copy link
Contributor

Gnuxie commented Apr 9, 2024

Hey everyone, I have created MSC4124 with some simple authorization rules that consider the origin server of events.

@Gnuxie Gnuxie mentioned this issue Apr 12, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature Suggestion for a significant extension which needs considerable consideration
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@Mikaela @turt2live @anoadragon453 @richvdh @ShadowJonathan @Gnuxie