synapse/docs/server-server/security-threat-model.rst

4.1 KiB

Overview

Scope

This document considers threats specific to the server to server federation synapse protocol.

Attacker

It is assumed that the attacker can see and manipulate all network traffic between any of the servers and may be in control of one or more homeservers participating in the federation protocol.

Threat Model

Denial of Service

The attacker could attempt to prevent delivery of messages to or from the victim in order to:

  • Disrupt service or marketing campaign of a commercial competitor.
  • Censor a discussion or censor a participant in a discussion.
  • Perform general vandalism.

Threat: Resource Exhaustion

An attacker could cause the victims server to exhaust a particular resource (e.g. open TCP connections, CPU, memory, disk storage)

Threat: Unrecoverable Consistency Violations

An attacker could send messages which created an unrecoverable "split-brain" state in the cluster such that the victim's servers could no longer dervive a consistent view of the chatroom state.

Threat: Bad History

An attacker could convince the victim to accept invalid messages which the victim would then include in their view of the chatroom history. Other servers in the chatroom would reject the invalid messages and potentially reject the victims messages as well since they depended on the invalid messages.

Threat: Block Network Traffic

An attacker could try to firewall traffic between the victim's server and some or all of the other servers in the chatroom.

Threat: High Volume of Messages

An attacker could send large volumes of messages to a chatroom with the victim making the chatroom unusable.

Threat: Banning users without necessary authorisation

An attacker could attempt to ban a user from a chatroom with the necessary authorisation.

Spoofing

An attacker could try to send a message claiming to be from the victim without the victim having sent the message in order to:

  • Impersonate the victim while performing illict activity.
  • Obtain privileges of the victim.

Threat: Altering Message Contents

An attacker could try to alter the contents of an existing message from the victim.

Threat: Fake Message "origin" Field

An attacker could try to send a new message purporting to be from the victim with a phony "origin" field.

Spamming

The attacker could try to send a high volume of solicicted or unsolicted messages to the victim in order to:

  • Find victims for scams.
  • Market unwanted products.

Threat: Unsoliticted Messages

An attacker could try to send messages to victims who do not wish to receive them.

Threat: Abusive Messages

An attacker could send abusive or threatening messages to the victim

Spying

The attacker could try to access message contents or metadata for messages sent by the victim or to the victim that were not intended to reach the attacker in order to:

  • Gain sensitive personal or commercial information.
  • Impersonate the victim using credentials contained in the messages. (e.g. password reset messages)
  • Discover who the victim was talking to and when.

Threat: Disclosure during Transmission

An attacker could try to expose the message contents or metadata during transmission between the servers.

Threat: Disclosure to Servers Outside Chatroom

An attacker could try to convince servers within a chatroom to send messages to a server it controls that was not authorised to be within the chatroom.

Threat: Disclosure to Servers Within Chatroom

An attacker could take control of a server within a chatroom to expose message contents or metadata for messages in that room.