element-hq / element-integration-manager

Element Integration Manager related issues

Restricting access to Etherpad / widgets in general #14

Open madduck opened 6 years ago

madduck commented 6 years ago

The widgets idea is awesome, even though I managed to lose 30 minutes of (finger) work today, presumably due to spotty connectivity while on a train. I understand it's new and probably far from "stable".

But one thing concerns me. Take for instance Etherpad: if I add an Etherpad to a room that's members-only and encrypted, I'd kinda expect it to be "secure" in the sense that the Etherpad contents are also encrypted, and only accessible by people authenticated to the Matrix-universe.

However, there seems to be a publicly-accessible URL (with a random yet stable URL part) that anyone with knowledge can load, and this at the very least violates the principle of least surprise.

I don't know if this is even possible or how one would do it, but I'd like to vote for somehow embedding widgets within the authentication/authorization constraints that underlie Matrix. Here's an issue to track this. ;)

lampholder commented 6 years ago

Sorry you lost your work - was that in an etherpad OOI?

madduck commented 6 years ago

Tom Lant <notifications@github.com> wrote [2017-10-20 18:49 +0200]:

> Sorry you lost your work - was that in an etherpad OOI?

What's Etherpad "OOI"?

-- The sender e-mail address used (github.com@pobox.madduck.net) is valid and specific to our correspondence. It should not indicate any affiliation with your organisation.

turt2live commented 6 years ago

OOI = Out Of Interest.

rootkea commented 3 years ago

> there seems to be a publicly-accessible URL (with a random yet stable URL part)

I would like to add that the URL string is not random and is simply the matrix room id.

E.g. I'm part of the group https://app.element.io/#/room/!rkYVERwyJtEKuDRNvF:matrix.org which is configured to only allow people to join who have been invited. So you won't be able to join this group. But it doesn't matter. Since you now know the room address you can access the Etherpad and Ethercalc we're working on.

The URL format for etherpad is:

https://scalar.vector.im/etherpad/p/!FOO_matrix.org

where FOO is the random string from the room address. For the above group (which you can't join) the FOO is rkYVERwyJtEKuDRNvF (random string from the room address). So the Etherpad URL will be: https://scalar.vector.im/etherpad/p/!rkYVERwyJtEKuDRNvF_matrix.org

Go on. Test it and see if you can access the etherpad.

This makes for a very easy privacy violation. An attacker just needs to know the Matrix room address, and even if he couldn't join the room he can easily see the Etherpad being worked on by the group.

Same thing with Ethercalc widget.

The URL format for EtherCalc is:

https://ethercalc.net/%21FOO%3Amatrix.org

where FOO is the random string from the room address. For the above group (which you can't join) the FOO is rkYVERwyJtEKuDRNvF (random string from the room address). So the EtherCalc URL will be: https://ethercalc.net/%21rkYVERwyJtEKuDRNvF%3Amatrix.org

rootkea commented 3 years ago

The URL formats in the above comment are publicly accessible.

There are other URL formats for Etherpad and Ethercalc, but you need to be logged in to Matrix to view the pad and calc at those URLs. It doesn't matter whether you are part of the room which owns the pad/calc or not. Just be logged in to any Matrix account to access these URLs.

The URL format for Etherpad is:

https://scalar.vector.im/api/widgets/etherpad.html?padName=!FOO:matrix.org

where FOO is the random string from the room address. For the above group (which you can't join) the FOO is rkYVERwyJtEKuDRNvF (random string from the room address). So the Etherpad URL will be: https://scalar.vector.im/api/widgets/etherpad.html?padName=!rkYVERwyJtEKuDRNvF:matrix.org

Go on. Test it and see if you can access the etherpad. Just be sure to be logged in to any Matrix account to access this URL.

Same thing with Ethercalc widget.

The URL format for EtherCalc is:

https://scalar.vector.im/api/widgets/ethercalc.html?sheetName=%21FOO%3Amatrix.org

where FOO is the random string from the room address. For the above group (which you can't join) the FOO is rkYVERwyJtEKuDRNvF (random string from the room address). So the Ethercalc URL will be: https://scalar.vector.im/api/widgets/ethercalc.html?sheetName=%21rkYVERwyJtEKuDRNvF%3Amatrix.org

rootkea commented 3 years ago

There needs to be some form of authentication which is tightly coupled with the Matrix room member status (only if you're a member of the room can you access the room's Etherpad or EtherCalc).

Which also means hosting the Etherpad and Ethercalc instances on the Vector/Modular server (so not using https://ethercalc.net, as pointed out two comments above).

The authentication may not be password based, as when a member leaves/gets kicked out of the room the passwords for Etherpad and EtherCalc have to be changed. (Or maybe change the passwords automatically when a member leaves the room?)

rootkea commented 3 years ago

Meanwhile, till the authentication is implemented, maybe we should add a notice text like "The contents of this Etherpad/EtherCalc are publicly accessible" to the default text shown in Etherpad/EtherCalc.
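The two comments above describe URL formats in which the room ID (raw, percent-encoded, or with `_` in place of `:`) is embedded in the widget URL, so the pad is reachable by anyone who knows the room ID, either with no login at all or with any Matrix login. A room admin can audit their own room for widgets of this kind before deciding whether to keep them or to post the notice suggested here. The following Python script is an added example written for this thread, not code from the element-integration-manager project; it assumes widget state events of type `im.vector.modular.widgets` in the shape Element stores them (the `m.etherpad` / `m.ethercalc` type values and the state keys in the sample are hypothetical), and the sample events, built around the room ID quoted in this thread, are constructed inline so the script runs offline.

```python
from typing import Optional
from urllib.parse import urlsplit, unquote

# Room ID quoted in this thread.
ROOM_ID = "!rkYVERwyJtEKuDRNvF:matrix.org"

# Constructed sample: widget state events as a room admin would get them back
# from the room state (event type im.vector.modular.widgets). Widget "type"
# values and state keys are hypothetical; the URLs follow the formats rootkea
# describes above. An empty content means the widget was removed.
SAMPLE_WIDGET_EVENTS = [
    {"type": "im.vector.modular.widgets", "state_key": "etherpad_abc123",
     "content": {"type": "m.etherpad", "name": "Etherpad",
                 "url": "https://scalar.vector.im/api/widgets/etherpad.html"
                        "?padName=!rkYVERwyJtEKuDRNvF:matrix.org"}},
    {"type": "im.vector.modular.widgets", "state_key": "ethercalc_def456",
     "content": {"type": "m.ethercalc", "name": "EtherCalc",
                 "url": "https://ethercalc.net/%21rkYVERwyJtEKuDRNvF%3Amatrix.org"}},
    {"type": "im.vector.modular.widgets", "state_key": "removed_widget",
     "content": {}},
    {"type": "im.vector.modular.widgets", "state_key": "jitsi_xyz",
     "content": {"type": "m.jitsi", "name": "Jitsi",
                 "url": "https://meet.example.org/conf123"}},
]

# Paths on the integration manager that the thread says require a Matrix login
# but no room membership.
LOGIN_ONLY_PATHS = {"/api/widgets/etherpad.html", "/api/widgets/ethercalc.html"}


def room_id_forms(room_id: str) -> set:
    """Every spelling of a room ID that the thread shows appearing in widget URLs."""
    localpart, server = room_id[1:].split(":", 1)
    return {
        room_id,                        # !local:server   (padName= / sheetName= form)
        f"!{localpart}_{server}",       # !local_server   (/etherpad/p/ form)
        f"%21{localpart}%3A{server}",   # percent-encoded (ethercalc.net form)
    }


def classify_url(url: str, room_id: str) -> Optional[str]:
    """Return the exposure level of a widget URL derived from the room ID, or None
    if the URL does not embed the room ID at all (nothing to guess from the ID)."""
    decoded = unquote(url)
    if not any(form in url or form in decoded for form in room_id_forms(room_id)):
        return None
    parts = urlsplit(url)
    if parts.netloc == "ethercalc.net" or parts.path.startswith("/etherpad/p/"):
        return "public"                 # no login needed at all
    if parts.path in LOGIN_ONLY_PATHS:
        return "any-matrix-login"       # any Matrix account, membership not checked
    return "room-derived-url"           # room ID is in the URL; access model unknown


def audit_widgets(events: list, room_id: str) -> list:
    """Flag widgets whose URL can be reconstructed from the room ID alone."""
    findings = []
    for event in events:
        content = event.get("content") or {}
        url = content.get("url")
        if not url:
            continue                    # removed widget or no URL to check
        exposure = classify_url(url, room_id)
        if exposure is None:
            continue
        findings.append({"state_key": event["state_key"],
                         "name": content.get("name", "?"),
                         "url": url, "exposure": exposure})
    return findings


def notice_for(finding: dict) -> str:
    """The warning text rootkea suggests, phrased for the exposure level found."""
    who = {"public": "anyone who knows the room ID, without logging in",
           "any-matrix-login": "any logged-in Matrix user who knows the room ID",
           "room-derived-url": "anyone who knows the room ID and the widget host"}
    return (f"The contents of this {finding['name']} widget are accessible to "
            f"{who[finding['exposure']]}; room membership is not checked.")


if __name__ == "__main__":
    for finding in audit_widgets(SAMPLE_WIDGET_EVENTS, ROOM_ID):
        print(f"{finding['state_key']}: {finding['exposure']} -> {finding['url']}")
        print("  " + notice_for(finding))
```

The Jitsi widget is not flagged because its URL contains no form of the room ID, which is exactly the property the thread says the Etherpad and EtherCalc widgets lack; a widget that stored its data in the room, as proposed later in the thread, would pass this check for the same reason.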

jryans commented 2 years ago

The strongest way to achieve this would be for the widget to store all of its data in the room, and the widget then only views / edits room data. With this design, accessing the widget's data is clearly linked to the room's access model.

Of course, each widget would need to be designed to work with the room as its data storage for this to happen.

vertigo220 commented 1 year ago

I don't fully understand how Etherpad works because I've only looked into it a bit and don't have my own server to run it on, but I see scattered information about being able to password-protect it, though I can't figure out how. I'm assuming it's something you can only do when running your own instance, but the fact the capability seems to be there makes me wonder if it can be used to solve this issue.

Also, I definitely agree there should be a warning like rootkea mentioned, as it currently only warns that the widget won't be encrypted, but this just makes it sound like anyone with access to the homeserver(s) can read it and doesn't make it clear that anyone can.