sp614x / optifine


[Privacy/security] Skip chat signatures for 1.19+ #6847

Open Madis0 opened 2 years ago

Madis0 commented 2 years ago

Description of the new feature

Similar to #6694, you should implement the following Forge/Fabric mod called No Chat Reports (licensed under WTFPL) as a default-enabled toggle.

How it works:

Client will refuse to send account's public key to the server, and signatures will be stripped from the messages that you send. This way it won't be useful to try and report your messages, as there will be no proof they were actually sent from your account. Server will relay them unless "enforce-secure-profile" option is set to true in server options, in which case it will not let you join.

Why? Because players are rightfully concerned by the system, as evident by the comments here, here, here, here, and OptiFine could really impact this with its huge playerbase.

abasgames commented 2 years ago

I highly agree

lele92007 commented 2 years ago

If players want to install this mod, they can. OptiFine is an optimisation mod, not a mod made to bypass the chat moderation.

sp614x commented 2 years ago

What are the exact changes that have to be done?

Madis0 commented 2 years ago

> What are the exact changes that have to be done?

As 1.19.1 is not released yet, this is not currently fully clear, but right now I'd say:

Aizistral commented 2 years ago

I have gone over my codebase to properly comment what most of it does just today, in case you're interested in evaluating what from it can be copied and how. Nevertheless, as much as I would be happy to see my work becoming a part of something as great as OptiFine, some of the key features of the mod designed to protect its user may be out of scope for an inherently unrelated project. The biggest advantage the mod provides in client-only mode is the ability to send unsigned messages on servers that have enforce-secure-profile turned off. However, as of pre-release 2 of 1.19.1 it is default-on, and the only way to check the value of this option is to try joining the server without exposing the public key of the account, in which case the player gets kicked with a specific reason if the option is enabled.

My mod works with this by detecting the disconnect screen and seeing what the kick reason was, and if the user indeed ended up kicked because of the key, I swap the disconnect screen with the one that looks like this:

[image]

If the user clicks "proceed", they will get reconnected to that server. This time their public key will be exposed and the mod will not prevent the client from sending signed messages. "Do not show again for this server", if checked, will add the server to a whitelist of servers in the config for which this warning screen will not be shown in the future. The client will still try to refuse sending the public key as a test on every user-initiated connection to such servers (in case the value of enforce-secure-profile changes later on the server), but instead of showing the warning screen after being kicked they will be reconnected immediately as if they clicked proceed.

While such an implementation works reasonably well for my case, it has certain nuances that might make it impractical for integration as part of an unrelated project:

  1. Duplicating such an implementation has to take into account compatibility concerns that might arise when used alongside the original mod;
  2. Shenanigans with the warning screen and state management on join present a certain maintenance commitment. Signature stripping itself is quite easy to do, but we have to keep track of when it can be done and when not;
  3. I make an assumption that it is always safe and reasonable to connect to the server twice in short order for the purpose of testing the value of enforce-secure-profile on every player-initiated connection;
  4. A lot of servers will keep enforce-secure-profile enabled. We will have to wait and see how many, but the more we have them around, the less effective this client-sided protection of the user is on average.

Of course, other features of the mod can be copied much more easily, like disabling the report button itself in the Social Interactions screen, stripping signatures on all incoming player messages and/or removing Chat Trust Status indications (which serve little purpose but to scare people away from servers which actually try to make user messages unidentifiable). While this works for the purpose of counteracting the reporting system, it does so by taking some degree of knowledge or power away from the user of the mod, which can seem a bit unfair in case the mod will not try to do anything that would actually protect the users themselves from those who don't have such a mod. Whether doing that would be reasonable is up to your judgment, of course, I am simply making you aware.

Overall, I think the safest approach here would be to wait until 1.19.1 is actually released, and we can do a more complete evaluation of what can be done to combat the reporting system on an ongoing basis. I am always happy to provide my consultation in this regard, now or then.

jaylawl commented 2 years ago

> If players want to install this mod, they can. OptiFine is an optimisation mod, not a mod made to bypass the chat moderation.

Shader options do not optimise your game either, yet OptiFine has them. While I agree with your general message, no rules shall be absolute.

And huge thanks to the OP for bringing this up. Quite the important topic!

Madis0 commented 2 years ago

An update on that question:

> What are the exact changes that have to be done?

Now that 1.19.2 is really out, I'd say OptiFine should just add the following options:

Also, when the server kicks the player with the reasons multiplayer.disconnect.missing_public_key, multiplayer.disconnect.expired_public_key, multiplayer.disconnect.invalid_public_key_signature, OptiFine could show a custom message referring to the option, instead of vanilla one.

Edit: updated for 1.20.2 and now assuming the vanilla defaults
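
The join-time decision Aizistral describes (probe without the key, warn, remember the choice per server) combined with the three kick reasons Madis0 lists, as an added example that is not code from No Chat Reports or OptiFine. It uses no Minecraft classes; every type, method and server name is hypothetical, and treating all three reasons as key-related is an assumption.

```java
import java.util.HashSet;
import java.util.Set;

// Added illustration: plain Java, no Minecraft or mod classes. All type and
// method names here are hypothetical.
public class KeyDisclosurePolicy {
    // Kick reason keys quoted in the thread.
    static final Set<String> KEY_KICK_REASONS = Set.of(
            "multiplayer.disconnect.missing_public_key",
            "multiplayer.disconnect.expired_public_key",
            "multiplayer.disconnect.invalid_public_key_signature");

    enum Action { VANILLA_SCREEN, WARNING_SCREEN, RECONNECT_WITH_KEY, KEY_ERROR_SCREEN }

    // Servers for which the user ticked "Do not show again for this server".
    private final Set<String> noWarnServers = new HashSet<>();

    // Decide what follows a kick; keyWasSent says whether this attempt exposed the key.
    Action onKick(String server, String reasonKey, boolean keyWasSent) {
        if (!KEY_KICK_REASONS.contains(reasonKey)) {
            return Action.VANILLA_SCREEN;      // unrelated kick, leave it alone
        }
        if (keyWasSent) {
            return Action.KEY_ERROR_SCREEN;    // key already exposed: do not retry in a loop
        }
        // The probe attempt without the key was rejected, so the server enforces it.
        return noWarnServers.contains(server)
                ? Action.RECONNECT_WITH_KEY    // user consented earlier for this server
                : Action.WARNING_SCREEN;       // ask before exposing the key
    }

    // User clicked "proceed" on the warning screen.
    Action onProceed(String server, boolean doNotShowAgain) {
        if (doNotShowAgain) {
            noWarnServers.add(server);
        }
        return Action.RECONNECT_WITH_KEY;
    }

    public static void main(String[] args) {
        KeyDisclosurePolicy p = new KeyDisclosurePolicy();
        String s = "mc.example.test";          // constructed server name
        String missing = "multiplayer.disconnect.missing_public_key";
        System.out.println(p.onKick(s, missing, false));   // first probe on this server
        System.out.println(p.onProceed(s, true));          // user consents and ticks the box
        System.out.println(p.onKick(s, missing, false));   // later probe, same server
        System.out.println(p.onKick(s, missing, true));    // kicked although the key was sent
        System.out.println(p.onKick(s, "example.unrelated_reason", false)); // constructed key
    }
}
```

The `keyWasSent` branch is what bounds the double connection raised in point 3 of the list above: a key-related kick on the second attempt ends on an error screen instead of triggering another reconnect.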