Spurious ephemeral contact #19
Comments
|
Hey @KyleMaas, thanks that you are thinking about these things. I don't have a lot of time now, but I'll try to come back to this thread soon. The gist of my argument is that SSB works best as a "pull network" (this is a term we've used several times in SSB, you can search for it to read more about it), in other words, an invite-only network. We have attempted doing open invites (see e.g. easy-ssb-pub) and allow any random person to get data from almost anyone, and it back-lashed: brought spam, randos, disinteresting content, abuse vectors, etc. We intently do not want to support such use cases again, and I think we'll operate just fine with a pull network only. I myself initially joined SSB by asking for an invite. New social networks like Clubhouse are also growing solely on an invite system, and it proves it can scale fast. So has Gmail done in the past. Anyway, I firmly believe in the pull network idea. It doesn't undermine off grid use cases (you can gossip-replicate with other off grid friends, or just mutually follow on-the-spot), and rooms aren't meant to replace pubs (although I would like for rooms to replace pubs for onboarding), and even pubs shouldn't be open invite, most pubs nowadays any way do mutual follows, so they would work with EBT and other assumptions of mutual follows. I want to invite you to think about pros and cons. For instance
We have heard from many users in the SSB community that exactly that would be a huge step forwards. One person's easy access to data is another person's easy exposure to abuse. |
|
Thank you for your consideration on this subject.
That demonstrates exactly problem I see with requiring mutual follows. I think we're talking about the same problem from two different angles, because I'm arguing against open invites, and what makes me nervous about requiring mutual follows is that I see that requirement as causing a side effect of essentially requiring open invite pubs to exist. Everyone new to the network should be in a position to not be trusted. You don't know if they're trying to force spam, abuse, etc. onto the network. Likewise, when connecting to a new peer, you may not know if you actually want to follow their content, but would like to replicate anything they have from others who you do follow/trust. But as I understand it, the requirements for Tunneled Authentication mean that you wouldn't even be able to establish a connection with another peer without both of you following each other. Consider the follow use case from the Tunneled Authentication page:
If you had the ability to replicate from them without following, the SSB client application could show "You have received an incoming connection request from X, here are their last 10 messages that we've temporarily replicated without saving to the database. Do you trust them enough to follow them?" Without untrusted replication, you would have to blindly trust them first to see if they are worth trusting. The trust model is backwards. With mutual follows required, onboarding a user that you do know (a real-life friend, for example) would have to be done interactively to do it without using an open invite pub (or at least in a bunch of steps with potential long lag time between). The way I read the spec right now, if you were trying to invite a friend, you could not invite them until after they generated their key, because they have to be followed first. Even assuming you blindly trusted incoming connections within a time period and assumed it was probably your friend, their connection would first have to fail so you'd get a record of it and could follow them. Without a secondary interactive communications medium, the new user gets no data and is left to stare at a blank screen until they can get their feed followed by their inviting friend.
I would argue that by posting broadcast public messages, if anyone follows you who's connected to a pub, you've already lost that battle to keep your "public" data secret. Or if any pub on the network increases their hop count to replicate further out from them and happens to pull in your content. One way or another, anyone on the network can follow you without your consent or control, and that data can get to them indirectly whether you follow them back or not. So why should rooms 2.0 be different?
This is exactly what I'm saying. Open-invite pubs are, in my opinion, worse for the network for spam, abuse, etc. than if you limited the amount of trust that was given out to users willy-nilly. By allowing held-at-arms-length replication without trust, the network can be made much more robust for legitimate users (who are far more likely to already have their content widely replicated and thus available to new untrusted peers) without having to break that trust model. In an ideal case, that would nearly eliminate the need for pubs, especially open-invite pubs, which I think nearly everyone agrees are bad for the network. If you could do partial replication with folks you don't trust, you could still replicate data from those who you do trust. You could mistrust the messenger but still get trusted and verified data. My point is that trust should be earned, not given freely. A mutual follow prerequisite requires trusting someone first to determine if they're trustworthy. It requires giving out more trust more freely than I'm comfortable with. That is the core of my concern. |
You can invite them without them having generated a key, but you'll see a connection attempt from "some ID", and you'll have to manually accept or deny that connection. The secondary communications medium is assumed to exist one way or another (to get an invite, for instance), so you can either accept that incoming connection by confirming the ID in a secondary channel, or by just assuming that the timing makes sense.
I'm not concerned about that and I think a trust-is-given-not-earned approach is commendable, it's more welcoming. |
But then it's not an automatically-accepted invite that you can give a friend and have them join at their leisure like you can do with DHT connections, for example. It requires a secondary approval by the invite generator after they've already given their approval, and it requires a connection denial to show the request. It introduces more steps and lag time. A secondary communications medium is required one way or the other, yes, but a secondary interactive communications medium is required with this if you want to avoid the "new user gets a blank screen" outcome. I can't just give a coworker an invite code and say "join when you get home".
Which is why open-invite pubs exist. |
For people who don't mind exposure to randos, yes. But we'd like to have safer defaults. There's always a tradeoff between privacy and convenience, there's never a clear win that doesn't sacrifice anything. |
Indeed. But that's what I mean by people earning trust instead of it being given out freely. And that's why I feel like requiring a mutual follow to connect breaks the trust model. An open-invite pub trusts everyone freely and blindly. If we can do partial replication without fully following/trusting, then there can be varying degrees of trust:
If you require mutual following, there is no middle ground between (1) and (4). And for the most part, that has to be arranged for ahead of time. I see where you're coming from, but I feel there is room for nuance. There can be a sliding scale of trust, and control can be given to the user with a sane default on the client. It doesn't need to be all-or-nothing extremism to be able to function in a safe and effective manner for everyone involved. |
|
Case (2): do you mean that they are friends of friends? I can see an option where tunneled authentication allows friends and friends of friends, where this can be configured. Case (3): you may want their data, but they may not want you to have their data. |
|
I very much appreciate the thoughtful discussion on this.
Let's say you follow person A, B, and C. You connect to a peer X who doesn't follow you but does follow person A and C. You ask peer X for any information they have on anyone you follow - A, B, or C. They send you what they have for person A and C. In this case, at no point do you replicate peer X's data.
And what if they do? I'm saying this should be user-configurable with a client setting, not baked into the protocol. |
One point I should clarify about this use case. I simplified this down to a single hop example for simplicity. But in reality, you could not imply from this from peer X follows person A or person C. They may only have their data because peer X follows person D who follows both person A and person C, and has by extension pulled both into their database. For that matter, they may have followed person D at one time but have now blocked them and just didn't remove A and C's messages from their database. They may have their hops set to 100 and have pulled in every message on earth. So you can't derive information about who peer X follows from this. It just means that their data has been somehow replicated to their database. |
It's actually quite hard to "bake into the protocol" the design decisions. Most or almost all design decisions can easily be forked in a compatible way. Specifically here with tunneled authentication, it's a "client protocol", so it's enforced by room clients, not the room server. It's entirely possible for clients to allow connections from any peer, there is little we can do with protocol design to prevent them from doing that. The reason why this room design doc encourages mutual follows is that allowing open connections from any peer will open the door to several kinds of problems, especially because aliases will make it easy for anyone on the internet to connect with you directly, by giving you a public URL that could be posted anywhere. That's different from rooms 1.0. Not only are there abuse risks, there's also bandwidth and overload problems. Connecting directly means that your peer (potentially a mobile phone) will act as "server", uploading many megabytes worth of data to any peer that asks for it. It could suddenly slow down your phone or even crash it. Think of a use case where Famous Person puts an alias on their webpage, and then thousands of strangers consume that alias, connect with Famous Person over the room, and then each one of those thousands will ask for megabytes worth of data. It's a bad default to allow strangers to connect to you. Not the case with pubs as they are usually built for uptime and can reboot. You don't want your phone's battery dying or your desktop computer crashing.
If I'm the person initiating the connection with X, I'm not the one enforcing the "mutual connection" requirement, it's X that checks for that. In other words, the peer receiving the connection attempt is the one who checks if a follow exists, and if not, cancels the would-be connection. It's perfectly possible that X would not have such enforcement logic, and would allow anyone to connect. Again, it's about the defaults and the intended use case. |
|
Also worth mentioning that in Manyverse we did a user experience research on the topic of onboarding (which informed the design of alias URLs in this repo), and we discovered that users consider it important to manually allow/reject connection attempts, for privacy and safety. https://gitlab.com/staltz/manyverse/-/wikis/UX-project:-%22Welcome-to-the-Manyverse%22 |
Fair point. Makes good sense. As long as the user is given the option, and it can be configured without breaking clients connecting to them, it mostly solves my concern. How about a bandwidth limit for replicating to others unless you follow them?
If that's the case, and it's regularly tested so that it can be done without clients crashing, then I could see this working. Looking through the UX project documents, one thing that both onboarding use cases expressed was the desire to download and receive a link they could use later. This is great, and is one of the concerns I had above. Maybe I don't understand this, but if mutual following is enforced, I at least see a need for a non-authenticated means of connection to be able to redeem an invite code. Other use cases from case studies that I can see breaking if mutual follow is enforced:
Which means 10/12 of their cases where they would like to follow others during onboarding are potentially blocked by a default setting if mutual follow enforcement is the default. It also breaks "Social tiers" (3) on page 10, since it's exceedingly unlikely that a "famous person" or anyone in the Dunbar's 500+ is going to follow everyone who wants to follow them. Also breaks "(Semi-)public organizations" on page 14, since for example my local food pantry could not ask for help or request a type of food unless they also mutually followed everyone who might be able to help them. Is my local food pantry going run their own pub that everyone has to individually join, with the static IP requirement, maintenance, and moderation that implies? Almost certainly not. But if they're running a client like Patchwork on a computer which has a decent internet connection, it gives them the ability to run a public profile with essentially zero additional technical expertise and without requiring users to join an open-invite pub somewhere to be able to connect with them. So, I guess where I'm at is that I would love to see provisions for clients to have several settings:
But present the options to the user (even if it's an Advanced setting) and let them decide. |
Continuing the conversation from arj03/ssb-browser-demo#186
Originally posted by @arj03 in arj03/ssb-browser-demo#186 (comment)
Originally posted by @KyleMaas in arj03/ssb-browser-demo#186 (comment)
Originally posted by @KyleMaas in arj03/ssb-browser-demo#186 (comment)
Originally posted by @arj03 in arj03/ssb-browser-demo#186 (comment)
The gist of this is: SSB is designed for off-grid use with only occasional contact with the outside world. By requiring mutual follow to replicate anything, it means that there is no such thing as a spurious read-only contact when coming off-grid. It means you can only contact the network through people you have a trust relationship with. This may be fine under normal circumstances but breaks down in several possible scenarios:
This also means that rooms cannot truly replace pubs. There will always need to be pubs to onboard new users or people who have had to replace their feed. And these will continue to have a tendency to quickly become massive messes just like open-invite pubs with tons of follows do now. But with a mutual follow requirement, they stay the same "evil" but become even more "necessary".
In short, a "follow" is an implied trust relationship. You trust the other person to not shovel garbage into your database. I see the requirement to establish a mutual trust relationship with a stranger to be able to view publicly-posted messages to be a huge step backward. Why should they have to trust me for me to be able to read? I'm hoping maybe this can start a dialog on how to support these use cases, because I would really hate to lose the ability to safely replicate off-grid from strangers.
The text was updated successfully, but these errors were encountered: