matrix-org / matrix-spec

The Matrix protocol specification
Apache License 2.0
197 stars 97 forks

Media in the content repo is not authed #870

Closed kethinov closed 5 months ago

kethinov commented 7 years ago

Example, this was shared in a private 3 person chat, but anyone can view it: https://matrix.org/_matrix/media/v1/download/matrix.org/bSRWdHBFqtVzowZDhwRGbzDq

Most people I've recruited into Matrix are Google Hangouts refugees looking for an open platform. On Hangouts, you cannot view the web URL of an image in this way unless you're authenticated with the server and the user has shared it with you in a chat.

Would it be possible to support moving past security through obscurity at some point? Or, failing that, at least expire the images after a week or so?

This is concerning because it would be rather trivial for someone to write a simple app querying random alphanumeric strings to harvest images people have shared in private conversations.

immanuelfodor commented 1 year ago

Could you please share the config? How can one achieve this? (It'd be great for me if it could be a full example, I mean with the Docker commands as well if possible. AFAIK nginx doesn't contain the Lua engine anymore, so I need to do something to have Lua besides nginx.)

rltas commented 1 year ago

I can do that later, yeah. In my case it's integrated with https://github.com/spantaleev/matrix-docker-ansible-deploy and thus involves Traefik as well, but it should be easy to adapt.

richvdh commented 1 year ago

Until this is resolved, I added a Lua script in my nginx reverse proxy which only allows media access for ip addresses that successfully accessed the /capabilities or /sync endpoints, which seem to be two authenticated ones that are reliably accessed first.

Be aware that this will break federation: it will mean that users on other servers will be unable to view media uploaded on your server.
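The approach described in the comment above (allowing media downloads only from client IPs that have recently hit an authenticated endpoint) can be expressed as an nginx reverse-proxy configuration. The snippet below is an added illustration written for this thread, not the configuration the commenter actually uses and not part of the Matrix project. It assumes nginx built with lua-nginx-module (e.g. OpenResty), a homeserver listening on 127.0.0.1:8008, and the hostname matrix.example.org; the directives go inside the http block.

```nginx
# Shared memory zone recording client IPs that have recently completed
# an authenticated request. 10m is an assumed size.
lua_shared_dict media_allow 10m;

upstream synapse {
    server 127.0.0.1:8008;   # assumed homeserver address
}

server {
    listen 443 ssl;
    server_name matrix.example.org;   # assumed hostname

    # /sync and /capabilities require an access token, so a 200 from the
    # homeserver means this IP holds valid credentials. Remember it for
    # one hour (assumed TTL); log_by_lua runs after the upstream answered.
    location ~ ^/_matrix/client/(r0|v3)/(sync|capabilities)$ {
        proxy_pass http://synapse;
        log_by_lua_block {
            if ngx.status == 200 then
                ngx.shared.media_allow:set(ngx.var.remote_addr, true, 3600)
            end
        }
    }

    # Media repository: refuse any client IP not seen in the allow list.
    # Note this also blocks remote homeservers fetching media over
    # federation, as the comment above warns.
    location ^~ /_matrix/media/ {
        access_by_lua_block {
            if not ngx.shared.media_allow:get(ngx.var.remote_addr) then
                ngx.log(ngx.WARN, "media request from unauthenticated IP ",
                        ngx.var.remote_addr)
                return ngx.exit(ngx.HTTP_FORBIDDEN)
            end
        }
        proxy_pass http://synapse;
    }

    # Everything else is passed through unchanged.
    location / {
        proxy_pass http://synapse;
    }
}
```

Two caveats a deployer would want to weigh before relying on this: the allow list is keyed on IP address, so every client behind the same NAT or carrier-grade proxy is admitted once one of them authenticates, and clients arriving through an upstream proxy need the real_ip module configured or they will all share the proxy's address. It is a mitigation against bulk URL guessing by strangers, not an access control tied to room membership; end-to-end encryption remains the only mechanism that keeps media content from the server and the proxy themselves.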

rltas commented 1 year ago

Yeah, I'm not federating; thanks for pointing that out. I guess if you're looking for some extra privacy without aiming for the obvious solution that is encryption, you'll have a specific reason for that tradeoff.

n0toose commented 5 months ago

@turt2live thanks!

kethinov commented 5 months ago

@turt2live the original link in my original post can still be viewed without authentication. Has this change gone live yet on the matrix.org homeserver?

And will it apply to all previous media, or only to new media shared after the change goes live?

turt2live commented 5 months ago

The matrix.org homeserver's rollout is being worked out following the spec change - there should be more detail in a few weeks (watch the matrix.org blog for updates).

The spec change does not add authentication to existing endpoints, but rather introduces new ones. Servers are being advised to freeze the unauthenticated endpoints, like the one linked above, rather than add authentication retroactively. Media from before the freeze will remain accessible on the old endpoints while new media will only be accessible on the new endpoints. This is what matrix.org plans to do as well.