| 15 Apr 2025 |
 emily | my strong impression of Matrix is that it was not really designed with much thinking about even the kinds of abuse that have been common on the internet for decades and I keep getting more information to confirm this feeling :/ | 22:25:07 |
 @joepie91:pixie.town | (this is correct) | 22:26:53 |
| emily | repeating the email mistake of letting you have entirely different attacker-controlled content in plain and rich text forms of a messageā¦ š¬ | 22:27:51 |
 amadaluzia[tde] | They had to just make better IRC and years later we are still working on it | 22:27:52 |
| @joepie91:pixie.town | there's generally been a lack of threat modelling in the design process. I have attempted to track down the design rationale and threat modelling behind stateres, an enumeration of specific types of attacks and how it would defend against it, and after many vague answers and a fruitless search by other folks for old internal docs, the conclusion seemed to be "nobody ever actually did this at any point" | 22:27:58 |
 uep | In reply to @emilazy:matrix.org
my strong impression of Matrix is that it was not really designed with much thinking about even the kinds of abuse that have been common on the internet for decades and I keep getting more information to confirm this feeling :/ yeah. it's a clever system for eventual consistency relying on reliable message delivery as the main focus, which seems like a good idea for a base transport layer, but it turns out that in ignoring the actual abuse cases and deferring to reactive bots, you get race conditions like the above, and wind up without reliable message delivery sometimes too somehow | 22:28:08 |
| emily | so it's perfectly possible to create a message that looks benign to mods or bots but very much isn't for other viewers | 22:28:09 |
| amadaluzia[tde] | * | 22:28:34 |
 Dandellion | This was all going to be solved by an even more complicated reputation layer :) | 22:30:38 |
| emily | do we get to do key signing parties again??? | 22:31:42 |
 @emma:rory.gay | no it cant leave before the other user joins | 22:32:44 |
| @emma:rory.gay | otherwise the room becomes orphaned, and you might aswell not create a room at all | 22:33:07 |
| Dandellion | Publishing reputation was actually part of the thoughts back then so maybe lol. But as most matrix things only 5% of the feature was ever implemented, then the whole thing is shelved for "funding" | 22:33:46 |
| Dandellion | but the mjolnir banlists as rooms stuff did come straight out of it IIRC | 22:34:11 |
| uep | that's an acutally nice use of the transport and features that exist | 22:34:44 |
| @emma:rory.gay | nah mjolnir didnt come out of the reputation system | 22:35:03 |
| @emma:rory.gay | its just that rooms are convenient as databases w/ replication | 22:35:37 |
| uep | speaking as someone that build an early internet banking system on top of lotus notes, it's amazing what you can do on top of a "database with integrated pki and replication" | 22:36:40 |
| Dandellion | are you sure? I recall some very old conversations which predate mjolnir mentioning those things. But the ideas might have just converged and spawned around the same time | 22:36:42 |
| uep | * | 22:36:54 |
| @emma:rory.gay | mjolnir was never supposed to be used outside of Element | 22:37:36 |
| Dandellion | I agree it's a very natural thing to do though | 22:37:57 |
 Cat | Theres a MSC to fix the problem that causes issues with instant bans. Sadly well that is yet to see implementation. | 22:46:53 |
| Cat | And the Synapse PR that provides an alternative fix is stuck in that sucks as its status as who in their right mind as a regular admin user wants the soft failures in their regular timelines. Well thats why the PR is stalled as it needs to be configurable so you dont get this problem. | 22:48:29 |
| Cat | Essentially if your bot is Soft Failure aware this problem doesnt actually materialise with a ban blinding you. Its one of the best things to come out of that Meowlnir is an AS that wants direct Postgres access to the Synapse production DB. It can bypass this problem while a proper solution is being worked on. | 22:49:39 |
| uep | echoing emily earlier, the more I learn, the more my impressions are confirmed | 22:50:37 |
| Cat | Yup Element has taken security way too lax during years. | 22:52:02 |
| uep | I mean, I'm glad that the conclusions and problem analysis I can draw from a few bits of basic observation and reasoning about the system I don't really know well turn out to be accurate. That's nice. That they're well known to people more involved in Matrix is helpful to some degree. That they're unsolved after years, less so. | 22:54:07 |
| emily | the more things I see Element/matrix.org deprioritize the more I wonder what they do prioritize :) | 22:54:33 |
| emily | ("getting government contracts", I guess?) | 22:55:03 |
