RTC/Riot: warn about media and centralization on matrix.org? #1395

Closed
opened 2019-10-10 23:41:46 +00:00 by Mikaela · 30 comments
Mikaela commented 2019-10-10 23:41:46 +00:00 (Migrated from github.com)

Currently the warning links to https://github.com/vector-im/riot-web/issues/6779 on the E2EE being experimental.

I think there are other issues that should be mentioned together with it, mainly:

* https://github.com/matrix-org/synapse/issues/1263 - media never removed
* https://github.com/matrix-org/matrix.org/issues/586 - only matrix.org is named, and we should probably address it due to https://github.com/privacytoolsIO/privacytools.io/issues/987
* https://github.com/vector-im/riot-web/issues/4426 - EXIF metadata removal (in our previous tracker it was nice to have, but I think it deserves getting up as Discord, Signal and Wire have it)
* 20191011: https://github.com/vector-im/riot-web/issues/10696 - allow disabling integration manager entirely

The list is shorter than I thought while I was reading my complaints from #1389, I guess I am over-eager at judging what is a team chat application (with my rare use-case) and what a private chat.

This will likely be resolved by https://github.com/privacytoolsIO/privacytools.io/issues/1377#issuecomment-540152967. Maybe it should go directly to upstream privacy tracker? https://vector-im.github.io/feature-dashboard/#/plan?label=privacy-sprint&repo=vector-im/riot-web&repo=vector-im/riot-ios&repo=vector-im/riot-android&repo=vector-im/riotX-android&repo=matrix-org/matrix-doc&repo=matrix-org/sydent

> only matrix.org is named

Notably, other homeservers are somewhat prominently displayed in Riot (which is what we link to, not the two pages in that issue) during registration, at least in a way that makes it clear to the end-user that other homeservers are available IMO.

I don't think these issues warrant warning badges in the same fashion that other warning badges have been implemented, but I do think if we rework the instant messenger page entirely like in #1377 they should be mentioned 👍
Mikaela commented 2019-10-11 00:08:41 +00:00 (Migrated from github.com)

> Notably, other homeservers are somewhat prominently displayed in Riot

Where? I opened riot.im/app and wanted to register and I am offered only matrix.org for free, modular.im for a pay (both by New Vector) or if I am advanced, then I can enter something (what?) by myself.

![image](https://user-images.githubusercontent.com/831184/66615185-47b2b900-ebd4-11e9-9064-e52b827ff841.png)
dngray commented 2019-10-11 04:58:03 +00:00 (Migrated from github.com)

> Where? I opened riot.im/app and wanted to register and I am offered only matrix.org for free, modular.im for a pay (both by New Vector) or if I am advanced, then I can enter something (what?) by myself.

I would say the characterization of this #1395 is disingenuous:

Most email clients don't list every email server you could possibly use.

They have taken a pragmatic approach of suggesting "a server": matrix.org for people to use. You could also purchase a subscription to Modular if you want to use your own domain and cannot be bothered maintaining a server yourself.

This serves to do two things, generate some money for the project, (developers need to eat) and something as complex as Matrix requires full time development. Additionally it provides businesses who may not have their own IT staff a ready-to-go system they can use. Many small businesses rely on SaaS options to minimize costs.

I can see the reason why they may not want to endorse any particular server, that could be due to unknowns about the reliability of their hosting. There is the [Hello Matrix project](https://www.hello-matrix.net/public_servers.php) and there are a number of servers on there listed, perhaps we could make a suggestion the user selects one of those?

If I recall correctly XMPP did a similar thing to this with [jabber.org](https://en.wikipedia.org/wiki/Jabber.org).
dngray commented 2019-10-11 08:18:22 +00:00 (Migrated from github.com)

When making a suggestion of what server to use, this isn't a one size fits all;

We should educate the user to select a choice appropriate to their needs. A server locally close to their origin may provide better performance but may be less desirable if that country has poor privacy protections.

Mikaela commented 2019-10-11 11:51:46 +00:00 (Migrated from github.com)

> I can see the reason why they may not want to endorse any particular server, that could be due to unknowns about the reliability of their hosting. There is the Hello Matrix project and there are a number of servers on there listed, perhaps we could make a suggestion the user selects one of those?

Sure.

> If I recall correctly XMPP did a similar thing to this with jabber.org.

I am not aware of any client pointing to jabber.org though.
ilmaisin commented 2019-10-24 14:30:15 +00:00 (Migrated from github.com)

Can matrix/riot be even considered a privacy tool at all? They seem to promote decentralization, which is great too at least if done properly, but that's not really the same thing. I mean, not only they *still* haven't got e2ee by default, but until very recently they snooped a lot of data even when the user was using a third-party server.
Mikaela commented 2019-10-24 16:13:13 +00:00 (Migrated from github.com)

They have improved and will hopefully keep on improving and I guess they are important to list as an alternative to Discord.
dngray commented 2019-10-30 11:19:55 +00:00 (Migrated from github.com)

> There is the [Hello Matrix project](https://www.hello-matrix.net/public_servers.php) and there are a number of servers on there listed, perhaps we could make a suggestion the user selects one of those?

There is also this [public homeserver list](https://www.anchel.nl/matrix-publiclist/).
lrq3000 commented 2020-02-03 11:27:56 +00:00 (Migrated from github.com)

E2EE by default and cross-signing are being rolled out for 1on1 and private group chats: https://github.com/vector-im/riot-web/issues/6779#issuecomment-580001333

lrq3000 commented 2020-02-10 06:59:10 +00:00 (Migrated from github.com)

A few more recent security updates pertaining to Riot/Matrix, that you may already know here but I think it's good to write here for reference:

* Since September 2019, Riot allows changing or disabling [all servers](https://medium.com/@RiotChat/new-privacy-controls-for-riot-dc3661888563). Before, only the homeserver could be changed. Now, the identity server, integrations manager and STUN server (fallback for calls connection) can be changed to custom ones or even be disabled altogether (at the expense of losing the related functionalities, such as user discovery by email or phone number if identity server is disabled).
* Their encryption algos were [audited](https://itsfoss.com/riot-desktop/) by the [NCC Group Cryptography Services](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) and the end report was [publicly published](https://www.nccgroup.trust/us/our-research/matrix-olm-cryptographic-review/). Also this last link describes how pretty much everything can be (and will be soon by default) encrypted except multiparty voice calls.

Given these security improvements, and if the [currently rolling E2EE by default with cross-signing](https://github.com/vector-im/riot-web/issues/6779#issuecomment-580001333) goes well, I would suggest that Riot could be promoted as one of the main chat options on PTIO.

Indeed, compared to other great solutions like Signal, I would argue anonymity is a lot easier to achieve with Riot/Matrix: use E2EE by default to encrypt messages and voice calls, and access the web app [through Tor Browser](https://securechatguide.org/decentralizedapps.html#riot). Whereas for Signal, one needs to register on a smartphone first, and without a rooted phone, it's unclear [how Signal could be fully piped through Orbot and Orwall](https://www.reddit.com/r/TOR/comments/5i1u2n/anyone_got_problems_using_tor_and_signal/) (and anyway Signal could still gather lots of metadata about the phone if it becomes evil).

Now I'm not saying that Signal is evil, I don't think so, but that how Riot is designed right now allows the user to have more control on their own metadata and IP address (notably by passing through Tor Browser, which can be used since the very start of the registration process), whereas other solutions such as Signal often require some degree of trust to an authority. And it's not simply because Riot/Matrix is federated (although this forces the devs to decouple from a design point of view some things like servers which is a good thing), but also because it provides a web app that can be used through Tor Browser (which I think is better than if the desktop app would offer a Tor proxy option, because here you don't need to trust the app to redirect all events through Tor, which may not happen due to bugs, here Tor Browser kind of acts like a shield, so the app anyway doesn't have direct access to the user's system but only to the webbrowser infos, hence not only shielding IP address but also metadata).

Of course, webbrowser exploits and such are always a possibility (although the opensource nature of the Riot webapp should hopefully allow for quick fixes of any exploit), but from a design standpoint, I think it's a quite robustly secure and anonymous approach for an instant messenger.
dngray commented 2020-02-10 11:55:50 +00:00 (Migrated from github.com)

There were some [interesting lectures at FOSDEM 2020](https://matrix.org/blog/2020/02/03/matrix-at-fosdem-2020) this year:

- [Making and Breaking Matrix's E2E Encryption](https://fosdem.org/2020/schedule/event/matrix/)
- [The Path to Peer-to-Peer Matrix](https://fosdem.org/2020/schedule/event/dip_p2p_matrix/)
- [Crossing the Bifröst - Bridging All The Things with Matrix](https://fosdem.org/2020/schedule/event/matrix_bridge/)
Mikaela commented 2020-02-10 18:07:10 +00:00 (Migrated from github.com)

I think the three previous comments are offtopic here (and so is this response), but I am not certain where they belong as we cannot promote Riot above Signal as they are in two different categories, centralized and federated.

I guess Riot would be competitive with Signal if it supported self-destructing messages and didn't store media uploads forever.

If we did suggest Riot as an alternative to Signal, it wouldn't matter if everyone registered on Matrix.org as Signal is also a centralized service. As I still view everyone registering on Matrix.org as an undesired event, I view these two issues separately.
ilmaisin commented 2020-02-10 20:40:30 +00:00 (Migrated from github.com)

I wouldn't put the self-destructing message feature to a very high priority, since it is impossible to do well anyway. It's the same problem as with other types of DRM: the attacker and the intended recipient are the same.

Does Matrix encrypt those media uploads? If so, it probably isn't a very big issue. Of course, if "forever" is long enough, the encryption might become obsolete and vulnerable to attacks.

Mikaela commented 2020-02-10 21:46:49 +00:00 (Migrated from github.com)

> Does Matrix encrypt those media uploads? If so, it probably isn't a very big issue.

Depends on whether the room in question is encrypted.

> Of course, if "forever" is long enough, the encryption might become obsolete and vulnerable to attacks.

This is my concern and also that deleted uploads are not deleted in reality. https://github.com/matrix-org/synapse/issues/1263
dngray commented 2020-02-11 03:59:08 +00:00 (Migrated from github.com)

> I wouldn't put the self-destructing message feature to a very high priority, since it is impossible to do well anyway. It's the same problem as with other types of DRM: the attacker and the intended recipient are the same.

👍

I expect if this becomes a feature in Matrix we will disable it for the public chat room. Very annoying and pointless to delete comments posted publicly, it provides absolutely no privacy when it's been indexed, cached, locally logged and possibly screenshotted by other users.

It's highly irritating when people set exploding messages on Keybase as we don't check that as frequently as Matrix. All it does is destroy the flow of conversation.

Public is public, if you don't want it public don't say it in public, people need to not get caught up in "message destruction" features and remember that.

> Does Matrix encrypt those media uploads?

Yes, in encrypted rooms.

> If so, it probably isn't a very big issue. Of course, if "forever" is long enough, the encryption might become obsolete and vulnerable to attacks.

This rule applies to any kind of cryptography no matter where it is.

There's also nothing stopping people from pasting a link to a file on a server they do control, or that they can delete, e.g. how we did in the days of IRC.
Mikaela commented 2020-02-11 09:00:31 +00:00 (Migrated from github.com)

To clarify, I am missing self-destructing messages in private Matrix/Riot conversations, just like I have them in private Signal group/chats.

I am not personally using Signal for anything public and I don't view Signal suitable for public chats, as I am not willing to share my phone number and even more importantly it has no group moderation.

Also https://github.com/privacytoolsIO/privacytools.io/pull/1701 is the only answer I have to the offtopic conversation in this issue.

lrq3000 commented 2020-02-11 09:31:43 +00:00 (Migrated from github.com)

Yes and no, it's not really off topic, I'll clarify why tomorrow when I'll get access to a computer (but basically it's not centralized anymore on matrix.org because you can change or disable all servers, although messages are still indefinitely retained on the homeserver you chose, but there are discussions to change this, but the issue is that this would add more metadata on e2e encrypted messages, so they need to figure out an elegant solution)

On Tue, 11 Feb 2020 at 10:00, Mikaela Suomalainen <notifications@github.com> wrote:

> To clarify, I am missing self-destructing messages in private Matrix/Riot conversations, just like I have them in private Signal group/chats.
>
> I am not personally using Signal for anything public and I don't view Signal suitable for public chats, as I am not willing to share my phone number and even more importantly it has no group moderation.
>
> Also #1701 <https://github.com/privacytoolsIO/privacytools.io/pull/1701> is the only answer I have to the offtopic conversation in this issue.
Mikaela commented 2020-02-11 10:00:25 +00:00 (Migrated from github.com)

If I now installed Riot on a new device, would it tell me that other homeservers than Matrix.org exist or ask me which homeserver I want to use giving me choice of others than Matrix.org without deciding that I am an experienced/advanced user by entering a custom homeserver address?

lrq3000 commented 2020-02-11 10:09:19 +00:00 (Migrated from github.com)

You would have to manually enter a custom server (and this can also be done later on). This was covered by other answers above, it's not an illegitimate thing for them to do commercially wise (it's not like Wire who offered free accounts to then become paid only services).

The thing is that with Riot, you *can* choose what server will store your messages, and you can still have access to the whole federated network. Whereas with Signal and others, you can't. I didn't check if signal server is opensource, but even if it is and you self host it, then you can't access other users on the main Signal server. Whereas here you can.

That's not to say that Riot should not have warnings or instructions to properly configure it to make it more secure. But out of all currently available messengers, it has one of the most decentralized designs, so if a warning about centralization is added, pretty much all other messengers will have it (including p2p such as Jami, who uses several servers to offer several services).

On Tue, 11 Feb 2020 at 11:00, Mikaela Suomalainen <notifications@github.com> wrote:

> If I now installed Riot on a new device, would it tell me that other homeservers than Matrix.org exist or ask me which homeserver I want to use giving me choice of others than Matrix.org without deciding that I am an experienced/advanced user by entering a custom homeserver address?
lrq3000 commented 2020-02-15 20:37:07 +00:00 (Migrated from github.com)

@Mikaela To reply in more detail, in your opening post, point 4 vector-im/riot-web#10696 is now done (I checked in the app, the integration manager can be disabled).

For the rest, I won't repeat myself, but yeah I agree Riot could do better in terms of decentralization by linking to a list of instances, instead of just showing an option to enter a custom homeserver address. But still, the possibility exists, and is not that hard to do, and there are pros and cons to using a custom server anyway, so for the lambda user, what matters more is E2EE by default and expiring messages IMO.

E2EE by default is being deployed right now as I wrote above.

For messages expiration, I had to do a bit of research to track down the pertinent info, but it seems it's now implemented, both at the server level and room level, although not easily changeable (i.e., no button on the GUI in the room's options, you need to send a custom state event) because it's not yet part of the Matrix specification:

* https://github.com/matrix-org/synapse/pull/5815
* https://github.com/matrix-org/synapse/blob/master/docs/message_retention_policies.md

However, this is only true for **messages**, not for media, for which [an issue](https://github.com/matrix-org/synapse/issues/6832) was opened recently.

Also, about what you wrote in https://github.com/privacytoolsIO/privacytools.io/issues/1389#issuecomment-540826288:

> I am also confused on how file uploads sent in a direct chat can be posted elsewhere as easily as by copying the URL, which to me hints that they aren't actually private.

I remember reading a GitHub issue on the Riot or Matrix repo about this indeed, where the devs were aware that encrypted media could be accessed by anyone with the handle because the media were not attached to a particular room or permission, and they were thinking about how to elegantly fix this while minimizing the addition of metadata. But unfortunately I can't find the issue where I have read that, I will post it here if I ever stumble on it again.

Also, [URL previews](https://github.com/vector-im/riot-web/issues/10853) are a weak point that can be used to subvert E2EE, but they are disabled by default and when enabling in the options you get a warning.

----

TL;DR: I agree that messages and media retention should be mentioned in a warning. Centralization (or rather the proposition of matrix.org as the default homeserver) is not an issue that merits a warning I think, but it would be nice to add a sentence in the description to highlight that it is possible to use a custom server address (the best would be to link to a list of instances, such as [this one](https://the-federation.info/matrix%7Csynapse) or [this one](https://www.hello-matrix.net/public_servers.php)). I would also suggest warning about enabling URL previews as they can leak information/identity. It could be nice to mention it can work with Tor Browser.
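The room-level setting described in the comment above, as an added example that is not part of the thread or of Synapse's code: it builds the "custom state event" request, using the `m.room.retention` event type and the `max_lifetime`/`min_lifetime` millisecond fields from the Synapse retention documentation linked above. The homeserver URL, room ID, access token and the helper names `to_ms` and `build_retention_request` are assumptions made for illustration.

```python
import json
import urllib.parse
import urllib.request

# Milliseconds per unit; retention lifetimes are expressed in milliseconds.
_UNITS_MS = {"s": 1_000, "m": 60_000, "h": 3_600_000, "d": 86_400_000, "w": 604_800_000}


def to_ms(duration):
    """Convert a short duration such as '7d' or '12h' to milliseconds."""
    value, unit = duration[:-1], duration[-1:]
    if unit not in _UNITS_MS or not value.isdigit() or int(value) == 0:
        raise ValueError(f"unsupported duration: {duration!r}")
    return int(value) * _UNITS_MS[unit]


def build_retention_request(homeserver, room_id, access_token, max_lifetime, min_lifetime=None):
    """Build, without sending, the PUT that sets a room's m.room.retention state event."""
    content = {"max_lifetime": to_ms(max_lifetime)}
    if min_lifetime is not None:
        content["min_lifetime"] = to_ms(min_lifetime)
        if content["min_lifetime"] > content["max_lifetime"]:
            raise ValueError("min_lifetime must not exceed max_lifetime")
    # Room IDs contain '!' and ':', so percent-encode them in the URL path.
    path = "/_matrix/client/v3/rooms/{}/state/m.room.retention".format(
        urllib.parse.quote(room_id, safe="")
    )
    return urllib.request.Request(
        homeserver.rstrip("/") + path,
        data=json.dumps(content).encode(),
        method="PUT",
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"},
    )


if __name__ == "__main__":
    # Constructed placeholders: this homeserver, room ID and token are not real.
    req = build_retention_request(
        "https://matrix.example.org", "!room:example.org", "ACCESS_TOKEN_PLACEHOLDER", "7d"
    )
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    # urllib.request.urlopen(req) would send it to the homeserver.
```

The homeserver only acts on this event if message retention is enabled in its configuration, and, as the comment notes, it covers messages but not uploaded media.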
lrq3000 commented 2020-02-15 20:39:23 +00:00 (Migrated from github.com)

Ah well, they just added your issue on centralization on [this month's todo list](https://github.com/matrix-org/matrix.org/milestone/5) for their website changes.
lrq3000 commented 2020-02-15 20:41:24 +00:00 (Migrated from github.com)

Also pre-redacted messages are deleted after [7 days now](https://github.com/matrix-org/synapse/pull/5934) (I consider this linked with the messages retention issue).
lrq3000 commented 2020-02-15 20:54:12 +00:00 (Migrated from github.com)

Ephemeral/self-destructive messages are also supported (but not for media - media seem to be a weak point of Matrix/Riot currently): https://github.com/matrix-org/synapse/pull/6409

PS: @Mikaela:

> but I am not certain where they belong as we cannot promote Riot above Signal as they are in two different categories, centralized and federated.

My bad, I remembered Matrix being a mention instead of a featured suggestion, but I must have looked at an old version of the page. I am not suggesting that Matrix should be suggested above Signal, as you write, they are in different categories, and suit different needs, it's fine to me like that, but I agree the description should be updated according to the issues you raised.
Mikaela commented 2020-02-17 14:27:48 +00:00 (Migrated from github.com)

I wish this issue could focus on the actual issue which is the centralization, but

> I would also suggest warning about enabling URL previews as they can leak information/identity. It could be nice to mention it can work with Tor Browser.

no, the URL previews are generated on server-side by Synapse and if you look into logs of anything fetching a preview, you will see the homeserver address rather than Riot address so it doesn't matter. Or what information are you talking about?
lrq3000 commented 2020-02-17 14:41:14 +00:00 (Migrated from github.com)

> Or what information are you talking about?

[This](https://github.com/vector-im/riot-web/issues/10853#issuecomment-570953561)
Mikaela commented 2020-02-17 14:59:09 +00:00 (Migrated from github.com)

Would you mind opening a new issue about that?

5a384507-18ce-417c-bb55-d4dfcc8883fe commented 2020-02-17 17:38:03 +00:00 (Migrated from github.com)

Session warns you about the same when you try to enable it.

lrq3000 commented 2020-02-18 08:47:46 +00:00 (Migrated from github.com)

Riot also shows a warning now, so should we open an issue to mention this anyway or is it fine as long as the software warns about it itself?

blacklight447 commented 2020-03-02 11:17:57 +00:00 (Migrated from github.com)

I would vote that the new in software warning is good enough.

dngray commented 2020-05-11 12:50:20 +00:00 (Migrated from github.com)

I'm going to close this now that it has been added to the 2020-02 milestone https://github.com/matrix-org/matrix.org/issues/586 that's really the right place for it.

Reference: privacyguides/privacytools.io#1395