Implement skip of encrypted XMPP messages#217
Conversation
|
That's a very good catch, thanks! I'm wondering what should be a good default here. Most MUC chatrooms are not encrypted so is it useful to implement OMEMO at all? I think i'm partial to no OMEMO support with:
What do you think? Is that reasonable for you to make that the default behavior, but still relay a public warning once about a probable misconfiguration? |
|
I am sure about most, but if I am correct, Matrix handler supports encryption, so it would be consistent to implement it for XMPP one day. If I understood your idea correctly, I am in favour of "a one-off message about not supporting OMEMO in all chatrooms across the gateway" on first encrypted message occurrence and skip all further ones to avoid spamming. However, the way I made this particular change is because goal was to preserve existing behaviour (blindly relay everything) while being able to opt-in to skip encrypted messages if some members of MUC accidentally or purposefully enabled it to share some confidential thing that should not be stored in plaintext. I do agree that it is not something common and probably weird, but in private MUC where everyone knows everyone else it could make sense. |
|
So if i understand there's three different questions:
I think we should support OMEMO. I'm not sure there's value in skipping specific messages if we support OMEMO: do you know anyone who would enable encryption for a single message then turn it off? (i've never heard of this before) |
|
I would like to point out that in scenario when XMPP gets bridged to Telegram (or Discord), OMEMO becomes useless because plaintext is leaked to a third party (Telegram/Discord) if decryption is implemented by the bridge. Hence if you have same MUC where both encrypted and plaintext messages are stored but only plaintext get relayed to unencrypted chats, this per-message difference makes sense to me to avoid leaking some sensitive content that must be E2EE'd. |
|
Yes, i understand that usecase in theory. But do you know people who would actually use this? Bridging their super sensitive chatroom except for a few messages every now and then? Does that even work well across XMPP clients to just start and stop encryption randomly? My personal feeling is that public chatrooms should not be encrypted and that private chatrooms should not be bridged to random 3rd parties (eg. Telegram). Does that make sense to you? |
|
I agree with you on public chatrooms, but as for private ones I am the one who runs a bridge with such constraint for a private group - unfortunately, a few people not yet willing to use XMPP and stuck with Telegram. I would also like to highlight that it is true that there is a risk that someone could quote sensitive message without OMEMO enabled and accidentally leak it. |
|
OK so you want a chatroom with your friends from Telegram, but you don't want them to receive 100% of the messages. Is that correct? Would it maybe make sense to have a separate "more" private chatroom which is not relayed to 3rd party networks? Sorry i hope i'm not condescending. I'm not trying to deny your usecase, i just find it really weird and i'm guessing it may produce unexpected results in clients due to how OMEMO (TOFU + key rotation via double ratchet) works. If you say it works and that's definitely what you want to be doing, then i case we could accomodate this usecase indeed. |
|
Having more groups is less convenient due to necessity to switch between them, selectively (and rarely) enabling OMEMO looks a good tradeoffs to me, with a safeguard to not flood the unencrypted end with "this message was encrypted with OMEMO" if someone forgot to disable it. I do agree that the use case is weird, no worries :) I can't elaborate on how this is reliable because this setup runs only for a few days in a not very active chat. So far no issues with Gajim and Conversations across multiple devices. |
|
I don't think i truly appreciate the usecase, but that sounds reasonable as an optional setting. It would be helpful for the check in (changelog.md and settings.md need to be updated btw, otherwise that looks good, thanks!) |
|
Sorry about two commits, did not notice I am editing wrong file first. Could you please confirm if this is enough or should the description be more detailed? |
|
I'm in favor of implementing OMEMO support and enabling it as a default, with encryption capabilities noted in Enabling OMEMO for only some messages in the same channel seems like a wrong approach. Better to have multiple channels (bridges) on different gateways, even if each channel is using the same XMPP account, allowing some with OMEMO enabled and others without. |
|
Maybe an option to send a fallback message would be better instead of silently dropping it? Like "This message was encrypted with OMEMO and could not be relayed"? |
End-to-end encrypted XMPP messages can't be decrypted by the matterbridge yet - they get relayed to other chats as their plaintext fallback body such as "I sent you an OMEMO encrypted message but your client doesn't support that".
This change adds a boolean option SkipEncrypted for XMPP gateway with a default value false to keep current behavior unchanged.