🆕 Software Suggestion | Matrix (Riot/Synapse) #1389
Reference: privacyguides/privacytools.io#1389
Basic Information
Name: Matrix (Riot)
Category: RTC > Team Chat Platforms
URL: https://about.riot.im/
Name: Matrix (Synapse)
Category: RTC > ?
URL: https://matrix.org/docs/guides/installing-synapse
I think we need to mention Synapse specifically and encourage self-hosting over using the matrix.org homeserver, or really any public homeserver whenever possible. I don't know if this should be mentioned in the Riot listing, or if we should have a separate category for RTC servers.
Description
Since Riot was last reviewed, they have added a number of privacy-centric improvements. This is not a complete list, but these are issues we previously defined as major blockers:
There are a few unfixed issues, but I don't know if they are blockers to recommendation or not, so that's what I want to discuss here.
Finally, there are a few more "major" concerns we've voiced that have not yet been fixed, but that I do not think are blockers at all.
https://github.com/vector-im/riot-web/issues/10167: Present an aggregated terms of service dialogue at registration if possible
Operators of custom Riot servers can specify ToS, Privacy Notices, etc. in config.json, no?
Riot X identity server is not configurable. https://github.com/vector-im/riotX-android/issues/20
For privacy reasons a hardcoded IS seems unacceptable, but is Riot X currently recommended for public use? I don't think we can judge the project based on an incomplete client.
All the other issues within https://github.com/privacytoolsIO/privacytools.io/issues/1049 are still important to monitor but I don't think the issues not mentioned above are blockers and are mostly small issues.
Anyhow, it seems clear to me that the Matrix team is at least committed to fixing their issues. For instant messengers I would still probably prefer Signal or Wire, but for a more public, large group chat use-case there do not appear to be any better alternatives to Matrix, especially from a privacy standpoint. This is why we still use it ourselves. It seems especially disingenuous to recommend XMPP over Matrix.
Also, I think that by advertising our group chat on Matrix without recommending Matrix itself we are both sending a mixed message and promoting centralization on our own server, by not demonstrating the alternatives (hosting it yourself).
I support this. It would make https://github.com/privacytoolsIO/privacytools.io/issues/1377 a lot simpler too.
Could not have put it better myself.
Several of the issues listed here as unfixed are actually fixed - i've gone through updating the bugs in question to try to make it clear, but specifically:
Thank you @ara4n, I've updated the issue.
Re 10167 I was confused, I actually wasn't aware consent tracking existed. Don't know how that slipped by me, but since that's the case I do agree the current implementation is probably better. Sorry about that!
I REALLY don't want to recommend matrix until e2ee is turned on by default for private chats.
If that's the case we should not recommend any XMPP clients as they do not have it on by default either; and likely never will do.
Perhaps a warning badge and a link to a step-by-step guide to enabling it in Riot would do? We know that E2EE is going to be on by default for 1:1 chats with Riot https://github.com/vector-im/riot-web/issues/6779 at some time in the future.
Conversations uses OMEMO by default for sure.
But does everyone use conversations on Android?
Do you know anyone who doesn't? I'm pretty sure it's the most popular XMPP client for Android and there are also a few forks like Quicksy, which also use OMEMO by default.
afaik that's a fork of Conversations that uses phone numbers as an identifier.
What about if you're not on Android.
ChatSecure (iOS) is using OMEMO too.
Does it support E2EE by default? I can't definitively find anywhere where it says it does, i would have thought that would have been worth mentioning on their blog https://chatsecure.org/blog/
Yes, I just checked it.
And what if you want to access in a web browser (public/friend's computer), a desktop or some other platform like maybe a Librem, the point is you're going to have to know where to click on all platforms (some you may not even know) when instructing friends to do things. When their client crashes, or has some issue, "works for me on my platform" isn't going to be an answer they will accept.
Nothing is perfect (no software is), but taking the pragmatic approach and suggesting something that is just going to annoy people is not really going to help privacytools.io; the likely result is that people will just stay with their offering from Facebook, Inc. or maybe consider Signal, though that requires a phone number (something plenty of people I know who are tech noobs are not happy to hand out).
What we really need to decide is, is it too difficult to show a user how to enable E2EE on a 1:1 conversation in Riot? - we can do that with pretty pictures. ie:
Should also be noted that once a user does that it cannot be disabled (something that might happen if you use an XMPP client that doesn't have OMEMO on by default). "Never send encrypted messages to unverified devices in this room from this device" seems pretty explanatory too.
I would also argue that emoji fingerprint verification is far less daunting than a huge alphanumeric fingerprint. (QR only really works if you are in the same room as the person you're trying to verify).
Thing is, end to end is the default on all other platforms we basically recommend. I wouldn't see why Riot deserves an exception here. Plus, they announced to make it default very soon, so it cannot hurt to wait for it a little longer.
Well, except for the current XMPP clients we recommend. Do we know if Monal supports E2EE by default? I don't think it uses E2EE for its jingle transport https://github.com/anurodhp/Monal/issues/10 https://github.com/anurodhp/Monal/issues/267
I am pretty sure Gajim doesn't.
Perhaps we should consider a warning badge?
The rocky road to OMEMO by default probably a bit outdated, but it does talk about this issue.
I guess we can always wait.
There is Rocket.chat also in Team Chat category which seems to have E2EE
with real Alpha quality (no support on Mobile app, no forward secrecy)
I tried Monal today, seems to send unencrypted messages and I have no
idea how to make OMEMO work there. I would replace it with ChatSecure.
What would you suggest for users of MacOS? iirc ChatSecure was iOS only.
Maybe @ara4n will be able to give us an estimated time until e2ee will be turned on by default for private chats?
Beagle IM (https://beagle.im/), looks nice and fully supports OMEMO.
Never used it myself, because I don't use macOS.
I don't think I would recommend anything which includes half-baked E2EE unencrypted channels (voice, video, file transfer; https://github.com/tigase/beagle-im/issues/1 https://github.com/tigase/beagle-im/issues/3). I would say this is far more dangerous than Riot which once E2EE is enabled, everything is encrypted. It's not the first time a vendor has claimed to be fully E2EE.
I would say at this point Riot's E2EE implementation is better than most, even though it is not enabled by default.
In one of our issues previously auditing has been mentioned. The reality is this isn't going to happen for the majority of XMPP clients.
I wish we could recommend a non-Synapse and non-Riot option also as currently there is only New Vector.
I have some more:
Not something I would like to see in our recommendation.
Is E2EEd media also media? What about when technology is powerful enough to break today's encryption?
Blocker: https://github.com/matrix-org/matrix.org/issues/586
https://github.com/privacytoolsIO/privacytools.io/issues/987
Will we have a warning about it not having been independently audited?
No, it's a build variant of Conversations.
How about we just wait for New Vector to enable it by default as they have said that they are going to do it? https://github.com/vector-im/riot-web/issues/6779
While assigning labels I noticed the Tor one and would like to ask @ara4n what is the status with https://github.com/vector-im/riot-meta/issues/287 and related issues and mark it as a blocker.
We are currently recommending Tor for anonymity instead of a VPN and you generally don't send all your traffic through Tor and instead Torify only specific applications, possibly even with SOCKS isolation and currently all Riots make that non-trivial.
Just for clarification my proposed solution at #1392 would only "recommend" Riot as a team chat platform, mainly for this reason.
And I wouldn't list Riot even as a team chat application until the communities are rewritten (and when https://github.com/matrix-org/matrix-doc/pull/2199 is fixed I think it may be listed also as a direct chat client). See also my other concerns above.
Edit: I think this is https://github.com/matrix-org/matrix-doc/issues/1513 (meta/tracker) + worked upon at https://github.com/matrix-org/matrix-doc/pull/1772.
I probably disagree that the "communities" feature is an integral part of either the "team chat" or the "Matrix" experience in general. They seem to be mostly useful as flairs designating certain memberships, somewhat akin to IRC vanity vhosts...
This thread makes my head hurt. It seems to be devolving into a weird list of personal gripes against Matrix, saying “we can’t possibly relist Riot until... ‘all phase 3 (ie nice-to-have) privacy bugs are closed’ or ‘it has native Tor support’ or ‘communities get rewritten’ or ‘because both it and Synapse are mainly written by the same team’ or ‘it doesn’t have latex support’ (or whatever the next complaint will be)”. This feels bizarre in the extreme, and honestly makes privacytools look bad. It feels like we are being judged by a totally different and arbitrary standard to the other tools, despite demonstrably prioritising privacy and freedom.
We hope to turn on E2E by default in the coming months - ideally by end of year. Possibly sooner, given pantalaimon and seshat are almost ready; it’s only the E2EE cross signing that remains because... we prioritised it behind addressing the privacy concerns which had been highlighted. It is genuinely hard to get it right, and we don’t want to force it on until it’s perfect otherwise it will just screw over all the users who are used to the existing behaviour. Meanwhile, just as XMPP doesn’t mandate E2EE, nor does Matrix.
At this point, we are going to keep plugging away improving Matrix, and hope that you consider it worth promoting at some point.
My understanding is that Matrix communities are best compared to Discord servers/guilds or IRC servers, and the flair is a side-effect.
Example
I am an operator on PirateIRC which is IRC network intended only for international Pirate Parties. IRC clients generally list all servers under specific servers and there are currently 115 channels that would appear under it, while anything joined on another server would appear under that server.
This is what I understand Discord to be replicating as if I joined a Discord server, I would see server/guild bubbles on the left and next to them the list of channels on that server (I would be autojoined to everything that I have permission to unlike at IRC).
I understand that Matrix is attempting to directly imitate Discord, so everything would not appear as belonging to a single IRC server, but belong to the related community/communities such as Pirate Parties or Pirate Party Finland.
Thinking while finishing this comment, IPFS could have been a better example, but I haven't followed them recently due to having been on an IRC break and trying to avoid IRC-bridged Matrix rooms.
I think you have a worse track record than many of the other tools, but I hope everything in real time communication is judged similarly.
It will probably warm you to hear that @JonahAragon has proposed delisting XMPP on our team chat and I expect him to be opening an issue soon.
My personal view on this is that you have a history of storing messages forever even when they have been removed by the user and you are currently storing media messages forever, while XMPP has (as far as I know of) always had expiry time for messages. I am also confused on how file uploads sent in a direct chat can be posted elsewhere as easily as by copying the URL, which to me hints that they aren't actually private.
@ara4n Uh, yeah, I agree 🤔 None of the issues anyone else has brought up outside the original post appear to have actual privacy implications to users.
@blacklight447-ptio Will it be the default for large group chats? E2EE is highly irrelevant for large groups which is primarily what Riot is being recommended here for, to be clear. It is not a recommended instant messenger for this reason but seeing as E2EE exists we can mention it.
I don't think so, https://github.com/vector-im/riot-web/issues/6779.
Speaking as objectively as possible: I think this is untrue. For instance, thinking about the tools which actually claim a security focus, Wire claimed their VoIP calls were E2EE when they simply weren't; Signal has had a series of basic security screwups (free-for-all XSS and acting as an audio bug etc.)
Whereas the worst complaint levelled against us seems to be that we set a default value for the phone book & integration manager for convenience (which we then went and fixed), and that configurable history retention and e2e-by-default hasn't been merged yet (despite clearly warning in the message composer that messages are unencrypted in non-E2E rooms). It feels like folks have been dazzled by the sheer number of words put out by the libremonde 'research'.
I have absolutely nothing against XMPP. We're working this week on turning Bifrost back on for XMPP<->Matrix bridging, and I really appreciated the XSF team reaching out to say congrats on our funding announcement today. The enemy here is FB/Google/Discord/Slack etc - not XMPP!!!
...which was always on the todo-list to fix - since 2015, and has now been solved. It's not like we were doing this maliciously.
Yes, this needs to be fixed, but is it really a privacy disaster? Especially if the file is E2EE?
The filenames are random. All you're doing is swapping a random access_token for a random file name. It would take longer than the heat death of the universe to guess one of the filenames. So the fact that you can copy the URLs between rooms is not a massive vulnerability. That said, we're going to fix it anyway (just to stop having this conversation, if nothing else) - just as we're providing deletion APIs for attachments.
E2EE will be turned on by default for rooms created as private chats - either DMs or private group chats.
I was only thinking of security audits of those two.
I am happy to hear that.
You are correct and I am not taking my own words from https://github.com/privacytoolsIO/privacytools.io/issues/1377#issuecomment-540152967. While I have lost a lot of trust towards Matrix, it's not Discord (which is the instant messenger enemy that I cannot get to peace with (some may know of my Telegram cases)) and thus I am willing to come towards you and apologise for my behaviour.
And now it's 2019, but you don't need to reply to this.
In the light of the enemy being Discord with their ToS and privacy policy, I guess it doesn't qualify as a disaster. I am not assured that your E2EE will be unbroken forever and thus I wish to have even the encrypted copies removed after a time.
👍
thank you - the apology is appreciated & accepted. i'm hoping it will become even clearer that Matrix is worthy of trust, even if the core development is still largely funded by one company (under the governance of the Foundation).