As I noted within my post #9955859@lemm.ee (alternate link), I found that thumbnail generation in Element is an enourmous privacy, and security vulnerability. Thumbnails are generated server-side, regardless of E2EE settings. What this means is that the URLs that one sends would be leaked out of your encrypted chats to the server.
Yeah it literally tells you in the UI before enabling it
Indeed, it does. It can be overlooked, however. I added that info to my post, though. Thank you for the note.
With my friend we have a bot who does this for us. Check out on maubot - at least it is mot client side work
What is this post signature, and how does one use it and create one for their own post? Also, what is the purpose?
I’m testing out some ideas that I’ve had for my posts – the signature and the edit history. They are a result of the current status of the following two issues on GitHub:
- Add the ability to view an edit history for posts
- Sign a user’s posts and comments with a private key that only the user possesses, so that server admins are unable to secretly modify a user’s content
Recently (as of 2023-10-02T03:28Z), one of the maintainers/developers for Lemmy closed those two issues with either little, or no rationale. I personally think that they are good features. Since it appears that those features are not going to be seamlessly added to Lemmy, I’m trying to see if it is practical to manually add them to posts.
Regarding the edit history: The purpose of an edit history is to solve the issue of people not knowing what changed in a post when it was edited. The main issue with a user-created, and maintained edit history, however, is its inherent the lack of trust. Its existence increases transparency, but you still have to trust that the user hasn’t lied about what is in the diff. The implementation would be to have the server generate it, but, unfortunately, the dev has removed that possibility for the time being.
Regarding the signature: The purpose of the signature was a means to ensure censorship resilience from the admins of an instance. As it currently stands, any admin can freely edit the content of a user’s posts, or comments with no one being the wiser. A signature would provide a sort of check against this. If a user signs a post with their own private key, then, by verifying the post’s signature with the user’s public key, one can be certain that that user was the one that wrote it, and not a server admin, or any other external entity. But, again, this feature has been blocked on GitHub.
The long, and short of it is this is me trying to protest silly decisions made by the devs of Lemmy.
XjVHP8uM5fq98jHV8JV5vFPu5gRXLoED0c+Zor+4GSHmw24ulwpMtjK/5+8Ns7887mYVWpZuojfJyjmPHXnX8OpkqNA5BwcGrM2s9XbaoVDK5SyFDUPDWaH4wJfiBkMTb3kf2NFgNN99+wew0kptS2OJkp/FCKsRcNt6QRDnw3Zikn4Z7Xf2VGhmNxbKnHp1pTeiCGpO97rIkLc+VYvMrejIQOhr/tKAV3f0d30WueRQjhuhhiO2VXEQDtn5wZTX+Z33VI7iVHyV92gGjgbnf+8BQxH7F0Gy4CR2EkKDlgz+tAhWtJEUm7/s7wNKAUbJuBiPgvrgu/ULQYlC9jsrmw==
Can’t the admins just edit it and sign with a new key? Either way there won’t be a way to know for sure who edited the comment, you could know if the original poster did it, but well they can just tell you that.
Can’t the admins just edit it and sign with a new key?
Of course, but if the signature were to change, it would no longer match the public key.
Either way there won’t be a way to know for sure who edited the comment
The goal is only to know if the OP edited it or not. It doesn’t really matter who edited it if it wasn’t the OP. The only important information would be that it wasn’t the OP.
but well they can just tell you that.
Verifying with the user’s public key accomplishes the same, and is independent of a direct audit from the user.
M8MWBlYzqtptLS+L0BwaziVKPJxA5cjBVybwWRLfVjCY1nQV+Kr8yjn3XFV8uwiJ9tlrzhTN7jVKfRFikIbPCz1AsuAgisiO4N77lto/pzItRs53WlZzvn1hYnLqZgUHIeehr7SJsbGCGlBxD48DWTITwzO43/AXGu23Ug/1peLG8KrB1CnIsI4Aov21IQvcOEsQf+cYrOeNR8MqJ3ivvs5cxBii1h+9GYwrM6mTBF42UlY6OqhHIpBUJ2aJmcA25TJ+PMtTeQq7H/ctD5fHe1kryyG0BwxgdjyXaye9O0Wr9cusUldjvfFhldNOkqxZJecCZ8qloYpP5CNcMcnHPg==
How can I find your public key without going through a channel that could also have been manipulated by the admins, though? That seems problematic to me
This is indeed an obstacle in practicality. You are absolutely right in that any channel under control by the admin could be used as a means to orchestrate a MITM attack and replace my public key with theirs. The only way for this to work is for me to personally provide my public key in a separate, and secure channel like Matrix.
I would like to emphasize that this is all just an experiment for my own interest. I would certainly not recommend what I am doing to anyone else.
content-signature:nHszcVqN6q4R+QXnem7w42nxw58kNPNV3UGVK/rxBP5QBWNjoHX5WstdcuLWiiuuky0ZwXVR6zif2/+oWwRcmDtbv+FNlBOKSIVfcW1lSOQNQeBddbmBNIfP7hBjtTSVbszIZPXNzJQykEFdxh9hJVaC3eEqxYnN4oIOdxWjj+MejQ2zpG3l/BdnTLqWX3rf4HK4VPD8OMYyxTbqhtTMMje+tfCrf/EtRfgY3gd0Clm6oWw6WeD6QgQdJHgbRlDrZwIVE8F5zdtnooFcIptlo4ovJl9VX7FdBCExRW9MQJUU+3AZv5gVCZ4pZ9zZaXihGmhdNRDbAX9XQVUSSRc+1w==
Makes sense, thanks for clarifying!
The goal is only to know if the OP edited it or not. It doesn’t really matter who edited it if it wasn’t the OP. The only important information would be that it wasn’t the OP.
OP can edit comment, sign with a different key and claim his comment was edited by the admins.
So we can’t know who really edited the comment unless in the default boring situation: it was OP and he signed it with the correct key which is the same as him just telling “yeah, it was me” or not saying anything at all since it’s the default.
OP can edit comment, sign with a different key and claim his comment was edited by the admins.
Dang, that is a scenario that I hadn’t considered. I’m not sure that there’s anything that can be done about it.
content-signature:h0Iy5AaMSi9fo+LeWpR1hFpbRygi066LKPL7+5aDJ4Y0mf33R8/E+wn9At+N0dvNr8HH1eAghGkpfCbfcoe5NzzcsRMgfl+qSYjrpb4DmN124DLLoFd7q55R/aqXdqqZP+4DaVTLVN5G2MKg5SPL0SMhHxTl6f4BUxhQCWy6PapqwvsG3D59hVQtNlgm4/ab7oo5ORIR+ENV59+rrssNxaNBsKud4rths93SFMCf/si3Uewo0VNCorTb/KUMoZaHv21zmneq5UxZRkqXD3ZR4/H7vDILWArp350OSpZxm69kTJAeBH3VuvYkKunMlouzsxEJqdLDaaApYWwSyyUYLQ==
Why not just host your own lemmy instance on a cheap vps and be satisfied you’re the only admin heh
That doesn’t make any sense… If the URLs are server side that means there is no e2ee at any time because the server has to know when to shown the preview…
If that’s true disabling preview generation doesn’t really matter because the vulnerability would be elsewhere
I never used matrix, but do clients own the keys or are they stored on the server?
If you look at this documentation it outlines various methods of generating URL thumbnails. Essentially, a separate request from the client for only the URL is made to the server which then returns a thumbnail. It’s an absolutely moronic design choice, if you ask me.
I agree. That’s a terrible choice to me.
Why would they not just offload this as a feature for the client to handle? At least then the security and privacy ultimately would be up to the user’s decision.
Post a link to a channel of 1k users and 1k users send a request to the website, instead of only the server once?
/edit: From a privacy standpoint I’d really trust my chat server provider over random websites. So I definitely don’t see how it’s a terrible choice for these two reasons.
That being said, if you’re concerned, disabling previews is the answer.
Have you posted a suggestion on github? I feel like this was a proof on concept during development and maybe it was forgotten about further along the life cycle.
There are existing issues on GitHub:
Is there a way to disable client image loading in general?
Syphon does this by default, but I can’t find an equivalent setting anywhere in Element