Open eX00r opened 7 years ago
I'd like to add my +1. Cryptpad is really a superior solution in many ways, and at the very least should be an optional integration.
This works already with a custom widget:
Thank you, this is extraordinarily helpful. From a Metadata perspective, how much of it is leaked? I know that in the case of Cryptpad, encryption keys are partially contained in the URL, so by sharing them as an integration in the room, would that then open it to anyone on the homeserver to which the room belonged?
I have no idea what security stuff happens in this share function but everyone with that link can read (but not edit) it. And I think widgets are not e2ee encrypted events so I would expect it to stay in the HomeServer Database.
I totally understand. It's very likely, since there's a lot of metadata leakage in E2EE in Matrix (usernames, users inside of rooms, room integrations, etc.), that this would fall into that same category. Given that encryption keys in Cryptpad follow the # in the URLs (which aren't passed onto the server, in general), I would use this with significant caution. I suspect that the implementation as provided would enable potential leakage of those keys. I would LOOOVE better E2EE integration support. I know there's a proxy that can allow integration bots to participate in E2EE rooms, but something that might allow a Cryptpad pad to exist in an E2EE (or non-E2EE) room without exposing the keys. Essentially some sort of metadata encryption.
Nonetheless, thank you very much for this. It has utility, though more limited if you have really sensitive information. At least it prevents drive-by disclosure in the way that etherpad does.
Description
The Etherpad app within Riot.im is pretty nice, but following the privacy attempt I propose to also add an app for the e2e-encrypted pad at https://cryptpad.fr. Cryptpad also offers more nice-to-have collaboration tools that could be useful.
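
The concern raised in the comments, as an added example that is not part of the thread or of Riot or Cryptpad code: an HTTP request for a pad URL omits everything after the `#`, but the same URL saved as a widget is stored as a whole string, fragment included. It assumes widgets are room state events with the URL in `content.url` (the `im.vector.modular.widgets` layout); hosts, keys and events below are constructed.

```javascript
// Added example with constructed data; not code from the thread or any project.
// Assumption: widget state events carry their target as a string in content.url.

// What a browser puts on the wire when loading a URL: the fragment is omitted.
function requestTarget(urlString) {
  const u = new URL(urlString);
  return u.origin + u.pathname + u.search;
}

// Audit room state for widget URLs whose fragment is stored with the event.
// Findings report the fragment's length only, never its value.
function auditWidgetState(events) {
  const findings = [];
  for (const ev of events) {
    const raw = ev && ev.content && ev.content.url;
    if (typeof raw !== "string") continue;
    let u;
    try {
      u = new URL(raw);
    } catch {
      findings.push({ state_key: ev.state_key, issue: "unparseable-url" });
      continue;
    }
    if (u.hash.length > 1) {
      findings.push({
        state_key: ev.state_key,
        issue: "fragment-in-state",
        sentToWebServer: requestTarget(raw),
        fragmentLength: u.hash.length - 1,
      });
    }
  }
  return findings;
}

// Constructed room state: one pad widget with a key-bearing fragment,
// one widget without a fragment, one unrelated state event.
const SAMPLE_STATE = [
  { type: "im.vector.modular.widgets", state_key: "pad1",
    content: { type: "m.custom",
               url: "https://pad.example/pad/#/2/pad/view/CONSTRUCTED-KEY-PLACEHOLDER/" } },
  { type: "im.vector.modular.widgets", state_key: "notes",
    content: { type: "m.custom", url: "https://notes.example/p/meeting?lang=en" } },
  { type: "m.room.name", state_key: "", content: { name: "demo" } },
];

console.log(auditWidgetState(SAMPLE_STATE));
```

Run against an export of a room's state, each `fragment-in-state` finding marks a widget whose link secret is readable by whoever can read that room's state.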