From 1413b3b29969521ccfccf6ca2f7cf841a1204e13 Mon Sep 17 00:00:00 2001 From: Aminda Suomalainen Date: Mon, 10 Jan 2022 21:51:14 +0200 Subject: [PATCH] blog/mcasbo: explain room versions(???), mention Conduit and Matrix ACL mess and add references for those Resolves: #270 --- ...matrix-community-abuse-security-by-obscurity.md | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/blog/_posts/2021-12-05-matrix-community-abuse-security-by-obscurity.md b/blog/_posts/2021-12-05-matrix-community-abuse-security-by-obscurity.md index cc41d59..81868f3 100644 --- a/blog/_posts/2021-12-05-matrix-community-abuse-security-by-obscurity.md +++ b/blog/_posts/2021-12-05-matrix-community-abuse-security-by-obscurity.md 
@@ -28,12 +28,13 @@ smaller steps: 1. ***WARNING*** The room version number here is configured in Jekyll site variable, not one specific to this post. 2. ***WARNING*** You should check [the Matrix spec](https://spec.matrix.org/latest/rooms/) - for the latest stable room version. + for the latest stable room version. Or maybe the [unstable spec](https://spec.matrix.org/unstable/rooms/)? + Or maybe you should just [search GitHub](https://github.com/matrix-org/matrix-doc/issues?q=room%20version)? + I have no idea how that works as the time of writing both are missing room versions 8 and 9. 3. ***WARNING*** Traditionally homeservers by other parties than Matrix.org (read Synapse) lag behind on supported room versions and you may break your room for people using those. At the time of adding this note (2021-12-14), the - spec v1.1 is a month and couple of days old (2021-09-11) and room version - 7 is not implemented by Conduit. + spec v1.1 is a month and couple of days old (2021-09-11) and [room version 7 is not implemented by Conduit](https://gitlab.com/famedly/conduit/-/issues/161). 1. Yes, at the time of writing this post I am recommending version 9, while the aforementioned variable is {{ site.matrixLatestRoomVersion }}, as that is what Element encourages and features such as restricted rooms @@ -73,7 +74,7 @@ you have three methods to promote your other accounts: a git repository from which you can copy-paste it to all rooms, first `/devtools`, then "room state", "m.room.power_levels", "edit" and you can paste your new administrators there and press "send"! This is the only mass option you have, - and you will have to do this once every twenty rooms. + and you will have to do this in each twenty rooms. Remember you will have to do this every time you add a new moderator (or they will be unable to act in the room when they are needed)! 
@@ -96,6 +97,11 @@ you simply use `/devtools` and ban the entire server by sending a completely new `m.room.server_acl`, luckily you are a professional `/devtools` user at this point so having to do this 20 times is nothing to you. +*2022-01-10 addition:* this becomes worse as Matrix Synapse alongside [the Matrix protocol itself will authorise everything done by servers that don't honour the `m.room.server_acl` event](https://github.com/matrix-org/matrix-doc/issues/3506) +so as per the guide, you will have to acl those servers too (or the ACL might as well not exist). Sadly at the time +of writing that also includes [Conduit, so all Conduits must be ACLed too](https://gitlab.com/famedly/conduit/-/issues/67), +even if they weren't malicious. A minor comfort is that [Conduit doesn't currently support room versions 7, 8 and 9](https://gitlab.com/famedly/conduit/-/issues/161). + ### Icing on the cake Could this get any better? Yes, the abuse could happen when you are sleeping
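Review bot: in the first hunk (`@@ -28,12 +28,13 @@`), the added line "I have no idea how that works as the time of writing both are missing room versions 8 and 9" has a typo, "as the time of writing" should be "at the time of writing", and it reads as the author thinking aloud rather than as a warning; consider stating the observation plainly, e.g. "At the time of writing neither the stable nor the unstable spec lists room versions 8 and 9, so also search the spec issue tracker", keeping the three links. While touching this list item, note that the unchanged context "At the time of adding this note (2021-12-14), the spec v1.1 is a month and couple of days old (2021-09-11)" does not add up: 2021-09-11 to 2021-12-14 is roughly three months, so either the date or the phrase is wrong and should be corrected in the same change.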
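Review bot: in the second hunk (`@@ -73,7 +74,7 @@`), the replacement "and you will have to do this in each twenty rooms" is still ungrammatical; since the surrounding sentence says this is the only mass option and the paragraph is about repeating the power-levels edit per room, "and you will have to do this in each of the twenty rooms" (or "once in each of your twenty rooms") says what was meant.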
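Review bot: in the third hunk (`@@ -96,6 +97,11 @@`), the added paragraph tells the reader that every server that does not honour `m.room.server_acl` "must be ACLed too", naming Conduit, but gives no way for a room admin to find out which servers in a room run Conduit (or any other non-honouring implementation), so the advice is not actionable as written; either state that this is not discoverable from the room and therefore the ACL cannot be relied on, or point to how one would check a server's implementation. Smaller points in the same paragraph: "you will have to acl those servers" uses lowercase "acl" as a verb while the next sentence uses "ACLed", so pick one spelling; "even if they weren't malicious" should be "even if they aren't malicious" to match the present tense of the sentence; and the closing "A minor comfort is that Conduit doesn't currently support room versions 7, 8 and 9" should spell out why it is a comfort, presumably that rooms on the version 9 this guide recommends cannot be joined from Conduit at all, so Conduit cannot be used to bypass the ACL there. Note also that the earlier context in the first hunk says only "room version 7 is not implemented by Conduit" while this hunk cites the same issue for 7, 8 and 9; the two statements should agree.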