Add Riot Chat Client #613

I think Riot should have experimental label like Brave, because it warns about E2EE being experimental and https://github.com/matrix-org/synapse/issues/1287 .

ghost commented

2018-12-22 19:05:26 +00:00

(Migrated from github.com)

https://github.com/privacytoolsIO/privacytools.io/blob/master/index.html#L1280

Add this warning to the link to Wire in the worth mentioning section.

And I'll resolve the conflicts.

https://github.com/privacytoolsIO/privacytools.io/blob/master/index.html#L1280 Add this warning to the link to Wire in the worth mentioning section. And I'll resolve the conflicts.

ghost commented

2018-12-22 19:08:23 +00:00

(Migrated from github.com)

Make the warning similar to uTox's warning, but with a tooltip. Here's some sample code you can use for that:

<span class="badge badge-warning" data-toggle="tooltip" title="Brave is a good choice if you want to use a Chromium-based browser. But at this point in Brave's development&comma; it's not as good as Firefox with privacy addons.">experimental <i class="far fa-question-circle"></i>

Make the warning similar to uTox's warning, but with a tooltip. Here's some sample code you can use for that: ```html <span class="badge badge-warning" data-toggle="tooltip" title="Brave is a good choice if you want to use a Chromium-based browser. But at this point in Brave's development, it's not as good as Firefox with privacy addons.">experimental <i class="far fa-question-circle"></i> ```

ghost commented

2018-12-22 19:25:56 +00:00

(Migrated from github.com)

![screenshot from 2018-12-22 20-23-58](https://user-images.githubusercontent.com/4354706/50377957-c6c80800-0627-11e9-8145-0daa585b1dda.png)

👍 1

jonah approved these changes 2018-12-22 19:26:04 +00:00

Mikaela commented

2018-12-22 19:37:17 +00:00

(Migrated from github.com)

Did you see my comment above requesting the experimental/warning label to Riot?

ghost commented

2018-12-22 19:39:46 +00:00

(Migrated from github.com)

Sorry, didn't notice it when I was fixing the conflicts. I'll take a look at the issue you sent.

👍 1

Kcchouette commented

2018-12-22 19:45:52 +00:00

(Migrated from github.com)

Can you remove the "successor of XMPP' part too please @Shifterovich @asddsaz

👍 1

Vincevrp (Migrated from github.com) approved these changes 2018-12-22 19:49:10 +00:00

ghost commented

2018-12-22 19:51:13 +00:00

(Migrated from github.com)

Right, we should remove that and think of a longer description.

jonah requested changes 2018-12-22 19:51:24 +00:00

jonah left a comment

Change the description.

ghost commented

2018-12-22 19:54:49 +00:00

(Migrated from github.com)

@Mikaela Also the E2EE isn't enabled by default, right?

Kcchouette commented

2018-12-22 19:59:32 +00:00

(Migrated from github.com)

An example of description: "Riot.im is a client based on Matrix, a recent open protocol for real-time communication. A distributed chat client that offers E2E Encryption. It can bridge other communications via others protocols such as IRC too."

Mikaela commented

2018-12-22 20:02:44 +00:00

(Migrated from github.com)

@Mikaela Also the E2EE isn't enabled by default, right?

That is the case, it's opt-in and only very few clients support it, mainly Riot. They say that there is no point in E2EEing public rooms, which I agree, and it would also prevent the bridges from working.

Can you remove the "successor of XMPP' part too please

In case this wasn't changed yet, I don't think anyone working with IRC(v3?) has called them as successor of IRC either.

> @Mikaela Also the E2EE isn't enabled by default, right? That is the case, it's opt-in and only very few clients support it, mainly Riot. They say that there is no point in E2EEing public rooms, which I agree, and it would also prevent the bridges from working. > Can you remove the "successor of XMPP' part too please In case this wasn't changed yet, I don't think anyone working with IRC(v3?) has called them as successor of IRC either.

Mikaela commented

2018-12-22 20:05:48 +00:00

(Migrated from github.com)

Two other issues with Matrix or Riot coming to my mind:

everyone can see your Matrix ID, I don't know if that is a major issue though, but Disroot.org cites it as one reason for not liking them.
you cannot set the public device name before you login, so if your device is "John Doe's iPhone" (or ONEPLUS A3003), everyone can see that in your profile until you change it. Some other clients than Riot ask how to name the device.

Two other issues with Matrix or Riot coming to my mind: * everyone can see your Matrix ID, I don't know if that is a major issue though, but [Disroot.org cites it as one reason for not liking them.](https://disroot.org/en/blog/matrix-closure) * you cannot set the public device name before you login, so if your device is "John Doe's iPhone" (or ONEPLUS A3003), everyone can see that in your profile until you change it. Some other clients than Riot ask how to name the device.

ghost commented

2018-12-22 20:10:56 +00:00

(Migrated from github.com)

Now I'm thinking that if the E2EE is experimental, what's the basis for recommending Matrix?

😆 1

Mikaela commented

2018-12-22 21:08:54 +00:00

(Migrated from github.com)

In case anyone wishes, here are some sources on the experimentality:

All files and data transferred over Riot can be encrypted end-to-end (currently in beta), meaning no one can eavesdrop on conversations, including the service provider.
- emphasis mine, from http://about.riot.im/what-is-riot/#item8
As of May 2017 Riot’s end-to-end encryption is technically in beta, but this is due to some residual stability bugs and missing usability features. Once these are resolved we plan to get the full implementation security assessed and out of beta. End-to-end encryption will then be turned on by default for private conversations.
- emphasis mine, from http://about.riot.im/security/

The strings from Android, I imagine iOS has similar (I don't think I need to dig them?):

In case anyone wishes, here are some sources on the experimentality: * > All files and data transferred over Riot can be encrypted end-to-end *(currently in beta)*, meaning no one can eavesdrop on conversations, including the service provider. * emphasis mine, from http://about.riot.im/what-is-riot/#item8 * > As of May 2017 *Riot’s end-to-end encryption is technically in beta*, but this is due to some residual stability bugs and missing usability features. Once these are resolved we plan to get the full implementation security assessed and out of beta. End-to-end encryption will then be turned on by default for private conversations. * emphasis mine, from http://about.riot.im/security/ The strings from Android, I imagine iOS has similar (I don't think I need to dig them?): * https://github.com/vector-im/riot-android/blob/cd0612cd1557b6d6f077dc9fbee18184aa536975/vector/src/main/res/values/strings.xml#L383 * https://github.com/vector-im/riot-android/blob/cd0612cd1557b6d6f077dc9fbee18184aa536975/vector/src/main/res/values/strings.xml#L888

ghost commented

2018-12-22 21:18:11 +00:00

(Migrated from github.com)

From the first string file:

You should not yet trust it to secure data.

I think this necessarily implies "You should not yet recommend it anyone to trust it to secure data."

Maybe we should add a labels='warning:beta:The software is currently in beta and the website states "End-to-end encryption is in beta and may not be reliable. You should not yet trust it to secure data."'

From the first string file: > You should not yet trust it to secure data. I think this necessarily implies "You should not yet recommend it anyone to trust it to secure data." Maybe we should add a `labels='warning:beta:The software is currently in beta and the website states "End-to-end encryption is in beta and may not be reliable. You should not yet trust it to secure data."'`

👍 1

Mikaela commented

2018-12-22 21:33:01 +00:00

(Migrated from github.com)

Maybe we should add a labels='warning:beta:The software is currently in beta and the website states "End-to-end encryption is in beta and may not be reliable. You should not yet trust it to secure data."'

I agree otherwise, but as the string is from Android client and not findable from the website I would say:

labels='warning:beta:The software is currently in beta and the mobile client states "End-to-end encryption is in beta and may not be reliable. You should not yet trust it to secure data."'

I only changed website to mobile client from your suggestion and I ended up digging for the iOS strings just in case it would disagree, but there is at least one of the same:

"room_warning_about_encryption" = "End-to-end encryption is in beta and may not be reliable.\n\nYou should not yet trust it to secure data.\n\nDevices will not yet be able to decrypt history from before they joined the room.\n\nEncrypted messages will not be visible on clients that do not yet implement encryption.";
167bf8c124/Riot/Assets/en.lproj/Vector.strings (L274)

> Maybe we should add a `labels='warning:beta:The software is currently in beta and the website states "End-to-end encryption is in beta and may not be reliable. You should not yet trust it to secure data."'` I agree otherwise, but as the string is from Android client and not findable from the website I would say: ``labels='warning:beta:The software is currently in beta and the mobile client states "End-to-end encryption is in beta and may not be reliable. You should not yet trust it to secure data."'`` I only changed *website* to *mobile client* from your suggestion and I ended up digging for the iOS strings just in case it would disagree, but there is at least one of the same: * > `"room_warning_about_encryption" = "End-to-end encryption is in beta and may not be reliable.\n\nYou should not yet trust it to secure data.\n\nDevices will not yet be able to decrypt history from before they joined the room.\n\nEncrypted messages will not be visible on clients that do not yet implement encryption.";` * https://github.com/vector-im/riot-ios/blob/167bf8c12495f73f4ad636f3840af70589cb7adb/Riot/Assets/en.lproj/Vector.strings#L274

Kcchouette commented

2018-12-22 22:06:18 +00:00

(Migrated from github.com)

You can add too that it's not e2e by default

asddsaz commented

2018-12-23 02:37:05 +00:00

(Migrated from github.com)

Right, we should remove that and think of a longer description.

Done, I also added an experimental flag.

Now I'm thinking that if the E2EE is experimental, what's the basis for recommending Matrix?

For the time being Riot is really good for create chatrooms. Similar to Discord or Slack.
I am unaware that you can do this in any of the alternatives listed.

@Shifterovich

> Right, we should remove that and think of a longer description. Done, I also added an experimental flag. > Now I'm thinking that if the E2EE is experimental, what's the basis for recommending Matrix? For the time being Riot is really good for create chatrooms. Similar to Discord or Slack. I am unaware that you can do this in any of the alternatives listed. @Shifterovich

ghost commented

2018-12-23 09:51:29 +00:00

(Migrated from github.com)

Look at Brave in the source code, you can add the label using the code @Mikaela used in her comment.

ghost commented

2018-12-23 09:52:02 +00:00

(Migrated from github.com)

Not sure about chatrooms but Signal can do group chats.

johnstonesnow commented

2019-06-09 15:56:34 +00:00

(Migrated from github.com)

I just posted on a thread before realising it was merged with this one and closed. I will post my message here in case Infosec is reading:

"Infosec-Handbook said: "Signal requires an arbitrary phone number which you must control during the registration process. However, you don't have to use your own private cellphone number. You can use the Tor Browser to get a disposable phone number for registration, set a PIN and never need access to the phone number during normal operation."

Sorry for chipping into an old thread, but I am currently torn between Wire and Signal. Two things put me off SIgnal:

Phone number needed (I read that you have to have permanent access to the number to keep Signal Desktop working (I only use desktop).
Based in US

If I could remove downside "1", I might see SIgnal as a better option than Wire. Can you confirm if this is still true, that you don't need to use a permanently accessible phone number? If so, do you have a guide or link on how to sign up for Signal without using my own phone number?

Thanks for any help, oh and PS - Now it's 2019, if you have any other recommendations please say. I tried Tox chat and it's private, but buggy as hell and I can't get people to use it. Signal and Wire are possibles because they have decent features, run properly, and I can get people to use them. But which one? :)"

I just posted on a thread before realising it was merged with this one and closed. I will post my message here in case Infosec is reading: "Infosec-Handbook said: "Signal requires an arbitrary phone number which you must control during the registration process. However, you don't have to use your own private cellphone number. You can use the Tor Browser to get a disposable phone number for registration, set a PIN and never need access to the phone number during normal operation." Sorry for chipping into an old thread, but I am currently torn between Wire and Signal. Two things put me off SIgnal: 1. Phone number needed (I read that you have to have permanent access to the number to keep Signal Desktop working (I only use desktop). 2. Based in US If I could remove downside "1", I might see SIgnal as a better option than Wire. Can you confirm if this is still true, that you don't need to use a permanently accessible phone number? If so, do you have a guide or link on how to sign up for Signal without using my own phone number? Thanks for any help, oh and PS - Now it's 2019, if you have any other recommendations please say. I tried Tox chat and it's private, but buggy as hell and I can't get people to use it. Signal and Wire are possibles because they have decent features, run properly, and I can get people to use them. But which one? :)"

This repo is archived. You cannot comment on pull requests.

No reviewers

Vincevrp