Disable device name lookup over federation by default (#12616)

matrix-org · May 4, 2022 · 332cce8 · 332cce8
1 parent ba3fd54
commit 332cce8
Show file tree

Hide file tree

Showing 5 changed files with 24 additions and 12 deletions.
diff --git a/changelog.d/12616.misc b/changelog.d/12616.misc
@@ -0,0 +1 @@
+Prevent remote homeservers from requesting local user device names by default.
diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml
@@ -709,11 +709,11 @@ retention:
 #
 #allow_profile_lookup_over_federation: false
 
-# Uncomment to disable device display name lookup over federation. By default, the
-# Federation API allows other homeservers to obtain device display names of any user
-# on this homeserver. Defaults to 'true'.
+# Uncomment to allow device display name lookup over federation. By default, the
+# Federation API prevents other homeservers from obtaining the display names of
+# user devices on this homeserver. Defaults to 'false'.
 #
-#allow_device_name_lookup_over_federation: false
+#allow_device_name_lookup_over_federation: true
 
 
 ## Caching ##

diff --git a/docs/upgrade.md b/docs/upgrade.md
@@ -89,6 +89,17 @@ process, for example:
  dpkg -i matrix-synapse-py3_1.3.0+stretch1_amd64.deb
  ```
 
+# Upgrading to v1.59.0
+
+## Device name lookup over federation has been disabled by default
+
+The names of user devices are no longer visible to users on other homeservers by default.
+Device IDs are unaffected, as these are necessary to facilitate end-to-end encryption.
+
+To re-enable this functionality, set the
+[`allow_device_name_lookup_over_federation`](https://matrix-org.github.io/synapse/v1.59/usage/configuration/config_documentation.html#federation)
+homeserver config option to `true`.
+
 # Upgrading to v1.58.0
 
 ## Groups/communities feature has been disabled by default

diff --git a/docs/usage/configuration/config_documentation.md b/docs/usage/configuration/config_documentation.md
@@ -1035,13 +1035,13 @@ allow_profile_lookup_over_federation: false
 ---
 Config option: `allow_device_name_lookup_over_federation`
 
-Set this option to false to disable device display name lookup over federation. By default, the
-Federation API allows other homeservers to obtain device display names of any user
+Set this option to true to allow device display name lookup over federation. By default, the
+Federation API prevents other homeservers from obtaining the display names of any user devices
 on this homeserver.
 
 Example configuration:
 ```yaml
-allow_device_name_lookup_over_federation: false
+allow_device_name_lookup_over_federation: true
 ```
 ---
 ## Caching ##

diff --git a/synapse/config/federation.py b/synapse/config/federation.py
@@ -46,7 +46,7 @@ def read_config(self, config: JsonDict, **kwargs: Any) -> None:
  )
 
  self.allow_device_name_lookup_over_federation = config.get(
- "allow_device_name_lookup_over_federation", True
+ "allow_device_name_lookup_over_federation", False
  )
 
  def generate_config_section(self, **kwargs: Any) -> str:
@@ -81,11 +81,11 @@ def generate_config_section(self, **kwargs: Any) -> str:
  #
  #allow_profile_lookup_over_federation: false
 
- # Uncomment to disable device display name lookup over federation. By default, the
- # Federation API allows other homeservers to obtain device display names of any user
- # on this homeserver. Defaults to 'true'.
+ # Uncomment to allow device display name lookup over federation. By default, the
+ # Federation API prevents other homeservers from obtaining the display names of
+ # user devices on this homeserver. Defaults to 'false'.
  #
- #allow_device_name_lookup_over_federation: false
+ #allow_device_name_lookup_over_federation: true
  """