matrix-org / pantalaimon

E2EE aware proxy daemon for matrix clients.
Apache License 2.0

README should explain pantalaimon as a concept #42

Open bobpaul opened 4 years ago

bobpaul commented 4 years ago

Looking at this project, it's only vaguely clear to me what it does. I understand all the terms in the README (end to end encryption, proxy, etc) but there's no explanation of what problem pantalaimon solves, security implications of running this instead of doing E2EE via the client, where it should be installed (does this belong on the home server? on every client machine?), or why someone would want to install pantalaimon in the first place.

poljar commented 4 years ago

Doesn't this sentence in the usage section at least answer one of your questions?

> While pantalaimon is a daemon, it is meant to be run as your own user.

It also delegates you to the man page, which has a longer description.

If your client supports E2EE, you probably don't want this.

menturion commented 4 years ago

I have two questions: -1- Is pantalaimon production ready at its current stage? -2- Is pantalaimon horizontally scalable?

bobpaul commented 4 years ago

> Doesn't this sentence in the usage section at least answer one of your questions?
>
> > While pantalaimon is a daemon, it is meant to be run as your own user.

Not really. That mostly just tells me whether it should run as root or some daemon-specific user, which it shouldn't. I have my own user account on my homeserver; I don't think that's unusual.

But from the man page, it looks like this is really expected to be installed on machines with clients. While multiple clients can connect, you probably don't want to install pantalaimon on a machine that's only acting as a homeserver.

> It also delegates you to the man page, which has a longer description.

Well, ok... but, I haven't installed pantalaimon, so I don't have the manpage. The README doesn't link to it, and a potential user has already lost interest by that point. The README is the first point of contact and the primary file that search engines index. Ideally the user knows what the project does, why, and whether it's likely to solve a problem they have before they've reached installation instructions.

I'll think on this a bit and make a pull request.

poljar commented 4 years ago

> Not really. That mostly just tells me whether it should run as root or some daemon-specific user, which it shouldn't. I have my own user account on my homeserver; I don't think that's unusual.

I would hope that running as your own user wouldn't be misinterpreted as it needs to be run as root.

> Well, ok... but, I haven't installed pantalaimon, so I don't have the manpage. The README doesn't link to it, and a potential user has already lost interest by that point. The README is the first point of contact and the primary file that search engines index. Ideally the user knows what the project does, why, and whether it's likely to solve a problem they have before they've reached installation instructions.

The README now links to the man page.

> I'll think on this a bit and make a pull request.

Please do so, it's hard to interpret the README in an unbiased way since I already understand all the concepts.

poljar commented 4 years ago

> I have two questions: -1- Is pantalaimon production ready at its current stage?

It is used in production for a couple of internal tools. In the end it's open source and there are no guarantees provided as the license states.

> -2- Is pantalaimon horizontally scalable?

I'm not sure what you're planning to do, a bit more background info would be helpful. You can run one Pantalaimon instance per user on a separate machine, in fact that's the target use-case. Everybody runs Pantalaimon on their own computer as their own user. Otherwise there is no way to do device verification since the CLI utility uses DBUS.

menturion commented 4 years ago

@poljar Thanks for your reply and the info. I thought that Pantalaimon is a proxy that transparently encrypts the data of all users (and not a single one) of a homeserver.

poljar commented 4 years ago

It supports multiple users, but every user needs its own E2EE key-pair. So it creates a device that connects to the server. This device intercepts messages of your original client and encrypts/decrypts them before they are passed between the client/homeserver.
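An added example, not part of the thread or of the project's code: since the daemon sees client traffic before it is encrypted and the target deployment is one instance on the user's own machine, this sketch audits a pantalaimon.conf for listeners that leave loopback or homeserver URLs that are not HTTPS. The sample file is constructed; the `Default` defaults section and the `localhost` fallback are assumptions about the daemon's config handling.

```python
import configparser
import ipaddress
from urllib.parse import urlparse

# Constructed sample configuration; section names and hosts are made up.
SAMPLE_CONF = """
[Default]
ListenAddress = localhost

[personal]
Homeserver = https://matrix.example.org
ListenPort = 8009

[shared-box]
Homeserver = https://matrix.example.org
ListenAddress = 0.0.0.0
ListenPort = 8010

[lab]
Homeserver = http://synapse.lab.example:8008
ListenAddress = ::1
ListenPort = 8011
"""

def is_loopback(host):
    """True only for 'localhost' or a literal loopback IP address."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # any other hostname is treated as reachable by others

def audit(conf_text):
    """Return (section, key, value) for every setting that exposes plaintext."""
    # Assumption: defaults live in a section named "Default".
    parser = configparser.ConfigParser(default_section="Default")
    parser.read_string(conf_text)
    findings = []
    for name in parser.sections():
        sec = parser[name]
        listen = sec.get("ListenAddress", fallback="localhost")  # assumed default
        if not is_loopback(listen):
            findings.append((name, "ListenAddress", listen))
        homeserver = sec.get("Homeserver", fallback="")
        if urlparse(homeserver).scheme != "https":
            findings.append((name, "Homeserver", homeserver))
    return findings

if __name__ == "__main__":
    for section, key, value in audit(SAMPLE_CONF):
        print(f"[{section}] {key} = {value}")
```
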

menturion commented 4 years ago

Thanks again! So this would mean that my understanding is correct.

So a valid use case would be e.g. a company's intranet with Pantalaimon as an E2EE proxy to a homeserver with the requirement that all clients need to reference this E2EE proxy, ... right?

I read that Synapse will be able to scale horizontally in the future by using Redis and in order to avoid a bottleneck in Pantalaimon there would be a demand to scale Pantalaimon horizontally too.

poljar commented 4 years ago

I mean sure, but wouldn't you mandate your company to use clients that do support E2EE in that case before turning to Pantalaimon?

menturion commented 4 years ago

You mean a company should prefer to E2E encrypt the data within each client (e.g. the browser using olm.js, Riot Android/iOS ...) instead of using a Pantalaimon proxy because the communication between the clients and Pantalaimon is unencrypted(?).

There might be different scenarios with different security demands.

Is Pantalaimon horizontally scalable?

poljar commented 4 years ago

As I said, you can run a Pantalaimon instance for every user on a separate machine if you like and set up a proxy before Pantalaimon to pick the instance based on user_id.

I'm afraid that's the only thing I can come up with.

menturion commented 4 years ago

@poljar I am still wondering which use case you are addressing with Pantalaimon.

My only bet is a M2M scenario where an app is communicating with Synapse.

The vast majority of real users don't have the technology stack to deploy Pantalaimon, not to mention the administrative overhead.

I am thinking more of a scenario where a company wants to connect e.g. a team of a subsidiary to a central communication service based on Synapse and wants to avoid all the (error-prone) manual work with E2EE passwords and recovery keys etc., it would simply have to plug and play an E2EE proxy and the local workstations (browsers) would be connected to the service in an encrypted way.

poljar commented 4 years ago

The two use-cases that emerged and I noticed have been:

  1. People that write bots, but their client/bot lib doesn't support encryption.
  2. People that use clients that don't support encryption.

The vast majority of real users will use one of the Riot clients, so it's fine if they never need to learn about Pantalaimon.

toger5 commented 4 years ago

I still agree there could be a more detailed description. Things I still don't understand:

poljar commented 4 years ago

> I still agree there could be a more detailed description. Things I still don't understand:
>
> * what is the pantalaimon[ui] dbus based user interface thing?

Not sure what you're asking here, panctl is the only UI we provide, it connects via dbus to control the daemon. Of course anyone can write their own UI since it's dbus based.

> * what is the panctl useful for when I get the gnome shell notifications to click on?

I believe you can't import/export keys using gnome shell notifications. We have a man page for panctl as well.

> * how am I supposed to use it? start in the .desktop of the client app? run a second terminal all the time? put it in some system startup script?

There's no need to run panctl unless you want to control the daemon in some way. So I guess run it in a terminal when you need to.