this post was submitted on 31 Dec 2021

40 points (90.0% liked)

Open Source

30339 readers

2482 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Posts must be relevant to the open source ideology
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago

MODERATORS

Cloak@lemmy.ml

kevincox@lemmy.ml

CrypticCoffee@lemmy.ml

Lettuceeatlettuce@lemmy.ml

I don't trust Matrix. (lemmy.ml)

submitted 2 years ago* (last edited 2 years ago) by coconuteclair@lemmy.ml to c/opensource@lemmy.ml

36 comments fedilink hide all child comments

This posts is a list of all the suspicious things Matrix/New Vector and Element (which is run by Matrix employees) have done.

Crossposted to c/opensource from c/privacy.

I want to start a civil discussion on this topic, if anyone has improvement ideas for the list or wants to debate one of the bullet points for removal, I'm all ears.

Matrix

Matrix was created inside of an Israeli Intelligence Corporation called Amdocs.
Matrix leaks lots of metadata, in many cases not fixed to date. The homeserver can and does store lots of metadata.
Even if you run your own instance, it still sends data to the main homeserver.

The Cloudflare Situation

All research on the Cloudflare situation is done by me.

If you check the SSL Certificate for https://element.io you'll see it's by Cloudflare.

Cloudflare has MANY privacy issues, and just wanting to centralize the web.

The Element client is the most used client, with many users using the default instance, because it's easy or they want to simply join their friends or a community on Matrix easily. This comes as worrying because Cloudflare decrypts TLS traffic and this is even more worrying because Cloudflare is a honeypot.

Even if Cloudflare cannot decrypt anything because of the Matrix protocol encrypting them beforehand, lots of metadata in the message itself is send over plaintext like who you're talking with, channel name etc. (and this is excluding the metadata leaks that Matrix has to the main homeserver and in general). Of course, this could be mitigated by using Element on another instance that isn't behind Cloudflare, but the average user will not know to do that or even understand the concept of federation and decentralization.

Cloudflare's CDN can be used without using their SSL certificate which just backdoors your site, so why is Element using it? Element is run by the same people that are behind matrix.org (mostly), so they know how to do basic privacy features.

Even if we assume there's no ill intent here, Cloudflare just wants to centralize the web (~30% of SSL traffic goes through Cloudflare, ~80% of CDN traffic goes through Cloudflare), which is obviously against Matrix's mission of decentralized communication.

Through Cloudflare, an adversary with ill intention could target a Matrix user and be susceptible to metadata collection.

The CIA & NSA admitted that they kill people by gathering and using metadata.

I've took this argument in the official Matrix channels, and no one has been able to properly respond to the arguments presented. Though, they were only members, no admins were involved.

If anyone wants to bring these issues forth to the official Matrix admins, I'd be more than glad to help. Thanks for reading!

all 38 comments

sorted by: hot top controversial new old

[–] dessalines@lemmy.ml 25 points 2 years ago* (last edited 2 years ago) (2 children)

You can "trust" it, because its self hostable, and buildable from source, unlike other not self hostable services. Its origins and funding are important, but less so because of those two attributes.

The metadata leaking is a problem with every federated system, xmpp included. You could even call the metadata leaking a feature, not a bug, since its what makes federation possible.

Whats important is that the metadata being leaked, isn't linked to your identity, unlike with signal. Matrix doesn't require phone numbers, or emails to sign up. You also can run an instance without turning on federation, if that's still a concern.

The cloudflare concerns aren't an issue as long as you run your own instance, or join one that doesn't use cloudflare. There's nothing requiring cloudflare built into the software or the protocol.

[–] coconuteclair@lemmy.ml 9 points 2 years ago (1 children)

The cloudflare concerns aren’t an issue as long as you run your own instance, or join one that doesn’t use cloudflare. There’s nothing requiring cloudflare built into the software or the protocol.

Yeah, but the vast majority of non-technical users don't bother to change homeservers, or even clients, so it could affect them. What puzzles me is why the Matrix/Element team chose Cloudflare for app.element.io, (matrix.org uses LetsEncrypt), when CF aims to centralize the web and is a privacy nightmare. It's more of an ethics thing, in my opinon. But sure, like I mentioned too, could be solved by switching homeservers/clients but the vast majority of users won't bother.

[–] dessalines@lemmy.ml 8 points 2 years ago* (last edited 2 years ago)

I understand it even though I also hate cloudflare, as ddos attacks are extremely difficult to thwart otherwise. But of course it stands that nothing in the code of any of the homeservers, apps, or protocol requires cloudflare.

[–] poVoq@lemmy.ml 7 points 2 years ago (1 children)

The metadata leaking is a problem with every federated system, xmpp included. You could even call the metadata leaking a feature, not a bug, since its what makes federation possible.

The problem is not mainly the leaking metadata, but that the Matrix protocol is designed to indefinitely store and freely share this metadata with every home-server joining (which even gets a full copy of everything retro-actively). XMPP does not do this.

[–] dessalines@lemmy.ml 9 points 2 years ago (1 children)

How does xmpp not store information about federated users joining a room?

[–] poVoq@lemmy.ml 8 points 2 years ago* (last edited 2 years ago) (1 children)

XMPP only does this on the single server the room resides on and does not share this info with other participating servers except for the bare minimum needed to show the users nick names.

I recommend you hosting your own Matrix home server and after joining a few federated rooms look at your database what kind of historical metadata ends up on your new server. It's honestly appalling from a privacy point of view.

Yes this is needed for room persistence across multiple servers, but IMHO that is a solution looking for a problem and also a highly over-engineered one.

[–] Ferk@lemmy.ml 7 points 2 years ago* (last edited 2 years ago)

There's ongoing work to encrypt much of the metadata. https://github.com/matrix-org/matrix-doc/pull/3414

Yes this is needed for room persistence across multiple servers, but IMHO that is a solution looking for a problem and also a highly over-engineered one.

Without this solution the transition to p2p would be much more complicated, would it not?

[–] SusPillow9328@lemmy.ml 17 points 2 years ago

Matrix is still a great project and is one of the only good and privacy-respecting Discord alternatives right now. Services like Discord don’t have any end-to-end encryption so it’s still a good alternative. And there is work being done to encrypt metadata. https://github.com/matrix-org/matrix-doc/pull/3414

[–] hun7r@lemmy.ml 11 points 2 years ago* (last edited 2 years ago) (1 children)

It would be foolish to trust any of these services blindly.

However matrix is the better alternative to many, for now.

[–] Yujiri@lemmy.ml 7 points 2 years ago (1 children)

Also the part about matrix being created for military: Most of our technology is derived from military use. Sadly the best motivator for human beings to create a new thing is “how we can use it to control/kill?”

True: even Tor was created by the US gov

[–] mp3@lemmy.ml 5 points 2 years ago* (last edited 2 years ago)

And ARPANET, basically the ancestor of the Internet itself.

[–] Yujiri@lemmy.ml 10 points 2 years ago (2 children)

The CIA & NSA admitted that they kill people by gathering and using metadata.

This is a serious claim that you just gloss over. I don't doubt that they do those things, but I'd still like to see the source for them publicly admitting it.

[–] poVoq@lemmy.ml 14 points 2 years ago

This is well sourced and known:

in April 2014, at a symposium at Johns Hopkins University, General Michael Hayden, a former director of both the CIA and the NSA, said this: “We kill people based on metadata”. He then qualified that stark assertion by reassuring the audience that the US government doesn’t kill American citizens on the basis of their metadata. They only kill foreigners.

from this source, but a google search will give you many others.

[–] coconuteclair@lemmy.ml 7 points 2 years ago

https://www.justsecurity.org/10318/video-clip-director-nsa-cia-we-kill-people-based-metadata/

And I believe there was a tweet somewhere, if I find it, I'll link it.

[–] cameraandsickle@lemmygrad.ml 8 points 2 years ago (2 children)

What's the best alternative? Jami seems good and I generally trust the FSF and I found Revolt which seems to basically aim to recreate all Discord features and is currently in public beta.

https://github.com/revoltchat

[–] mossy@lemmy.ml 5 points 2 years ago (1 children)

I’ve also heard about Fosscord, but it doesn’t seem like it’s at it’s first release yet

https://fosscord.com/

[–] adrianmalacoda@lemmy.ml 2 points 2 years ago* (last edited 2 years ago)

Fosscord aims to be compatible with Discord which is why I think it has an edge over Revolt. It will be possible to use Fosscord client as a free alternative to the proprietary Discord client while in the process of switching over to a self-hosted instance.

[–] Yujiri@lemmy.ml 3 points 2 years ago (1 children)

Is Revolt federated?

[–] cameraandsickle@lemmygrad.ml 4 points 2 years ago (3 children)

I'm actually not sure, nor can I see what encryption they use on the website. Maybe someone smarter than me can check out the code

[–] testman@lemmy.ml 8 points 2 years ago (1 children)

Revolt is not federated.

[–] cameraandsickle@lemmygrad.ml 2 points 2 years ago

Thanks!

[–] SusPillow9328@lemmy.ml 2 points 2 years ago

Revolt currently does not have encryption but there’s an open issue https://github.com/revoltchat/revolt/issues/207

[–] Yujiri@lemmy.ml 2 points 2 years ago

That's one thing I don't like about Revolt. There's no information about it either on their homepage or github

[–] HamsterDeveloper@lemmy.ml 8 points 2 years ago

I don't like that the protocol is so intertwined with a commercial company.

[–] Vera9@lemmy.ml 4 points 2 years ago

me too.

[–] CHEFKOCH@lemmy.ml 4 points 2 years ago (2 children)

I feel the same, Telegram and Matrix got hyped and whatnot but same like Signal they got millions of dollars and are light years behind the competition. Which makes me wonder what they do with the money and why they do not hire competent people, which I would do in such case to address all concerns and design flaws.

Matrix encryption is flawed too, avatars, reactions etc. are NOT encrypted. Matrix might be an alternative until all flaws are fixed, but that might take years from now.

[–] poVoq@lemmy.ml 9 points 2 years ago* (last edited 2 years ago) (1 children)

Matrix encryption is flawed too, avatars, reactions etc. are NOT encrypted.

Most messengers only encrypt the text body. There is some work underway to improve this in XMPP with a new version of the OMEMO standard, but this is not yet implemented in most clients.

IMHO the bigger problem with Matrix's OLM e2ee is that they weakened key exchange to be per account and not per device (mainly to make it more scalable in group-chats) and this requires devices to exchange the shared private key which is inherently risky.

[–] BridgeBum@lemmy.ml 7 points 2 years ago (1 children)

and this requires devices to exchange the shared private key which is inherently risky.

There is some risk, sure. I don't see how this would be any more risky than a TLS exchange. Obviously the exchange can be implemented badly, but if done correctly it seems like it would work with certs and send the key encrypted.

I think the bigger risk is the key sitting at rest on multiple devices, some of which are easily lost (cell phones) and could then compromise an account.

[–] poVoq@lemmy.ml 5 points 2 years ago* (last edited 2 years ago)

You seem to have a misunderstanding of what public and private keys are. Private keys should never leave the device they were created on.

[–] coconuteclair@lemmy.ml 7 points 2 years ago

Agreed, many people would like to use what they call "integrations" aka "bots" for those coming from Discord, which wouldn't be unencrypted, and as you mentioned stickers. Signal/XMPP is my messenger of choice at the moment.

[–] SusPillow9328@lemmy.ml 1 points 2 years ago