RTC/Riot: warn about media and centralization on matrix.org?

[Mikaela]

Currently the warning links to element-hq/element-web#6779 on the E2EE being experimental.

I think there are other issues that should be mentioned together with it, mainly:

• When we redact events, any mxc content they refer to should be redacted too (SYN-216) matrix-org/synapse#1263 - media never removed
• Neither Try Matrix Now or Clients mention that there are other homeservers than Matrix.org matrix-org/matrix.org#586 - only matrix.org is named, and we should probably address it due to https://github.com/privacytoolsIO/privacytools.io/issues/987
• Options to strip EXIF metadata from media uploads. element-hq/element-web#4426 - exif medata removal (in our previous tracker it was nice to have, but I think it deserves getting up as Discord, Signal and Wire have it)
• 20191011: Allow users to disconnect from an integration manager entirely in the same way that we support doing this for identity servers element-hq/element-web#10696 - allow disabling integration manager entirely

The list is shorter than I thought while I was reading my complaints from #1389, I guess I am over-eager at judging what is a team chat application (with my rare use-case) and what a private chat.

This will likely be resolved by https://github.com/privacytoolsIO/privacytools.io/issues/1377#issuecomment-540152967. Maybe it should go directly to upstream privacy tracker? https://vector-im.github.io/feature-dashboard/#/plan?label=privacy-sprint&repo=vector-im/riot-web&repo=vector-im/riot-ios&repo=vector-im/riot-android&repo=vector-im/riotX-android&repo=matrix-org/matrix-doc&repo=matrix-org/sydent

[jonaharagon]

only matrix.org is named

Notably, other homeservers are somewhat prominently displayed in Riot (which is what we link to, not the two pages in that issue) during registration, at least in a way that makes it clear to the end-user that other homeservers are available IMO.

I don't think these issues warrant warning badges in the same fashion that other warning badges have been implemented, but I do think if we rework the instant messenger page entirely like in #1377 they should be mentioned 👍

[Mikaela]

Notably, other homeservers are somewhat prominently displayed in Riot

Where? I opened riot.im/app and wanted to register and I am offered only matrix.org for free, modular.im for a pay (both by New Vector) or if I am advanced, then I can enter something (what?) by myself.

[dngray]

Where? I opened riot.im/app and wanted to register and I am offered only matrix.org for free, modular.im for a pay (both by New Vector) or if I am advanced, then I can enter something (what?) by myself.

I would say the characterization of this #1395 is disingenuous:

Most email clients don't list every email server you could possibly use.

They have taken a pragmatic approach of suggesting "a server": matrix.org for people to use. You could also purchase a subscription to Modular if you want to use your own domain and cannot be bothered maintaining a server yourself.

This serves to do two things, generate some money for the project, (developers need to eat) and something as complex as Matrix requires full time development. Additionally it provides businesses who may not have their own IT staff a ready-to-go system they can use. Many small businesses rely on SaSS options to minimize costs.

I can see the reason why they may not want to endorse any particular server, that could be due to unknowns about the reliability of their hosting. There is the Hello Matrix project and there are a number of servers on there listed, perhaps we could make a suggestion the user selects one of those?

If I recall correctly XMPP did a similar thing to this with jabber.org.

[dngray]

When making a suggestion of what server to use, this isn't a one size fits all;

We should educate the user to select a choice appropriate to their needs. A server locally close to their origin may provide better performance but may be less desirable if that country has poor privacy protections.

[Mikaela]

I can see the reason why they may not want to endorse any particular server, that could be due to unknowns about the reliability of their hosting. There is the Hello Matrix project and there are a number of servers on there listed, perhaps we could make a suggestion the user selects one of those?

Sure.

If I recall correctly XMPP did a similar thing to this with jabber.org.

I am not aware of any client pointing to jabber.org though.

[dngray]

There is the Hello Matrix project and there are a number of servers on there listed, perhaps we could make a suggestion the user selects one of those?

There is also this list public homeserver list.

[ilmaisin]

I wouldn't put the self-destructing message feature to a very high priority, since it is impossible to do well anyway. It's the same problem as with other types of DRM: the attacker and the intended recipient are the same.

Does Matrix encrypt those media uploads? If so, it probably isn't a very big issue. Of course, if "forever" is long enough, the encryption might become obsolete and vulnerable to attacks.

[Mikaela]

Does Matrix encrypt those media uploads? If so, it probably isn't a very big issue.

Depends on whether the room in question is encrypted.

Of course, if "forever" is long enough, the encryption might become obsolete and vulnerable to attacks.

This is my concern and also that deleted uploads are not deleted in reality. matrix-org/synapse#1263

[dngray]

I wouldn't put the self-destructing message feature to a very high priority, since it is impossible to do well anyway. It's the same problem as with other types of DRM: the attacker and the intended recipient are the same.

👍

I expect if this becomes a feature in Matrix we will disable it for the public chat room. Very annoying and pointless to delete comments posted publicly, it provides absolutely no privacy when it's been indexed, cached, locally logged and possibly screen shotted by other users.

It's highly irritating when people set exploding messages on Keybase as we don't check that as frequently as Matrix. All it does is destroy the flow of conversation.

Public is public, if you don't want it public don't say it in public, people need to not get caught up in "message destruction" features and remember that.

Does Matrix encrypt those media uploads?

Yes, in encrypted rooms.

If so, it probably isn't a very big issue. Of course, if "forever" is long enough, the encryption might become obsolete and vulnerable to attacks.

This rule applies to any kind of cryptography no matter where it is.

There's also nothing stopping people from pasting a link to a file on a server they do control, or that they can delete, eg how we did in the days of IRC.

[lrq3000]

Yes and not it's not really off topic, I'll clarify why tomorrow when I'll get access to a computer (but basically it's not centralized anymore on matrix.org because you can change or disable all servers, although messages are still indefinitely retained on the homeserver you chose, but there are discussions to change this, but the issue is that this would add more metadata on e2e encrypted messages, so they need to figure out an elegant solution) Le mar. 11 févr. 2020 à 10:00, Mikaela Suomalainen <[email protected]> a écrit :

…

To clarify, I am missing self-destructing messages in private Matrix/Riot conversations, just like I have them in private Signal group/chats. I am not personally using Signal for anything public and I don't view Signal suitable for public chats, as I am not willing to share my phone number and even more importantly it has no group moderation. Also #1701 <https://github.com/privacytoolsIO/privacytools.io/pull/1701> is the only answer I have to the offtopic conversation in this issue. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <https://github.com/privacytoolsIO/privacytools.io/issues/1395?email_source=notifications&email_token=AAIRFXV6GMLV4RIQBE7HXDTRCJSLBA5CNFSM4I7THP4KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOELLUN4I#issuecomment-584533745>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAIRFXT63USQY75YV4RK63LRCJSLBANCNFSM4I7THP4A> .

[Mikaela]

If I now installed Riot on a new device, would it tell me that other homeservers than Matrix.org exist or ask me which homeserver I want to use giving me choice of others than Matrix.org without deciding that I am an experienced/advanced user by entering a custom homeserver address?

[lrq3000]

You would have to manually enter a custom server (and this can also be done later on). This was covered by other answers above, it's not an illegitimate thing for them to do commercially wise (it's not like Wire who offered free accounts to then become paid only services). The thing is that with Riot, you *can* choose what server will store your messages, and you can still have access to the whole federated network. Whereas with Signal and others, you can't. I didn't check if signal server is opensource, but even if it is and you self host it, then you can't access other users on the main Signal server. Whereas here you can. That's not to say that Riot should not have warnings or instructions to properly configure it to make it more secure. But out of all currently available messengers, it has one of the most decentralized design, so if a warning about centralization is added, pretty much all other messengers will have it (including p2p such as Jami, who uses several servers to offer several services). Le mar. 11 févr. 2020 à 11:00, Mikaela Suomalainen <[email protected]> a écrit :

…

If I now installed Riot on a new device, would it tell me that other homeservers than Matrix.org exist or ask me which homeserver I want to use giving me choice of others than Matrix.org without deciding that I am an experienced/advanced user by entering a custom homeserver address? — You are receiving this because you commented. Reply to this email directly, view it on GitHub <https://github.com/privacytoolsIO/privacytools.io/issues/1395?email_source=notifications&email_token=AAIRFXUAQWMWVUUGCL4EPS3RCJZLTA5CNFSM4I7THP4KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOELL2BXA#issuecomment-584556764>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAIRFXUQZLLR756CD3ZPEHDRCJZLTANCNFSM4I7THP4A> .

[lrq3000]

@Mikaela To reply in more details, in your opening post, point 4 element-hq/element-web#10696 is now done (I checked in the app, the integration manager can be disabled).

For the rest, I won't repeat myself, but yeah I agree Riot could do better in terms of decentralization by linking to a list of instances, instead of just showing an option to enter a custom homeserver address. But still, the possibility exists, and is not that hard to do, and there are pros and cons to using a custom server anyway, so for the lambda user, what matters more is E2EE by default and expiring messages IMO.

E2EE by default is being deployed right now as I wrote above.

For messages expiration, I had to do a bit of research to track down the pertinent info, but it seems it's now implemented, both at the server level and room level, although not easily changeable (ie, no button on the GUI in the room's options, you need to send a custom state event) because it's not yet part of the Matrix specification:

• Message retention policies at the room and server levels matrix-org/synapse#5815
• https://github.com/matrix-org/synapse/blob/master/docs/message_retention_policies.md

However, this is only true for messages, not for media, for which an issue was opened recently.

Also, about what you wrote in https://github.com/privacytoolsIO/privacytools.io/issues/1389#issuecomment-540826288:

I am also confused on how file uploads sent in a direct chat can be posted elsewhere as easily as by copying the URL, which to me hints that they aren't actually private.

I remember reading a github issue on riot or matrix repo about this indeed, where the devs were aware that encrypted medias could be accessed by anyone with the handle because the medias were not attached to a particular room or permission, and they were thinking about how to elegantly fix this while minimizing the addition of meta-data. But unfortunately I can't find the issue where I have read that, I will post it here if I ever stumble on it again.

Also, URL previews are a weak point that can be used to subvert E2EE, but they are disabled by default and when enabling in the options you get a warning.

---

TL;DR: I agree that messages and media retention should be mentioned in a warning. Centralization (or rather the proposition of matrix.org as the default homeserver) is not an issue that merits a warning I think, but it would be nice to add a sentence in the description to highlight that it is possible to use a custom server address (the best would be to link to a list of instances, such as this one or this one). I would also suggest warning about enabling URL previews as they can leak information/identity. It could be nice to mention it can work with Tor Browser.

[lrq3000]

Ah well, they just added your issue on centralization on this month's todo list for their website changes.

[lrq3000]

Also pre-redacted messages are deleted after 7 days now (I consider this linked with the messages retention issue).

[lrq3000]

Ephemeral/self-destructive messages are also supported (but not for media - media seem to be a weak point of Matrix/Riot currently): matrix-org/synapse#6409

PS: @Mikaela :

but I am not certain where they belong as we cannot promote Riot above Signal as they are in two different categories, centralized and federated.

My bad, I remembered Matrix being a mention instead of a featured suggestion, but I must have looked at an old version of the page. I am not suggesting that Matrix should be suggested above Signal, as you write, they are in different categories, and suit different needs, it's fine to me like that, but I agree the description should be updated according to the issues you raised.

[Mikaela]

I wish this issue could focus on the actual issue which is the centralization, but

I would also suggest warning about enabling URL previews as they can leak information/identity. It could be nice to mention it can work with Tor Browser.

no, the URL previews are generated on server-side by Synapse and if you look into logs of anything fetching a preview, you will see the homeserver address rather than Riot address so it doesn't matter. Or what information are you talking about?

[lrq3000]

Or what information are you talking about?

This

[Mikaela]

Would you mind opening a new issue about that?

[ian-tedesco]

Session warns you about the same when you try to enable it.

[lrq3000]

Riot also shows a warning now, so should we open an issue to mention this anyway or is it fine as long as the software warns about it itself?

[blacklight447]

I would vote that the new in software warning is good enough.

[dngray]

I'm going to close this now that it has been added to the 2020-02 milestone matrix-org/matrix.org#586 that's really the right place for it.