Login/register: allow to set home server and identity server urls #20

Closed
bmarty opened this issue Jan 8, 2019 · 16 comments

@bmarty
Member

bmarty commented Jan 8, 2019

Currently matrix.org is hard-coded and so used by default

@bmarty bmarty added the p1 label Jan 8, 2019
@bmarty bmarty changed the title from "Login/register: allow to change home server and identity server url" to "Login/register: allow to set home server and identity server urls" Jan 8, 2019
@ganfra
Member

ganfra commented Jan 21, 2019

Quickly done, will have to make it better later.

@ganfra ganfra closed this as completed Jan 21, 2019
@jomat

jomat commented Jul 9, 2019

ID server is still vector.im

@afonari

afonari commented Jul 22, 2019

Why can't the identity server be changed?

This case was closed, is it not considered a bug?

Workaround: Block riot.im and vector.im using Blokada and log in to a server not hosted on matrix.org.

@maxidorius

maxidorius commented Jul 26, 2019

Given the extensive research documents on privacy, @bmarty @ganfra could you please take privacy seriously and the time to do this right directly? We know how "later" will play out already.

@afonari

afonari commented Jul 26, 2019

@maxidorius I don't think they're gonna do it. See https://github.com/vector-im/riot-web/issues/7757
They want to lock the users in.

@ghbjklhv1

ghbjklhv1 commented Jul 28, 2019

> Quickly done, will have to make it better later.

Aye, any progress update?
This issue may be fairly severe.

@Mikaela

Mikaela commented Jul 29, 2019

Also could this issue be reopened until it's fixed so it's easier to track?

@ara4n ara4n reopened this Jul 29, 2019
@lampholder
Member

RiotX doesn't use an identity server (there is a reference to vector.im in https://github.com/vector-im/riotX-android/blob/master/vector/src/main/res/values/config.xml, but it looks like that's been copy+pasted from the original android app config - I'll file a bug to get that removed).

@lampholder
Member

#445 is the issue to track vaping the unused config.

@maxidorius

maxidorius commented Jul 29, 2019

> RiotX doesn't use an identity server (there is a reference to vector.im in https://github.com/vector-im/riotX-android/blob/master/vector/src/main/res/values/config.xml, but it looks like that's been copy+pasted from the original android app config - I'll file a bug to get that removed).

@lampholder RiotX does use Identity server, here (saved to Wayback machine) to be precise, which is used in the authenticate method. Funny enough it uses a hardcoded (yet again) value to vector.im defined earlier in the code. There are identity server references in other parts of the code as well. Please clarify what you meant by "RiotX doesn't use an Identity server".

@lampholder
Member

Hi @maxidorius - in element-hq/element-web#445 I said that I found a reference to vector.im in the RiotX codebase easily, and there might be more, and all references to using vector.is should be removed because RiotX doesn't use an Identity Server.

> Please clarify what you meant by "RiotX doesn't use an Identity server".

I'm not sure what the lack of clarity is here, but I'm happy to try and elaborate.

Identity Servers provide services to support contact discovery, namely: bulk contact lookup, individual contact lookup, and publicly binding your own email or phone number with your matrix ID. RiotX doesn't do any of that. So whilst as element-hq/element-web#445 says there are references to vector.im as an Identity Server in the RiotX code base (resulting from those parts of the code being carried over from Riot Android, IIUC), RiotX doesn't actually communicate with an Identity Server at all, so this URL isn't part of the live code execution. Its being there causes confusion, though, hence element-hq/element-web#445.

Of course, RiotX is open source software, and the benefit of open source software is that anyone can see precisely what the code is doing. So if despite our efforts and intentions you spot something that contradicts the above please do bring it to our attention!

@ganfra
Member

ganfra commented Jul 29, 2019

#446 removed confusing code.

@maxidorius

maxidorius commented Jul 29, 2019

> Identity Servers provide services to support contact discovery, namely: bulk contact lookup, individual contact lookup, and publicly binding your own email or phone number with your matrix ID. RiotX doesn't do any of that.

@lampholder You're right, RiotX itself doesn't do that, instead it will use that info in the create room code (that just got touched (but not removed!) by element-hq/element-web#446) which is sent to the Homeserver which in turn, can use it. That's still being used. You might tell me that because RiotX doesn't support inviting people to room, it's not used and you would be right. But as soon as that is added, it will use code which is already there, which comes back to my original comment:

> could you please take privacy seriously and the time to do this right directly? We know how "later" will play out already.

This is the "later" I am talking about: there is communication that there is nothing Identity related in RiotX and so nothing to fear, nothing to consider, nothing to do. Please handle Identity server correctly and don't leave anything to chance. If Identity server is not used, then get rid of the code for it, or comment it out, or actually implement it right.

Either way, having a hardcoded IS URL in the code itself is dangerous for privacy (and is still in there even after element-hq/element-web#446). The exact same issue exists in the current Riot: remove the config value in config.json and the hardcoded value in code takes over, which is vector.im again. This is a high risk point: Default settings matter. That is the topic of my first research document.
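
The fallback behaviour described in the comment above, shown as an added example that is not part of the thread and not Riot's or RiotX's code: a resolver that lets a built-in default take over when the key is removed, beside one with no built-in default. The key names `identity_server_url` and `default_hs_url`, the function names and the sample configs are assumptions made for illustration.

```javascript
// Added illustration. The key names and both resolver functions are
// hypothetical; they are not taken from Riot or RiotX.
const HARDCODED_IS = "https://vector.im"; // built-in default named in the thread

// Pattern from the comment: when the key is absent, the built-in value takes
// over, so deleting the setting does not turn the identity server off.
function resolveWithFallback(config) {
  return config.identity_server_url || HARDCODED_IS;
}

// Alternative: no built-in default. Absent, null or empty means "none";
// a configured value must parse as an https URL or loading fails loudly.
function resolveExplicit(config) {
  const raw = config.identity_server_url;
  if (raw === undefined || raw === null || raw === "") return null;
  if (typeof raw !== "string") {
    throw new TypeError("identity_server_url must be a string");
  }
  let url;
  try {
    url = new URL(raw);
  } catch {
    throw new Error("identity_server_url is not a valid URL");
  }
  if (url.protocol !== "https:") {
    throw new Error("identity_server_url must use https");
  }
  return url.origin;
}

// Constructed sample configs, as they might be parsed from a config.json.
const SAMPLES = {
  keyRemoved: { default_hs_url: "https://hs.example.org" },
  keyEmpty: { identity_server_url: "" },
  selfHosted: { identity_server_url: "https://is.example.org/" },
};

// Resolve every sample with both strategies so the difference is visible.
function compareResolvers(samples) {
  const out = {};
  for (const [name, cfg] of Object.entries(samples)) {
    out[name] = {
      fallback: resolveWithFallback(cfg),
      explicit: resolveExplicit(cfg),
    };
  }
  return out;
}

console.log(compareResolvers(SAMPLES));
```
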

@ara4n
Member

ara4n commented Oct 10, 2019

just to be clear, once again, RiotX does not implement any identity service functionality at all yet. This is why it does not expose an identity server URL. When it does get added, we will of course make it configurable and function in a privacy preserving manner in line with https://matrix.org/blog/2019/09/27/privacy-improvements-in-synapse-1-4-and-riot-1-4

@jcaesar

jcaesar commented Oct 14, 2019

> IS URL in the code itself […] is still in there even after element-hq/element-web#446

@maxidorius And… where would that be? (I hope you're not referring to the one in the tests.)

@bmarty
Member Author

bmarty commented Jan 3, 2020

I linked to element-hq/element-web#607 (FTR) and close this one
