|
| 1 | +# MSC2870: Protect server ACLs from redaction |
| 2 | + |
| 3 | +[Server ACLs](https://matrix.org/docs/spec/client_server/r0.6.1#server-access-control-lists-acls-for-rooms) |
| 4 | +are a way to prevent malicious/untrusted homeservers from participating in a given room. These ACLs |
| 5 | +are represented by a state event which is easily capable of demolishing all useful functionality of |
| 6 | +a federated room. Typically this sort of design flaw would be worked out during the MSC process, and |
| 7 | +in this particular case it was acknowledged as a potential source of accidental mistake, however the |
| 8 | +impact of making a mistake appears to be larger than anticipated. |
| 9 | + |
| 10 | +Specifically, the ACLs do not default to allowing all servers when they are set but missing an `allow` |
| 11 | +field. When an `allow` rule is missing, it means that all servers can no longer participate in the |
| 12 | +room. The natural reaction to such a disaster is to try sending a new ACL event, however all the |
| 13 | +receiving servers rightly refuse the event because the specification says so and it's not yet |
| 14 | +possible to tell if a trusted server is publishing the new ACLs (due to the social nature of the |
| 15 | +problem space rather than the technical side). Redacting a server ACL event causes the event content |
| 16 | +to become `{}`, which means no `allow` rule is present. |
| 17 | + |
| 18 | +## Proposal |
| 19 | + |
| 20 | +In a future room version, the `allow`, `deny`, and `allow_ip_literals` fields of the `m.room.server_acl` |
| 21 | +state event are protected from redaction. Typically this measure is only taken when a field is critical |
| 22 | +to the operation of the protocol, such as in the case of protecting power levels from redactions. ACLs |
| 23 | +are not as critical to the protocol as most of the other protected event fields, however the consequences |
| 24 | +of accidentally redacting a server ACL event are disproportionately large. |
| 25 | + |
| 26 | +## Potential issues |
| 27 | + |
| 28 | +None foreseen - this MSC should remedy a problem encountered in the wild. |
| 29 | + |
| 30 | +## Alternatives |
| 31 | + |
| 32 | +We could instead dictate that a lack of `allow` rule implicitly means `allow: ["*"]`, however this is |
| 33 | +a behavioural change which is easily missed between room versions. We could also define that `{}` means |
| 34 | +applying the same mechanics of ACLs when the state event isn't set, however again this is subject to |
| 35 | +being missed as a behavioural change. Behavioural changes are hard to represent in the specification as |
| 36 | +room versions are not meant to contain information about how a room might react in the eyes of a room |
| 37 | +administrator or client implementation, where possible. They are more intended to change server-side |
| 38 | +algorithms, like the redaction algorithm, to change the functionality under the hood without impacting |
| 39 | +the room administrator's understanding of their room's function. |
| 40 | + |
| 41 | +Another possible approach is to have servers prevent sending faulty ACL events by preventing their |
| 42 | +local clients from doing so, such as by rejecting redaction requests. This doesn't solve the issue |
| 43 | +over federation, but can reduce the liklihood of such events making it to the federation layer. This |
| 44 | +is what Synapse currently does to help mitigate the issue. This is only effective if the server (or |
| 45 | +client, locally) implements it - it's common for both clients and servers to forget to add these checks |
| 46 | +during development, leading to occasional room breakage. This MSC instead tries to resolve the issue |
| 47 | +more completely for future room versions, pending replacement of ACLs entirely. |
| 48 | + |
| 49 | +Meanwhile, [MSC4124](https://github.com/matrix-org/matrix-spec-proposals/pull/4124) exists as a possible |
| 50 | +permanent replacement for ACLs. |
| 51 | + |
| 52 | +## Security considerations |
| 53 | + |
| 54 | +It may be desirable to redact server ACLs due to abusive server names needing to be banned. Clients |
| 55 | +are encouraged to *not* display the differences to the ACLs without the user opting in to seeing the |
| 56 | +changes (such as by clicking a 'show details' link). |
| 57 | + |
| 58 | +Of particular note is that redacted events may be provided to future users/servers, regardless of the |
| 59 | +history visibility settings. If fields are protected from redaction, this means they will be visible |
| 60 | +to those future joiners. This may be undesirable in some circumstances. This MSC does not attempt to |
| 61 | +address this concern. |
| 62 | + |
| 63 | +## Unstable prefix |
| 64 | + |
| 65 | +Implementations looking to test this MSC before it lands in a released room version can use `org.matrix.msc2870` |
| 66 | +as the room version, using [room version 11](https://spec.matrix.org/v1.9/rooms/v11/) as a base. |
0 commit comments