vector.im used to register account even when specifying custom id server

[stone212]

Description

After installing a private matrix/synapse server and following the instructions to register an account with riot-web on my private server, I am told I have successfully created an account.

I check my email and I find that I am asked to verify this account with vector.im!!! But I did not want to touch vector.im or share any identity information with a 3rd party.

Steps to reproduce

Install a Matrix/Synapse server using these directions: https://blog.cryptoaustralia.org.au/2017/03/21/run-your-end-to-end-encrypted-chat-server-matrix-riot/

Under "Time to Riot," follow the instructions to create a new account on your new private server.

Note that if you use https://myserver.com for the id server, you get this bug: https://github.com/vector-im/riot-web/issues/6332

If you leave off the https:// and simply type "myserver.com" for the id server, you are shown the screen that says an email confirmation has been sent.

Go to your email and you will see a link to "Complete email verification" on vector.im!!!!

Describe how what happens differs from what you expected.

I expected to be asked to confirm this on my own server, not a 3rd party! (vector.im) There should not be any reason to touch a 3rd party with my id information.

For the desktop app:

riot-web Debian 9 Matrix/Synapse server on Ubuntu 16.04

[MTRNord]

Vector.im is a identity server not your homeserver aka. Synapse. It's function is to provide a user directory. It does NOT get passwords. It only links your mxid to the Email.

[stone212]

@MTRNord This should be made clear in many places. There should be a warning before leaking this very sensitive data (username and email) to a 3rd party. I specifically set my own server as the identity server because I do not want any data leaks to 3rd parties.

Not only do you take data but you also don't warn the user. This is a dangerous combination. I will stop using Riot.

[ara4n]

@MTRNord is just a member of the community trying to help (thanks @MTRNord).

So your actual bug here is that if you put a URL into the 'identity server' field which isn't actually an identity server, Riot defaults to the default identity server of vector.im?

[stone212]

@ara4n

No one said there is a bug. But there are two issues.

1. Your install docs do say or imply that when you are done you have an identity server.

2. if you put a URL into the 'identity server' field which isn't actually an identity server, Riot defaults to the default identity server of vector.im instead of warning you that you made a mistake and that if you proceed your data will be leaked.

How are you not seeing how terrible 2 is?

[t3chguy]

2. Is a bug and not the intended behaviour.

[the-moog]

This may be related to this issue

I'm using a private home server, hosting (in different domains) Riot, Synapse and mxisd. We find the following:

1: A new user is invited to a room 2: They click the invite email link 3: They are asked for their registration details 4: They are sent a validation email 5: The click the new link 6: goto 3

i.e. an infinate loop

The setting (in Riot config.json) for both default_hs_url and default_is_url is the same and set to the URL of the private server.

We have found that if the user clicks "Custom Server" rather than "Default Server" during registration then the validation email link works.

Strangely when "Custom Server" is selected the URLs default to the correct setting

Conclusion the configured default setting is ignored and some other setting ??vector.im?? used instead.

I've looked at the source code but I can't find where the error stems from.

[miztizm]

the same here, i think vector.im is frustrating a lot of users

When i remove a vector.im it uses still vector.im , i dont know why.

Currently the only public matrix identity servers are matrix.org and vector.im. In future identity servers will be decentralised.

When?

Solutions: Tell a user how to setup a own identity server, instead of public and give a options.

[aaronraimist]

@devcline https://github.com/kamax-matrix/mxisd is a usable identity server you can setup and use.

[miztizm]

@aaronraimist yeah thanks i saw this, maybe its need to added to the readme ?

[aaronraimist]

@devcline Well, Riot is a client so this isn't really the right place. It is already on the matrix.org website and this PR would add it to the Sydent README. https://github.com/matrix-org/sydent/pull/88

[jayavanth]

What's the status of this issue right now? Riot still uses vector.im identity server as the default identity server and doesn't let me use an empty field or a fake identity server (a url for identity server that doesn't exist or isn't actually an identity server).

Is mxisd/sydent a reliable self-hosted identity server that doesn't leak identities to vector.im or other centralized identity servers?

[maxidorius]

@jayavanth I am the author of mxisd - mxisd is the only self-hostable Identity server currently, and it is made that by default, your data is just not leaked. Your data is only sent to other servers if you either 1) confirm the action and give consent or 2) explicitly configured mxisd that way. We'll be happy to answer more questions in our Matrix room (#mxisd:kamax.io) or in our repo: https://github.com/kamax-matrix/mxisd

[turt2live]

I'm not able to reproduce this on riot.im/app right now. We've done some work in the area, so it may very well have been fixed by one of those changes. If the issue persists, please open a new issue and submit debug logs if at all possible.