🆕 Software Suggestion | Matrix (Riot/Synapse)

[jonaharagon]

Basic Information

Name: Matrix (Riot)
Category: RTC > Team Chat Platforms
URL: https://about.riot.im/

Name: Matrix (Synapse)
Category: RTC > ?
URL: https://matrix.org/docs/guides/installing-synapse
I think we need to mention Synapse specifically and encourage self-hosting over using the matrix.org homeserver, or really any public homeserver whenever possible. I don't know if this should be mentioned in the Riot listing, or if we should have a separate category for RTC servers.

Description

Since Riot was last reviewed, they have added a number of privacy-centric improvements. This is not a complete list, but these are issues we previously defined as major blockers:

• Redacted messages are now removed from the database. We need to actually censor redactions from the DB (SYN-284) matrix-org/synapse#1287
• Integration managers can now be easily controlled by the user. Store Integration Manager preferences in account data and allow user to change them somewhere sensible element-hq/element-web#10161
• The identity server now appears to be stored in account data, and more importantly can now be modified or removed in user settings. Store identity server in Account Data and support choosing identity server integration in User Settings element-hq/element-web#10094

There are a few unfixed issues, but I don't know if they are blockers to recommendation or not, so that's what I want to discuss here.

• Matrix seems to store a lot of unnecessary metadata redacted matrix-org/synapse#4565
  • Edit: The majority of this issue appears to be addressed: redacted matrix-org/synapse#4565 (comment)
• Homeserver data does not expire https://github.com/matrix-org/matrix-doc/issues/447
  • Edit: A fix for this issue has been designed and will soon be implemented: https://github.com/matrix-org/matrix-doc/issues/447#issuecomment-540321546
  • Seeing as redactions are evidently erased I don't think this is a huge issue. This is a problem for HS admins who may not want to maintain data infinitely but it doesn't seem like a privacy problem to me. Even if this was implemented it would be up to the HS admins, and one HS could choose to store data infinitely anyways (i.e. users should not assume their data will ever be erased even after implementation),
• Media is never redacted When we redact events, any mxc content they refer to should be redacted too (SYN-216) matrix-org/synapse#1263
• Private contact discovery is not implemented Feature: Private Contact Discovery (discovery without servers learning your contacts list) element-hq/element-web#7649
  • We have this listed as a blocker in #1049 but I don't see this as a major issue. This would be more of a useful feature. The privacy concern here is with using an IS, but that can now be easily disabled, correct?
  • Edit: The functionality as described in this issue doesn't sound like it will be implemented, but it appears that a more privacy-friendly contact discovery method than the old method has been implemented: Feature: Private Contact Discovery (discovery without servers learning your contacts list) element-hq/element-web#7649 (comment)

Finally, there are a few more "major" concerns we've voiced that have not yet been fixed, but that I do not think are blockers at all.

• Matrix.org uses Cloudflare
  • Services using Cloudflare has historically not been a blocker for recommendation. I personally don't see it as a "major" issue at all.
  • End-to-End Encrypted chats are not really affected by this, and should be used whenever sensitive messages are being communicated.
  • Finally, during this re-listing we definitely want to discourage the use of matrix.org anyways to promote decentralization.
• Present an aggregated terms of service dialogue at registration if possible element-hq/element-web#10167: Present an aggregated terms of service dialogue at registration if possible
  • Operators of custom Riot servers can specify ToS, Privacy Notices, etc. in config.json, no?
  • The functionality I wanted does exist, whoops!
• Riot X identity server is not configurable. Login/register: allow to set home server and identity server urls element-hq/element-android#20
  • For privacy reasons a hardcoded IS seems unacceptable, but is Riot X currently recommended for public use? I don't think we can judge the project based on an incomplete client.
  • In addition to being in beta, identity server functionality is not implemented at all.

All the other issues within https://github.com/privacytoolsIO/privacytools.io/issues/1049 are still important to monitor but I don't think the issues not mentioned above are blockers and are mostly small issues.

Anyhow, it seems clear to me that the Matrix team is at least committed to fixing their issues. For instant messengers I would still probably prefer Signal or Wire, but for a more public, large group chat use-case there does not appear to be any better alternatives to Matrix, especially from a privacy standpoint. This is why we still use it ourselves. It seems especially disingenuous to recommend XMPP over Matrix.

Also, I think that by advertising our group chat on Matrix without recommending Matrix itself we are both sending a mixed message and promoting centralization on our own server, by not demonstrating the alternatives (hosting it yourself).

[dngray]

I support this. It would make https://github.com/privacytoolsIO/privacytools.io/issues/1377 a lot simpler too.

All the other issues within #1049 are still important to monitor but I don't think the issues not mentioned above are blockers and are mostly small issues.

Anyhow, it seems clear to me that the Matrix team is at least committed to fixing their issues. For instant messengers I would still probably prefer Signal or Wire, but for a more public, large group chat use-case there does not appear to be any better alternatives to Matrix, especially from a privacy standpoint. This is why we still use it ourselves. It seems especially disingenuous to recommend XMPP over Matrix.

Also, I think that by advertising our group chat on Matrix without recommending Matrix itself we are both sending a mixed message and promoting centralization on our own server, by not demonstrating the alternatives (hosting it yourself).

Could not have put it better myself.

[ara4n]

Several of the issues listed here as unfixed are actually fixed - i've gone through updating the bugs in question to try to make it clear, but specifically:

• almost all of redacted matrix-org/synapse#4565 is addressed
• https://github.com/matrix-org/matrix-doc/issues/447 is designed & implemented (but being tested on the French matrix deployment before being merged into mainline)
• Feature: Private Contact Discovery (discovery without servers learning your contacts list) element-hq/element-web#7649 was implemented (i've closed the bug)
• Present an aggregated terms of service dialogue at registration if possible element-hq/element-web#10167 is just UX eye-candy; having the option to present the policies at registration rather than incrementally as the user stumbles across the services in question. I'm not convinced we should do it at all, given it makes the user less likely to read the policies and understand what they relate to.
• Login/register: allow to set home server and identity server urls element-hq/element-android#20 is a non-issue; the only reason that RiotX doesn't expose a configurable identity server URL is because it hasn't implemented any identity service functionality yet(!).

[jonaharagon]

Thank you @ara4n, I've updated the issue.

Re 10167 I was confused, I actually wasn't aware consent tracking existed. Don't know how that slipped by me, but since that's the case I do agree the current implementation is probably better. Sorry about that!

[blacklight447]

I REALLY don't want to recommend matrix until e2ee is turned on by default for private chats.

[dngray]

I REALLY don't want to recommend matrix until e2ee is turned on by default for private chats.

If that's the case we should not recommend any XMPP clients as they do not have it on by default either; and likely never will do.

Perhaps a warning badge and a link to step-by-step guide in enabling it in Riot would do? We know that E2EE is going to be on by default for 1:1 chats with Riot element-hq/element-web#6779 at some time in the future.

[blacklight447]

Thing is, end to end is the default on all other platforms we basically recommend. I wouldn't see why riot deserve an exception here. Plus, they announced to make it default very soon, so it cannot hurt to wait for it a little longer.

[dngray]

Thing is, end to end is the default on all other platforms we basically recommend.

Well except for the current XMPP clients, we recommend. Do we know if Monal supports E2EE by default? I don't think it uses E2EE for it's jingle transport https://github.com/anurodhp/Monal/issues/10 https://github.com/anurodhp/Monal/issues/267

I am pretty sure Gajim doesn't.

Perhaps we should consider a warning badge?

The rocky road to OMEMO by default probably a bit outdated, but it does talk about this issue.

I wouldn't see why riot deserve an exception here. Plus, they announced to make it default very soon, so it cannot hurt to wait for it a little longer.

I guess we can always wait.

[dawidpotocki]

Thing is, end to end is the default on all other platforms we basically recommend. I wouldn't see why riot deserve an exception here. Plus, they announced to make it default very soon, so it cannot hurt to wait for it a little longer.

There is Rocket.chat also in Team Chat category which seems to have E2EE with real Alpha quality (no support on Mobile app, no forward secrecy)

[blacklight447]

Maybe @ara4n will be able to give us an estimated time until e2ee will be turned on by default for private chats?

[Mikaela]

I think we need to mention Synapse specifically and encourage self-hosting over using the matrix.org homeserver, or really any public homeserver whenever possible. I don't know if this should be mentioned in the Riot listing, or if we should have a separate category for RTC servers.

I wish we could recommend a non-Synapse and non-Riot option also as currently there is only New Vector.

There are a few unfixed issues,

I have some more:

• Communities are centralized on a single server and often broken flashing the screen too fast for clicking join or not loading at all. There is also no way to grant other users permissions in a community, so they also get centralized on a single user. They are also Riot-only as far as I am aware. I am told that communities are being rewritten, so maybe it should be a blocker before calling Riot a team chat application.
• The direct chats system is weird and from what I understand getting more sense in MSC2199: Canonical DMs matrix-org/matrix-spec-proposals#2199 so I would also be waiting for it.
• There is no indepedent security audit (other than the OLM one and E2EE is again not enabled by default).

Media is never redacted matrix-org/synapse#1263

Not something I would like to see in our recommendation.

End-to-End Encrypted chats are not really affected by this, and should be used whenever sensitive messages are being communicated.

Is E2EEd media also media? What about when technology is powerful enough to break todays encryption?

Finally, during this re-listing we definitely want to discourage the use of matrix.org anyways to promote decentralization.

Blocker: matrix-org/matrix.org#586

Also, I think that by advertising our group chat on Matrix without recommending Matrix itself we are both sending a mixed message and promoting centralization on our own server, by not demonstrating the alternatives (hosting it yourself).

https://github.com/privacytoolsIO/privacytools.io/issues/987

Perhaps a warning badge

Will we have a warning about it not having been indepedently audited?

afaik that's fork of Conversations that uses phone numbers as an identifier.

No, it's a build variant of Conversations.

What we really need to decide is, is it too difficult to show a user how to enable E2EE on a 1:1 conversation in Riot? - we can do that with pretty pictures. ie:

How about we just wait for New Vector to enable it default as they have said that they are going to do it? element-hq/element-web#6779

[Mikaela]

While assigning labels I noticed the Tor one and would like to ask @ara4n what is the status with element-hq/riot-meta#287 and related issues and mark it as a blocker.

We are currently recommending Tor for anonymity instead of a VPN and you generally don't send all your traffic through Tor and instead Torify only specific applications, possibly even with SOCKS isolation and currently all Riots make that non-trivial.

[jonaharagon]

I REALLY don't want to recommend matrix until e2ee is turned on by default for private chats.

Just for clarification my proposed solution at #1392 would only "recommend" Riot as a team chat platform, mainly for this reason.

[Mikaela]

And I wouldn't list Riot even as a team chat application until the communities are rewritten (and when matrix-org/matrix-spec-proposals#2199 is fixed I think it may be listed also as a direct chat client). See also my other concerns above.

Edit: I think this is matrix-org/matrix-spec-proposals#1513 (meta/tracker) + worked upon at matrix-org/matrix-spec-proposals#1772.

[jonaharagon]

I probably disagree that the "communities" feature are an integral part to either the "team chat" or the "Matrix" experience in general. They seem to be mostly useful as flairs designating certain memberships, somewhat akin to IRC vanity vhosts...

[ara4n]

This thread makes my head hurt. It seems to be devolving into a weird list of personal gripes against Matrix, saying “we can’t possibly relist Riot until... ‘all phase 3 (ie nice-to-have) privacy bugs are closed’ or ‘it has native Tor support’ or ‘communities get rewritten’ or ‘because both it and Synapse are mainly written by the same team’ or ‘it doesn’t have latex support’ (or whatever the next complaint will be)”. This feels bizarre in the extreme, and honestly makes privacytools look bad. It feels like we are being judged by a totally different and arbitrary standard to the other tools, despite demonstrably prioritising privacy and freedom.

We hope to turn on E2E by default in the coming months - ideally by end of year. Possibly sooner, given pantalaimon and seshat are almost ready; it’s only the E2EE cross signing that remains because... we prioritised it behind addressing the privacy concerns which had been highlighted. It is genuinely hard to get it right, and we don’t want to force it on until it’s perfect otherwise it will just screw over all the users who are used to the existing behaviour. Meanwhile, just as XMPP doesn’t mandate E2EE, nor does Matrix.

At this point, we are going to keep plugging away improving Matrix, and hope that you consider it worth promoting at some point.

[Mikaela]

My understanding is that Matrix communities are best compared to Discord servers/guilds or IRC servers, and the flair is a side-effect.

Example

I am an operator on PirateIRC which is IRC network intended only for international Pirate Parties. IRC clients generally list all servers under specific servers and there are currently 115 channels that would appear under it, while anything joined on another server would appear under that server.

This is what I understand Discord to be replicating as if I joined a Discord server, I would see server/guild bubbles on the left and next to them the list of channels on that server (I would be autojoined to everything that I have permission to unlike at IRC).

I understand that Matrix is attempting to directly imitate Discord, so everything would not appear as belonging to a single IRC server, but belong to the releated community/communities such as Pirate Parties or Pirate Party Finland.

Thinking while finishing this comment, IPFS could have been a better example, but I haven't followed them recently due to having been on a IRC break and trying to avoid IRC-bridged Matrix rooms.

[Mikaela]

It feels like we are being judged by a totally different and arbitrary standard to the other tools, despite demonstrably prioritising privacy and freedom.

I think you have a worse track record than many of the other tools, but I hope everything in real time communication is judged similarly.

Meanwhile, just as XMPP doesn’t mandate E2EE, nor does Matrix.

It will probably warm you to hear that @jonaharagon has proposed delisting XMPP on our team chat and I expect him to be opening an issue soon.

My personal view on this is that you have history of storing messages forever even when they have been removed by the user and you are currently storing media messages forever, while XMPP has (as far as I know of) always had expiry time for messages. I am also confused on how file uploads sent in a direct chat can be posted elsewhere as easily as by copying the URL, which to me hints that they aren't actually private.

[jonaharagon]

This feels bizarre in the extreme, and honestly makes privacytools look bad. It feels like we are being judged by a totally different and arbitrary standard to the other tools, despite demonstrably prioritising privacy and freedom.

@ara4n Uh, yeah, I agree 🤔 None of the issues anyone else has brought up outside the original post appear to have actual privacy implications to users.

[jonaharagon]

Plus, they announced to make it default very soon, so it cannot hurt to wait for it a little longer.

@blacklight447-ptio Will it be the default for large group chats? E2EE is highly irrelevant for large groups which is primarily what Riot is being recommended here for, to be clear. It is not a recommended instant messenger for this reason but seeing as E2EE exists we can mention it.

[Mikaela]

Will it be the default for large group chats?

I don't think so, element-hq/element-web#6779.

[ara4n]

I think you have a worse track record than many of the other tools

Speaking as objectively as possible: I think this is untrue. For instance, thinking about the tools which actually claim a security focus, Wire claimed their VoIP calls were E2EE when they simply weren't; Signal has had a series of basic security screwups (free-for-all XSS and acting as an audio bug etc.)

Whereas the worst complaint levelled against us seems to be that we set a default value for the phone book & integration manager for convenience (which we then went and fixed), and that configurable history retention and e2e-by-default hasn't been merged yet (despite clearly warning in the message composer that messages are unencrypted in non-E2E rooms). It feels like folks have been dazzled by the sheer number of words put out by the libremonde 'research'.

It will probably warm you to hear that @jonaharagon has proposed delisting XMPP

I have absolutely nothing against XMPP. We're working this week on turning Bifrost back on for XMPP<->Matrix bridging, and I really appreciated the XSF team reaching out to say congrats on our funding announcement today. The enemy here is FB/Google/Discord/Slack etc - not XMPP!!!

My personal view on this is that you have history of storing messages forever even when they have been removed by the user

...which was always on the todo-list to fix - since 2015, and has now been solved. It's not like we were doing this maliciously.

and you are currently storing media messages forever

Yes, this needs to be fixed, but is it really a privacy disaster? Especially if the file is E2EE?

I am also confused on how file uploads sent in a direct chat can be posted elsewhere as easily as by copying the URL, which to me hints that they aren't actually private.

The filenames are random. All you're doing is swapping a random access_token for a random file name. It would take longer than the heat death of the universe to guess one of the filenames. So the fact that you can copy the URLs between rooms is not a massive vulnerability. That said, we're going to fix it anyway (just to stop having this conversation, if nothing else) - just as we're providing deletion APIs for attachments.

Will it (E2EE) be the default for large group chats?

E2EE will be turned on by default for rooms created as private chats - either DMs or private group chats.

[Mikaela]

For instance, thinking about the tools which actually claim a security focus, Wire claimed their VoIP calls were E2EE when they simply weren't; Signal has had a series of basic security screwups (free-for-all XSS and acting as an audio bug etc.)

I was only thinking of security audits of those two.

I have absolutely nothing against XMPP. We're working this week on turning Bifrost back on for XMPP<->Matrix bridging.

I am happy to hear that.

The enemy here is FB/Google/Discord/Slack etc - not XMPP!!!

You are correct and I am not taking my own words from https://github.com/privacytoolsIO/privacytools.io/issues/1377#issuecomment-540152967. While I have lost a lot of trust towards Matrix, it's not Discord (which is the instant messenger enemy that I cannot get to peace with (some may know of my Telegram cases)) and thus I am willing to come towards you and apologise for my behaviour.

...which was always on the todo-list to fix - since 2015, and has now been solved. It's not like we were doing this maliciously.

And now it's 2019, but you don't need to reply to this.

Yes, this needs to be fixed, but is it really a privacy disaster? Especially if the file is E2EE?

In the light of the enemy being Discord with their ToS and privacy policy, I guess it doesn't qualify as a disaster. I am not assured that your E2EE will be unbroken forever and thus I wish to have even the encrypted copies removed after a time.

That said, we're going to fix it anyway (just to stop having this conversation, if nothing else) - just as we're providing deletion APIs for attachments.

👍

[ara4n]

While I have lost a lot of trust towards Matrix, it's not Discord (which is the instant messenger enemy that I cannot get to peace with (some may know of my Telegram cases)) and thus I am willing to come towards you and apologise for my behaviour.

thank you - the apology is appreciated & accepted. i'm hoping it will become even clearer that Matrix is worthy of trust, even if the core development is still largely funded by one company (under the governance of the Foundation).