Skip to content
This repository has been archived by the owner on Jun 24, 2022. It is now read-only.

🆕 Software Suggestion | Matrix (Riot/Synapse) #1389

Closed
5 of 7 tasks
jonaharagon opened this issue Oct 10, 2019 · 35 comments · Fixed by #1392
Closed
5 of 7 tasks

🆕 Software Suggestion | Matrix (Riot/Synapse) #1389

jonaharagon opened this issue Oct 10, 2019 · 35 comments · Fixed by #1392

Comments

@jonaharagon
Copy link
Contributor

jonaharagon commented Oct 10, 2019

Basic Information

Name: Matrix (Riot)
Category: RTC > Team Chat Platforms
URL: https://about.riot.im/

Name: Matrix (Synapse)
Category: RTC > ?
URL: https://matrix.org/docs/guides/installing-synapse
I think we need to mention Synapse specifically and encourage self-hosting over using the matrix.org homeserver, or really any public homeserver whenever possible. I don't know if this should be mentioned in the Riot listing, or if we should have a separate category for RTC servers.

Description

Since Riot was last reviewed, they have added a number of privacy-centric improvements. This is not a complete list, but these are issues we previously defined as major blockers:

There are a few unfixed issues, but I don't know if they are blockers to recommendation or not, so that's what I want to discuss here.

Finally, there are a few more "major" concerns we've voiced that have not yet been fixed, but that I do not think are blockers at all.

  • Matrix.org uses Cloudflare
    • Services using Cloudflare has historically not been a blocker for recommendation. I personally don't see it as a "major" issue at all.
    • End-to-End Encrypted chats are not really affected by this, and should be used whenever sensitive messages are being communicated.
    • Finally, during this re-listing we definitely want to discourage the use of matrix.org anyways to promote decentralization.
  • Present an aggregated terms of service dialogue at registration if possible element-hq/element-web#10167: Present an aggregated terms of service dialogue at registration if possible
    • Operators of custom Riot servers can specify ToS, Privacy Notices, etc. in config.json, no?
    • The functionality I wanted does exist, whoops!
  • Riot X identity server is not configurable. Login/register: allow to set home server and identity server urls element-hq/element-android#20
    • For privacy reasons a hardcoded IS seems unacceptable, but is Riot X currently recommended for public use? I don't think we can judge the project based on an incomplete client.
    • In addition to being in beta, identity server functionality is not implemented at all.

All the other issues within https://github.com/privacytoolsIO/privacytools.io/issues/1049 are still important to monitor but I don't think the issues not mentioned above are blockers and are mostly small issues.

Anyhow, it seems clear to me that the Matrix team is at least committed to fixing their issues. For instant messengers I would still probably prefer Signal or Wire, but for a more public, large group chat use-case there does not appear to be any better alternatives to Matrix, especially from a privacy standpoint. This is why we still use it ourselves. It seems especially disingenuous to recommend XMPP over Matrix.

Also, I think that by advertising our group chat on Matrix without recommending Matrix itself we are both sending a mixed message and promoting centralization on our own server, by not demonstrating the alternatives (hosting it yourself).

@dngray
Copy link
Collaborator

dngray commented Oct 10, 2019

I support this. It would make https://github.com/privacytoolsIO/privacytools.io/issues/1377 a lot simpler too.

All the other issues within #1049 are still important to monitor but I don't think the issues not mentioned above are blockers and are mostly small issues.

Anyhow, it seems clear to me that the Matrix team is at least committed to fixing their issues. For instant messengers I would still probably prefer Signal or Wire, but for a more public, large group chat use-case there does not appear to be any better alternatives to Matrix, especially from a privacy standpoint. This is why we still use it ourselves. It seems especially disingenuous to recommend XMPP over Matrix.

Also, I think that by advertising our group chat on Matrix without recommending Matrix itself we are both sending a mixed message and promoting centralization on our own server, by not demonstrating the alternatives (hosting it yourself).

Could not have put it better myself.

@ara4n
Copy link

ara4n commented Oct 10, 2019

Several of the issues listed here as unfixed are actually fixed - i've gone through updating the bugs in question to try to make it clear, but specifically:

@jonaharagon
Copy link
Contributor Author

Thank you @ara4n, I've updated the issue.

Re 10167 I was confused, I actually wasn't aware consent tracking existed. Don't know how that slipped by me, but since that's the case I do agree the current implementation is probably better. Sorry about that!

@blacklight447
Copy link
Collaborator

I REALLY don't want to recommend matrix until e2ee is turned on by default for private chats.

@dngray
Copy link
Collaborator

dngray commented Oct 10, 2019

I REALLY don't want to recommend matrix until e2ee is turned on by default for private chats.

If that's the case we should not recommend any XMPP clients as they do not have it on by default either; and likely never will do.

Perhaps a warning badge and a link to step-by-step guide in enabling it in Riot would do? We know that E2EE is going to be on by default for 1:1 chats with Riot element-hq/element-web#6779 at some time in the future.

@dawidpotocki

This comment has been minimized.

@dngray

This comment has been minimized.

@dawidpotocki

This comment has been minimized.

@dngray

This comment has been minimized.

@dawidpotocki

This comment has been minimized.

@dngray

This comment has been minimized.

@dawidpotocki

This comment has been minimized.

@dngray

This comment has been minimized.

@blacklight447
Copy link
Collaborator

Thing is, end to end is the default on all other platforms we basically recommend. I wouldn't see why riot deserve an exception here. Plus, they announced to make it default very soon, so it cannot hurt to wait for it a little longer.

@dngray
Copy link
Collaborator

dngray commented Oct 10, 2019

Thing is, end to end is the default on all other platforms we basically recommend.

Well except for the current XMPP clients, we recommend. Do we know if Monal supports E2EE by default? I don't think it uses E2EE for it's jingle transport https://github.com/anurodhp/Monal/issues/10 https://github.com/anurodhp/Monal/issues/267

I am pretty sure Gajim doesn't.

Perhaps we should consider a warning badge?

The rocky road to OMEMO by default probably a bit outdated, but it does talk about this issue.

I wouldn't see why riot deserve an exception here. Plus, they announced to make it default very soon, so it cannot hurt to wait for it a little longer.

I guess we can always wait.

@dawidpotocki
Copy link
Contributor

dawidpotocki commented Oct 10, 2019 via email

@dawidpotocki

This comment has been minimized.

@dngray

This comment has been minimized.

@blacklight447
Copy link
Collaborator

Maybe @ara4n will be able to give us an estimated time until e2ee will be turned on by default for private chats?

@dawidpotocki

This comment has been minimized.

@dngray

This comment has been minimized.

@Mikaela
Copy link
Contributor

Mikaela commented Oct 10, 2019

I think we need to mention Synapse specifically and encourage self-hosting over using the matrix.org homeserver, or really any public homeserver whenever possible. I don't know if this should be mentioned in the Riot listing, or if we should have a separate category for RTC servers.

I wish we could recommend a non-Synapse and non-Riot option also as currently there is only New Vector.

There are a few unfixed issues,

I have some more:

  • Communities are centralized on a single server and often broken flashing the screen too fast for clicking join or not loading at all. There is also no way to grant other users permissions in a community, so they also get centralized on a single user. They are also Riot-only as far as I am aware. I am told that communities are being rewritten, so maybe it should be a blocker before calling Riot a team chat application.
  • The direct chats system is weird and from what I understand getting more sense in MSC2199: Canonical DMs matrix-org/matrix-spec-proposals#2199 so I would also be waiting for it.
  • There is no indepedent security audit (other than the OLM one and E2EE is again not enabled by default).

Media is never redacted matrix-org/synapse#1263

Not something I would like to see in our recommendation.

End-to-End Encrypted chats are not really affected by this, and should be used whenever sensitive messages are being communicated.

Is E2EEd media also media? What about when technology is powerful enough to break todays encryption?

Finally, during this re-listing we definitely want to discourage the use of matrix.org anyways to promote decentralization.

Blocker: matrix-org/matrix.org#586

Also, I think that by advertising our group chat on Matrix without recommending Matrix itself we are both sending a mixed message and promoting centralization on our own server, by not demonstrating the alternatives (hosting it yourself).

https://github.com/privacytoolsIO/privacytools.io/issues/987

Perhaps a warning badge

Will we have a warning about it not having been indepedently audited?

afaik that's fork of Conversations that uses phone numbers as an identifier.

No, it's a build variant of Conversations.

What we really need to decide is, is it too difficult to show a user how to enable E2EE on a 1:1 conversation in Riot? - we can do that with pretty pictures. ie:

How about we just wait for New Vector to enable it default as they have said that they are going to do it? element-hq/element-web#6779

@Mikaela
Copy link
Contributor

Mikaela commented Oct 10, 2019

While assigning labels I noticed the Tor one and would like to ask @ara4n what is the status with element-hq/riot-meta#287 and related issues and mark it as a blocker.

We are currently recommending Tor for anonymity instead of a VPN and you generally don't send all your traffic through Tor and instead Torify only specific applications, possibly even with SOCKS isolation and currently all Riots make that non-trivial.

@jonaharagon
Copy link
Contributor Author

I REALLY don't want to recommend matrix until e2ee is turned on by default for private chats.

Just for clarification my proposed solution at #1392 would only "recommend" Riot as a team chat platform, mainly for this reason.

@Mikaela
Copy link
Contributor

Mikaela commented Oct 10, 2019

And I wouldn't list Riot even as a team chat application until the communities are rewritten (and when matrix-org/matrix-spec-proposals#2199 is fixed I think it may be listed also as a direct chat client). See also my other concerns above.

Edit: I think this is matrix-org/matrix-spec-proposals#1513 (meta/tracker) + worked upon at matrix-org/matrix-spec-proposals#1772.

@Mikaela Mikaela added the iOS label Oct 10, 2019
@jonaharagon
Copy link
Contributor Author

I probably disagree that the "communities" feature are an integral part to either the "team chat" or the "Matrix" experience in general. They seem to be mostly useful as flairs designating certain memberships, somewhat akin to IRC vanity vhosts...

@ara4n
Copy link

ara4n commented Oct 10, 2019

This thread makes my head hurt. It seems to be devolving into a weird list of personal gripes against Matrix, saying “we can’t possibly relist Riot until... ‘all phase 3 (ie nice-to-have) privacy bugs are closed’ or ‘it has native Tor support’ or ‘communities get rewritten’ or ‘because both it and Synapse are mainly written by the same team’ or ‘it doesn’t have latex support’ (or whatever the next complaint will be)”. This feels bizarre in the extreme, and honestly makes privacytools look bad. It feels like we are being judged by a totally different and arbitrary standard to the other tools, despite demonstrably prioritising privacy and freedom.

We hope to turn on E2E by default in the coming months - ideally by end of year. Possibly sooner, given pantalaimon and seshat are almost ready; it’s only the E2EE cross signing that remains because... we prioritised it behind addressing the privacy concerns which had been highlighted. It is genuinely hard to get it right, and we don’t want to force it on until it’s perfect otherwise it will just screw over all the users who are used to the existing behaviour. Meanwhile, just as XMPP doesn’t mandate E2EE, nor does Matrix.

At this point, we are going to keep plugging away improving Matrix, and hope that you consider it worth promoting at some point.

@Mikaela
Copy link
Contributor

Mikaela commented Oct 10, 2019

My understanding is that Matrix communities are best compared to Discord servers/guilds or IRC servers, and the flair is a side-effect.

Example

I am an operator on PirateIRC which is IRC network intended only for international Pirate Parties. IRC clients generally list all servers under specific servers and there are currently 115 channels that would appear under it, while anything joined on another server would appear under that server.

This is what I understand Discord to be replicating as if I joined a Discord server, I would see server/guild bubbles on the left and next to them the list of channels on that server (I would be autojoined to everything that I have permission to unlike at IRC).

I understand that Matrix is attempting to directly imitate Discord, so everything would not appear as belonging to a single IRC server, but belong to the releated community/communities such as Pirate Parties or Pirate Party Finland.

Thinking while finishing this comment, IPFS could have been a better example, but I haven't followed them recently due to having been on a IRC break and trying to avoid IRC-bridged Matrix rooms.

@Mikaela
Copy link
Contributor

Mikaela commented Oct 10, 2019

It feels like we are being judged by a totally different and arbitrary standard to the other tools, despite demonstrably prioritising privacy and freedom.

I think you have a worse track record than many of the other tools, but I hope everything in real time communication is judged similarly.

Meanwhile, just as XMPP doesn’t mandate E2EE, nor does Matrix.

It will probably warm you to hear that @jonaharagon has proposed delisting XMPP on our team chat and I expect him to be opening an issue soon.

My personal view on this is that you have history of storing messages forever even when they have been removed by the user and you are currently storing media messages forever, while XMPP has (as far as I know of) always had expiry time for messages. I am also confused on how file uploads sent in a direct chat can be posted elsewhere as easily as by copying the URL, which to me hints that they aren't actually private.

@jonaharagon
Copy link
Contributor Author

jonaharagon commented Oct 10, 2019

This feels bizarre in the extreme, and honestly makes privacytools look bad. It feels like we are being judged by a totally different and arbitrary standard to the other tools, despite demonstrably prioritising privacy and freedom.

@ara4n Uh, yeah, I agree 🤔 None of the issues anyone else has brought up outside the original post appear to have actual privacy implications to users.

@jonaharagon
Copy link
Contributor Author

jonaharagon commented Oct 10, 2019

Plus, they announced to make it default very soon, so it cannot hurt to wait for it a little longer.

@blacklight447-ptio Will it be the default for large group chats? E2EE is highly irrelevant for large groups which is primarily what Riot is being recommended here for, to be clear. It is not a recommended instant messenger for this reason but seeing as E2EE exists we can mention it.

@Mikaela
Copy link
Contributor

Mikaela commented Oct 10, 2019

Will it be the default for large group chats?

I don't think so, element-hq/element-web#6779.

@ara4n
Copy link

ara4n commented Oct 10, 2019

I think you have a worse track record than many of the other tools

Speaking as objectively as possible: I think this is untrue. For instance, thinking about the tools which actually claim a security focus, Wire claimed their VoIP calls were E2EE when they simply weren't; Signal has had a series of basic security screwups (free-for-all XSS and acting as an audio bug etc.)

Whereas the worst complaint levelled against us seems to be that we set a default value for the phone book & integration manager for convenience (which we then went and fixed), and that configurable history retention and e2e-by-default hasn't been merged yet (despite clearly warning in the message composer that messages are unencrypted in non-E2E rooms). It feels like folks have been dazzled by the sheer number of words put out by the libremonde 'research'.

It will probably warm you to hear that @jonaharagon has proposed delisting XMPP

I have absolutely nothing against XMPP. We're working this week on turning Bifrost back on for XMPP<->Matrix bridging, and I really appreciated the XSF team reaching out to say congrats on our funding announcement today. The enemy here is FB/Google/Discord/Slack etc - not XMPP!!!

My personal view on this is that you have history of storing messages forever even when they have been removed by the user

...which was always on the todo-list to fix - since 2015, and has now been solved. It's not like we were doing this maliciously.

and you are currently storing media messages forever

Yes, this needs to be fixed, but is it really a privacy disaster? Especially if the file is E2EE?

I am also confused on how file uploads sent in a direct chat can be posted elsewhere as easily as by copying the URL, which to me hints that they aren't actually private.

The filenames are random. All you're doing is swapping a random access_token for a random file name. It would take longer than the heat death of the universe to guess one of the filenames. So the fact that you can copy the URLs between rooms is not a massive vulnerability. That said, we're going to fix it anyway (just to stop having this conversation, if nothing else) - just as we're providing deletion APIs for attachments.

Will it (E2EE) be the default for large group chats?

E2EE will be turned on by default for rooms created as private chats - either DMs or private group chats.

@Mikaela
Copy link
Contributor

Mikaela commented Oct 10, 2019

For instance, thinking about the tools which actually claim a security focus, Wire claimed their VoIP calls were E2EE when they simply weren't; Signal has had a series of basic security screwups (free-for-all XSS and acting as an audio bug etc.)

I was only thinking of security audits of those two.

I have absolutely nothing against XMPP. We're working this week on turning Bifrost back on for XMPP<->Matrix bridging.

I am happy to hear that.

The enemy here is FB/Google/Discord/Slack etc - not XMPP!!!

You are correct and I am not taking my own words from https://github.com/privacytoolsIO/privacytools.io/issues/1377#issuecomment-540152967. While I have lost a lot of trust towards Matrix, it's not Discord (which is the instant messenger enemy that I cannot get to peace with (some may know of my Telegram cases)) and thus I am willing to come towards you and apologise for my behaviour.

...which was always on the todo-list to fix - since 2015, and has now been solved. It's not like we were doing this maliciously.

And now it's 2019, but you don't need to reply to this.

Yes, this needs to be fixed, but is it really a privacy disaster? Especially if the file is E2EE?

In the light of the enemy being Discord with their ToS and privacy policy, I guess it doesn't qualify as a disaster. I am not assured that your E2EE will be unbroken forever and thus I wish to have even the encrypted copies removed after a time.

That said, we're going to fix it anyway (just to stop having this conversation, if nothing else) - just as we're providing deletion APIs for attachments.

👍

@ara4n
Copy link

ara4n commented Oct 11, 2019

While I have lost a lot of trust towards Matrix, it's not Discord (which is the instant messenger enemy that I cannot get to peace with (some may know of my Telegram cases)) and thus I am willing to come towards you and apologise for my behaviour.

thank you - the apology is appreciated & accepted. i'm hoping it will become even clearer that Matrix is worthy of trust, even if the core development is still largely funded by one company (under the governance of the Foundation).

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

6 participants