🆕 Software Suggestion | Matrix (Riot/Synapse)

[jonaharagon]

Basic Information

Name: Matrix (Riot)
Category: RTC > Team Chat Platforms
URL: https://about.riot.im/

Name: Matrix (Synapse)
Category: RTC > ?
URL: https://matrix.org/docs/guides/installing-synapse
I think we need to mention Synapse specifically and encourage self-hosting over using the matrix.org homeserver, or really any public homeserver whenever possible. I don't know if this should be mentioned in the Riot listing, or if we should have a separate category for RTC servers.

Description

Since Riot was last reviewed, they have added a number of privacy-centric improvements. This is not a complete list, but these are issues we previously defined as major blockers:

• Redacted messages are now removed from the database. We need to actually censor redactions from the DB (SYN-284) matrix-org/synapse#1287
• Integration managers can now be easily controlled by the user. Store Integration Manager preferences in account data and allow user to change them somewhere sensible element-hq/element-web#10161
• The identity server now appears to be stored in account data, and more importantly can now be modified or removed in user settings. Store identity server in Account Data and support choosing identity server integration in User Settings element-hq/element-web#10094

There are a few unfixed issues, but I don't know if they are blockers to recommendation or not, so that's what I want to discuss here.

• Matrix seems to store a lot of unnecessary metadata redacted matrix-org/synapse#4565
  • Edit: The majority of this issue appears to be addressed: redacted matrix-org/synapse#4565 (comment)
• Homeserver data does not expire https://github.com/matrix-org/matrix-doc/issues/447
  • Edit: A fix for this issue has been designed and will soon be implemented: https://github.com/matrix-org/matrix-doc/issues/447#issuecomment-540321546
  • Seeing as redactions are evidently erased I don't think this is a huge issue. This is a problem for HS admins who may not want to maintain data infinitely but it doesn't seem like a privacy problem to me. Even if this was implemented it would be up to the HS admins, and one HS could choose to store data infinitely anyways (i.e. users should not assume their data will ever be erased even after implementation),
• Media is never redacted When we redact events, any mxc content they refer to should be redacted too (SYN-216) matrix-org/synapse#1263
• Private contact discovery is not implemented Feature: Private Contact Discovery (discovery without servers learning your contacts list) element-hq/element-web#7649
  • We have this listed as a blocker in #1049 but I don't see this as a major issue. This would be more of a useful feature. The privacy concern here is with using an IS, but that can now be easily disabled, correct?
  • Edit: The functionality as described in this issue doesn't sound like it will be implemented, but it appears that a more privacy-friendly contact discovery method than the old method has been implemented: Feature: Private Contact Discovery (discovery without servers learning your contacts list) element-hq/element-web#7649 (comment)

Finally, there are a few more "major" concerns we've voiced that have not yet been fixed, but that I do not think are blockers at all.

• Matrix.org uses Cloudflare
  • Services using Cloudflare has historically not been a blocker for recommendation. I personally don't see it as a "major" issue at all.
  • End-to-End Encrypted chats are not really affected by this, and should be used whenever sensitive messages are being communicated.
  • Finally, during this re-listing we definitely want to discourage the use of matrix.org anyways to promote decentralization.
• Present an aggregated terms of service dialogue at registration if possible element-hq/element-web#10167: Present an aggregated terms of service dialogue at registration if possible
  • Operators of custom Riot servers can specify ToS, Privacy Notices, etc. in config.json, no?
  • The functionality I wanted does exist, whoops!
• Riot X identity server is not configurable. Login/register: allow to set home server and identity server urls element-hq/element-android#20
  • For privacy reasons a hardcoded IS seems unacceptable, but is Riot X currently recommended for public use? I don't think we can judge the project based on an incomplete client.
  • In addition to being in beta, identity server functionality is not implemented at all.

All the other issues within https://github.com/privacytoolsIO/privacytools.io/issues/1049 are still important to monitor but I don't think the issues not mentioned above are blockers and are mostly small issues.

Anyhow, it seems clear to me that the Matrix team is at least committed to fixing their issues. For instant messengers I would still probably prefer Signal or Wire, but for a more public, large group chat use-case there does not appear to be any better alternatives to Matrix, especially from a privacy standpoint. This is why we still use it ourselves. It seems especially disingenuous to recommend XMPP over Matrix.

Also, I think that by advertising our group chat on Matrix without recommending Matrix itself we are both sending a mixed message and promoting centralization on our own server, by not demonstrating the alternatives (hosting it yourself).

[dngray]

I support this. It would make https://github.com/privacytoolsIO/privacytools.io/issues/1377 a lot simpler too.

All the other issues within #1049 are still important to monitor but I don't think the issues not mentioned above are blockers and are mostly small issues.

Anyhow, it seems clear to me that the Matrix team is at least committed to fixing their issues. For instant messengers I would still probably prefer Signal or Wire, but for a more public, large group chat use-case there does not appear to be any better alternatives to Matrix, especially from a privacy standpoint. This is why we still use it ourselves. It seems especially disingenuous to recommend XMPP over Matrix.

Also, I think that by advertising our group chat on Matrix without recommending Matrix itself we are both sending a mixed message and promoting centralization on our own server, by not demonstrating the alternatives (hosting it yourself).

Could not have put it better myself.

[ara4n]

Several of the issues listed here as unfixed are actually fixed - i've gone through updating the bugs in question to try to make it clear, but specifically:

• almost all of redacted matrix-org/synapse#4565 is addressed
• https://github.com/matrix-org/matrix-doc/issues/447 is designed & implemented (but being tested on the French matrix deployment before being merged into mainline)
• Feature: Private Contact Discovery (discovery without servers learning your contacts list) element-hq/element-web#7649 was implemented (i've closed the bug)
• Present an aggregated terms of service dialogue at registration if possible element-hq/element-web#10167 is just UX eye-candy; having the option to present the policies at registration rather than incrementally as the user stumbles across the services in question. I'm not convinced we should do it at all, given it makes the user less likely to read the policies and understand what they relate to.
• Login/register: allow to set home server and identity server urls element-hq/element-android#20 is a non-issue; the only reason that RiotX doesn't expose a configurable identity server URL is because it hasn't implemented any identity service functionality yet(!).

[jonaharagon]

Thank you @ara4n, I've updated the issue.

Re 10167 I was confused, I actually wasn't aware consent tracking existed. Don't know how that slipped by me, but since that's the case I do agree the current implementation is probably better. Sorry about that!

[blacklight447]

I REALLY don't want to recommend matrix until e2ee is turned on by default for private chats.

[dngray]

I REALLY don't want to recommend matrix until e2ee is turned on by default for private chats.

If that's the case we should not recommend any XMPP clients as they do not have it on by default either; and likely never will do.

Perhaps a warning badge and a link to step-by-step guide in enabling it in Riot would do? We know that E2EE is going to be on by default for 1:1 chats with Riot element-hq/element-web#6779 at some time in the future.

[dawidpotocki]

> I REALLY don't want to recommend matrix until e2ee is turned on by default for private chats. If that's the case we should not recommend any XMPP clients as they do not have it on by default either; and likely never will do.

Conversations uses OMEMO by default for sure.

[dngray]

Conversations uses OMEMO by default for sure.

But does everyone use conversations on Android?

[dawidpotocki]

> Conversations uses OMEMO by default for sure. But does everyone use conversations on Android?

Do you know anyone who doesn't? I'm pretty sure it's most popular XMPP client for Android and there are also few forks like Quicksy, which also use OMEMO by default.

[dngray]

Quicksy

afaik that's fork of Conversations that uses phone numbers as an identifier.

What about if you're not on Android.

[dawidpotocki]

What about if you're not on Android.

ChatSecure (iOS) is using OMEMO too.

[dngray]

What about if you're not on Android.
ChatSecure (iOS) is using OMEMO too.

Does it support E2EE by default? I can't definitively find anywhere where it says it does, i would have thought that would have been worth mentioning on their blog https://chatsecure.org/blog/

[dawidpotocki]

> ChatSecure (iOS) is using OMEMO too. Does it support E2EE by default?

Yes, I just checked it.

[dngray]

ChatSecure (iOS) is using OMEMO too. Does it support E2EE by default?
Yes, I just checked it.

And what if you want to access in a web browser (public/friends computer), a desktop or some other platform like maybe a Librem, the point is you're going to have to know where to click on all platforms (some you may not even know) when instructing friends to do things. When their client crashes, or has some issue, "works for me on my platform" isn't going to be an answer they will accept.

Nothing is perfect, (no software is), but taking the pragmatic approach and suggesting something that is just going to annoy people is not really going to help privacytools.io the likely result is that people will just stay with their offering from Facebook, Inc. or maybe consider Signal, though that requires a phone number (something plenty of people I know who are tech noobs are not happy to hand out).

What we really need to decide is, is it too difficult to show a user how to enable E2EE on a 1:1 conversation in Riot? - we can do that with pretty pictures. ie:

1. Clicking a contact's name
2. Clicking "Security & Privacy"
3. Toggling "Encryption" to the on position.

Should also be noted that once a user does that it cannot be disabled, (something that might happen if you use an XMPP client that doesn't have OMEMO on by default, "Never send encrypted messages to unverified devices in this room from this device" seems pretty explanatory too.

I would also argue that emoji fingerprint verification is far less daunting than a huge alphanumeric fingerprint. (QR only really works if you are in the same room as the person you're trying to verify).