Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

188663-disable-encryption: conditional based on a new homeserver.yaml… #7

Merged
merged 4 commits into from
Mar 25, 2021

Conversation

jrschremmer
Copy link
Member

… configuration value named "encryption_enabled", which defaults to true, so existing functionality is not affected.

To minimise the merge maintenance that this solution introduces, I was initially going to do the third party rules impl (see matrix-org#4367 (comment) and matrix-org#6660 (comment)), until I saw that an additional change to rooms.py was also required. This change could be pushed back to https://github.com/matrix-org/synapse and potentially address matrix-org#4401.

Based on matrix-org#4367 (comment), encryption was disabled by setting the required power level to enable encryption for a room to be an impossible value, when creating a new room. Noting that this means the disabling of encryption will only affect rooms created after this change. It will also not affect rooms created by other servers, if federation is enabled.

Based on matrix-org#4367 (comment), RoomEncryption events were stripped, logged and ignored.

Both of the above two changes are conditional based on a new homeserver.yaml configuration value named "encryption_enabled", which defaults to true, so existing functionality is not affected.

Based on

  1. https://github.com/vector-im/element-web/blob/develop/docs/e2ee.md#disabling-encryption-by-default
  2. https://github.com/matrix-org/matrix-react-sdk/pull/4605/files
    the /.well-known/matrix/client was updated to indicate to clients if encryption is enabled. Noting that as mentioned at Unable to deploy .well-known file to disable E2EE by default. Consider config.json alternative element-hq/element-web#14079 (comment), clients use the "default_server_config" -> "m.homeserver" -> "server_name" as the domain name in the lookup of /.well-known/matrix/client. If this is different to the domain in "default_server_config" -> "m.homeserver" -> "base_url", it is suggested that your client is updated to check the "base_url" locartion if the well-known config is not found for "server_name".

These changes to the source code were applied to the synapse docker image, by copying the modified source over the top of the existing files. This method only works if the changes made to the source code don't introduce new dependencies, that the synapse docker image doesn't already provide.

Testing performed

  1. With no encryption_enabled value in the homeservice.yaml file, confirmed that https://pegacorn-communicate-roomserver.site-a:30880/.well-known/matrix/client returned "io.element.e2ee":{"default":"true"}
  2. With encryption_enabled: false in the homeservice.yaml file, confirmed that
    2.1 https://pegacorn-communicate-roomserver.site-a:30880/.well-known/matrix/client returned "io.element.e2ee":{"default":"false"}
    2.2 In element web created a new private room with encryption enabled ... confirmed that
    2.2.1 Room -> Settings -> Security & Privacy -> Encrypted is disabled
    2.2.2 In the synapse server logs saw:
    2.2.2.1 synapse.handlers.room - 906 - INFO - POST-739 - Removed RoomEncryption event for room_id=![room_id]:[homeserver server_name] created by @[user_id]:[homeserver server_name]
    2.2.2.2 synapse.handlers.room - 952 - DEBUG - POST-739 - power_level_content['events'][EventTypes.RoomEncryption]=101 for room_id=![room_id]:[homeserver server_name] created by @[user_id]:[homeserver server_name]
    2.2.2.3 Could see the unencrypted message sent in the room: synapse.storage.SQL - 306 - DEBUG - persist_events-7 - [SQL values] {persist_events-357} (... "type":"m.room.message","room_id":"![room_id]:[homeserver server_name]","sender":"@[user_id]:[homeserver server_name]","content":{"msgtype":"m.text","body":"my test message"} ...)

… configuration value named "encryption_enabled", which defaults to true, so existing functionality is not affected.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants