-
Notifications
You must be signed in to change notification settings - Fork 381
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[WIP] MSC4097: Interactions between media redirection and authentication #4097
Draft
turt2live
wants to merge
1
commit into
main
Choose a base branch
from
travis/msc/media-redirect-auth-cdn
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Draft
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,60 @@ | ||
# MSC4097: Interactions between media redirection and authentication | ||
|
||
With the introduction of [MSC3860 (merged)](https://github.com/matrix-org/matrix-spec-proposals/blob/main/proposals/3860-media-download-redirect.md), | ||
media download requests can be redirected to a CDN or other resource, allowing server owners to reduce | ||
costs of hosting a Matrix homeserver. [MSC3916 (proposed)](https://github.com/matrix-org/matrix-spec-proposals/pull/3916) | ||
introduces a concept of authenticating those download requests. Authentication alone doesn't prevent | ||
the ability to use a CDN (the client simply authenticates its request, then gets redirected), however | ||
with follow-up MSCs like [MSC3911 (proposed)](https://github.com/matrix-org/matrix-spec-proposals/pull/3911), | ||
the media the client is trying to download may be linked to an event and thus should not be viewable | ||
by sharing the link to third parties. | ||
|
||
The abstract concept of preventing users from sharing download links with users/clients not in the room | ||
is tricky to resolve in a way where a CDN can still operate. CDNs are not typically capable of doing | ||
the authentication check themselves during the download request, necessitating a Matrix-aware application | ||
layer to perform that authentication. The layer can still redirect to the CDN, but that then opens up | ||
an opportunity for the user to copy/paste the link again. | ||
|
||
Some server operators may be tolerable to this risk or decide that a time-limited URL with the CDN is | ||
suitable for their use case. Others, however, may still wish to use a CDN *and* prevent most cases of | ||
copy/paste from working. | ||
|
||
This proposal covers that use case. A symmetric encryption key is generated by the server after the | ||
request is authenticated, injected into the CDN, and then returned to the client alongside the | ||
redirect. The client then follows the redirect and requests the media from the CDN. The CDN encrypts | ||
the media download on the fly using the symmetric key, and the client decrypts it before serving it | ||
to the user (or before further decrypting it, if the media is in an encrypted room). If the user were | ||
to share the redirected URL, the requester would get encrypted content back unless the user also extracted | ||
the key from their client. | ||
|
||
Most notably, this behaviour is *opt-in*. Both the client and server can decide to use a different | ||
approach for serving media, though that approach may have lesser security/privacy. | ||
|
||
**TODO**: Consider not re-encrypting media that's in an encrypted room already. It's simpler to encrypt | ||
everything, but if we already know the event ID contains encrypted content because we've linked it to | ||
the media ID, we can probably assume it'll be fine enough to serve verbatim. | ||
|
||
## Proposal | ||
|
||
**TODO**: The words! Somehow the client needs to get the key (`/config`?), and needs to know how to use | ||
it. Also, pick an encryption algorithm. | ||
|
||
## Potential issues | ||
|
||
**TODO**: This section. | ||
|
||
## Alternatives | ||
|
||
**TODO**: This section. | ||
|
||
## Security considerations | ||
|
||
**TODO**: This section. | ||
|
||
## Unstable prefix | ||
|
||
**TODO**: This section. | ||
|
||
## Dependencies | ||
|
||
**TODO**: This section. |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wouldn't having the auth/expiration data in a header instead of the URL fulfill the same purpose (preventing copying links) without the added complexity of an additional layer of encryption?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
CDNs find it difficult to use headers, unfortunately.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
CDNs find it easier to receive a temporary encryption key via a side channel and encrypt media on the fly than just read a header in the request and do some simple hmac check? 🤔 Fastly seems to have a header reading method at least: https://developer.fastly.com/reference/vcl/functions/headers/header-get/
A static per-media key would be easier for the CDN as it wouldn't need to know about encryption at all, and would also have the extra benefit of at-rest encryption, although that wouldn't be opt-in for clients.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The concern was that headers are slow and might not be compatible with all providers. Will take a look though.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ftr, Cloudflare and headers don't get along unless you have an Enterprise plan, which affects caching pretty badly.