privacytools / privacytools.io

🛡🛠 You are being watched. Protect your privacy against global mass surveillance.
https://www.privacyguides.org
Creative Commons Zero v1.0 Universal

RTC/Riot: warn about media and centralization on matrix.org? #1395

Closed Mikaela closed 4 years ago

Mikaela commented 5 years ago

Currently the warning links to https://github.com/vector-im/riot-web/issues/6779 on the E2EE being experimental.

I think there are other issues that should be mentioned together with it, mainly:

The list is shorter than I thought while I was reading my complaints from #1389; I guess I am over-eager at judging what is a team chat application (with my rare use-case) and what is a private chat.

This will likely be resolved by https://github.com/privacytoolsIO/privacytools.io/issues/1377#issuecomment-540152967. Maybe it should go directly to upstream privacy tracker? https://vector-im.github.io/feature-dashboard/#/plan?label=privacy-sprint&repo=vector-im/riot-web&repo=vector-im/riot-ios&repo=vector-im/riot-android&repo=vector-im/riotX-android&repo=matrix-org/matrix-doc&repo=matrix-org/sydent

jonaharagon commented 5 years ago

only matrix.org is named

Notably, other homeservers are somewhat prominently displayed in Riot (which is what we link to, not the two pages in that issue) during registration, at least in a way that makes it clear to the end-user that other homeservers are available IMO.

I don't think these issues warrant warning badges in the same fashion that other warning badges have been implemented, but I do think if we rework the instant messenger page entirely like in #1377 they should be mentioned 👍

Mikaela commented 5 years ago

Notably, other homeservers are somewhat prominently displayed in Riot

Where? I opened riot.im/app and wanted to register and I am offered only matrix.org for free, modular.im for pay (both by New Vector) or, if I am advanced, then I can enter something (what?) by myself.

(screenshot)

dngray commented 5 years ago

Where? I opened riot.im/app and wanted to register and I am offered only matrix.org for free, modular.im for pay (both by New Vector) or, if I am advanced, then I can enter something (what?) by myself.

I would say the characterization of this #1395 is disingenuous:

Most email clients don't list every email server you could possibly use.

They have taken a pragmatic approach of suggesting "a server": matrix.org for people to use. You could also purchase a subscription to Modular if you want to use your own domain and cannot be bothered maintaining a server yourself.

This serves to do two things: generate some money for the project (developers need to eat, and something as complex as Matrix requires full-time development). Additionally it provides businesses who may not have their own IT staff a ready-to-go system they can use. Many small businesses rely on SaaS options to minimize costs.

I can see the reason why they may not want to endorse any particular server, that could be due to unknowns about the reliability of their hosting. There is the Hello Matrix project and there are a number of servers on there listed, perhaps we could make a suggestion the user selects one of those?

If I recall correctly XMPP did a similar thing to this with jabber.org.

dngray commented 5 years ago

When making a suggestion of what server to use, this isn't a one-size-fits-all:

We should educate the user to select a choice appropriate to their needs. A server locally close to their origin may provide better performance but may be less desirable if that country has poor privacy protections.

Mikaela commented 5 years ago

I can see the reason why they may not want to endorse any particular server, that could be due to unknowns about the reliability of their hosting. There is the Hello Matrix project and there are a number of servers on there listed, perhaps we could make a suggestion the user selects one of those?

Sure.

If I recall correctly XMPP did a similar thing to this with jabber.org.

I am not aware of any client pointing to jabber.org though.

ilmaisin commented 5 years ago

Can matrix/riot even be considered a privacy tool at all? They seem to promote decentralization, which is great too, at least if done properly, but that's not really the same thing. I mean, not only have they still not got e2ee by default, but until very recently they snooped a lot of data even when the user was using a third-party server.

Mikaela commented 5 years ago

They have improved and will hopefully keep on improving, and I guess they are important to list as an alternative to Discord.

dngray commented 5 years ago

There is the Hello Matrix project and there are a number of servers on there listed, perhaps we could make a suggestion the user selects one of those?

There is also this public homeserver list.

lrq3000 commented 4 years ago

E2EE by default and cross-signing are being rolled out for 1on1 and private group chats: https://github.com/vector-im/riot-web/issues/6779#issuecomment-580001333

lrq3000 commented 4 years ago

A few more recent security updates pertaining to Riot/Matrix, that you may already know here but I think it's good to write here for reference:

Given these security improvements, and if the currently rolling E2EE by default with cross-signing goes well, I would suggest that Riot could be promoted as one of the main chat options on PTIO.

Indeed, compared to other great solutions like Signal, I would argue anonymity is a lot easier to achieve with Riot/Matrix: use E2EE by default to encrypt messages and voice calls, and access the web app through Tor Browser. Whereas for Signal, one needs to register on a smartphone first, and without a rooted phone, it's unclear how Signal could be fully piped through Orbot and Orwall (and anyway Signal could still gather lots of metadata about the phone if it becomes evil).

Now I'm not saying that Signal is evil, I don't think so, but that how Riot is designed right now allows the user to have more control over their own metadata and IP address (notably by passing through Tor Browser, which can be used from the very start of the registration process), whereas other solutions such as Signal often require some degree of trust in an authority. And it's not simply because Riot/Matrix is federated (although this forces the devs to decouple, from a design point of view, some things like servers, which is a good thing), but also because it provides a web app that can be used through Tor Browser (which I think is better than if the desktop app offered a Tor proxy option, because here you don't need to trust the app to redirect all events through Tor, which may not happen due to bugs; here Tor Browser kind of acts like a shield, so the app doesn't have direct access to the user's system but only to the web browser info, hence shielding not only the IP address but also metadata).

Of course, web browser exploits and such are always a possibility (although the open-source nature of the Riot web app should hopefully allow for quick fixes of any exploit), but from a design standpoint, I think it's a quite robustly secure and anonymous approach for an instant messenger.

dngray commented 4 years ago

There were some interesting lectures at FOSDEM 2020 this year:

Mikaela commented 4 years ago

I think the three previous comments are offtopic here (and so is this response), but I am not certain where they belong as we cannot promote Riot above Signal as they are in two different categories, centralized and federated.

I guess Riot would be competitive with Signal if it supported self-destructing messages and didn't store media uploads forever.

If we did suggest Riot as an alternative to Signal, it wouldn't matter if everyone registered on Matrix.org, as Signal is also a centralized service. As I still view everyone registering on Matrix.org as an undesired event, I view these two issues separately.

ilmaisin commented 4 years ago

I wouldn't put the self-destructing message feature at a very high priority, since it is impossible to do well anyway. It's the same problem as with other types of DRM: the attacker and the intended recipient are the same.

Does Matrix encrypt those media uploads? If so, it probably isn't a very big issue. Of course, if "forever" is long enough, the encryption might become obsolete and vulnerable to attacks.

Mikaela commented 4 years ago

Does Matrix encrypt those media uploads? If so, it probably isn't a very big issue.

Depends on whether the room in question is encrypted.

Of course, if "forever" is long enough, the encryption might become obsolete and vulnerable to attacks.

This is my concern and also that deleted uploads are not deleted in reality. https://github.com/matrix-org/synapse/issues/1263

dngray commented 4 years ago

I wouldn't put the self-destructing message feature at a very high priority, since it is impossible to do well anyway. It's the same problem as with other types of DRM: the attacker and the intended recipient are the same.

:+1:

I expect if this becomes a feature in Matrix we will disable it for the public chat room. Very annoying and pointless to delete comments posted publicly; it provides absolutely no privacy when it's been indexed, cached, locally logged and possibly screenshotted by other users.

It's highly irritating when people set exploding messages on Keybase as we don't check that as frequently as Matrix. All it does is destroy the flow of conversation.

Public is public, if you don't want it public don't say it in public, people need to not get caught up in "message destruction" features and remember that.

Does Matrix encrypt those media uploads?

Yes, in encrypted rooms.

If so, it probably isn't a very big issue. Of course, if "forever" is long enough, the encryption might become obsolete and vulnerable to attacks.

This rule applies to any kind of cryptography no matter where it is.

There's also nothing stopping people from pasting a link to a file on a server they do control, or that they can delete, e.g. how we did in the days of IRC.

Mikaela commented 4 years ago

To clarify, I am missing self-destructing messages in private Matrix/Riot conversations, just like I have them in private Signal group/chats.

I am not personally using Signal for anything public and I don't view Signal suitable for public chats, as I am not willing to share my phone number and even more importantly it has no group moderation.

Also https://github.com/privacytoolsIO/privacytools.io/pull/1701 is the only answer I have to the offtopic conversation in this issue.

lrq3000 commented 4 years ago

Yes, and no, it's not really off topic. I'll clarify why tomorrow when I get access to a computer (but basically it's not centralized anymore on matrix.org because you can change or disable all servers, although messages are still indefinitely retained on the homeserver you chose, but there are discussions to change this; the issue is that this would add more metadata on e2e encrypted messages, so they need to figure out an elegant solution).


Mikaela commented 4 years ago

If I now installed Riot on a new device, would it tell me that other homeservers than Matrix.org exist or ask me which homeserver I want to use giving me choice of others than Matrix.org without deciding that I am an experienced/advanced user by entering a custom homeserver address?

lrq3000 commented 4 years ago

You would have to manually enter a custom server (and this can also be done later on). This was covered by other answers above; it's not an illegitimate thing for them to do commercially (it's not like Wire, who offered free accounts only to then become a paid-only service).

The thing is that with Riot, you can choose which server will store your messages, and you can still have access to the whole federated network. Whereas with Signal and others, you can't. I didn't check if the Signal server is open source, but even if it is and you self-host it, then you can't access other users on the main Signal server. Whereas here you can.

That's not to say that Riot should not have warnings or instructions to properly configure it to make it more secure. But out of all currently available messengers, it has one of the most decentralized designs, so if a warning about centralization is added, pretty much all other messengers will have it (including p2p ones such as Jami, which uses several servers to offer several services).


lrq3000 commented 4 years ago

@Mikaela To reply in more details, in your opening post, point 4 vector-im/riot-web#10696 is now done (I checked in the app, the integration manager can be disabled).

For the rest, I won't repeat myself, but yeah I agree Riot could do better in terms of decentralization by linking to a list of instances, instead of just showing an option to enter a custom homeserver address. But still, the possibility exists, and is not that hard to do, and there are pros and cons to using a custom server anyway, so for the lambda user, what matters more is E2EE by default and expiring messages IMO.

E2EE by default is being deployed right now as I wrote above.

For message expiration, I had to do a bit of research to track down the pertinent info, but it seems it's now implemented, both at the server level and room level, although not easily changeable (i.e., no button in the GUI in the room's options; you need to send a custom state event) because it's not yet part of the Matrix specification:

However, this is only true for messages, not for media, for which an issue was opened recently.

Also, about what you wrote in https://github.com/privacytoolsIO/privacytools.io/issues/1389#issuecomment-540826288:

I am also confused on how file uploads sent in a direct chat can be posted elsewhere as easily as by copying the URL, which to me hints that they aren't actually private.

I remember reading a GitHub issue on the riot or matrix repo about this indeed, where the devs were aware that encrypted media could be accessed by anyone with the handle because the media were not attached to a particular room or permission, and they were thinking about how to elegantly fix this while minimizing the addition of metadata. But unfortunately I can't find the issue where I read that; I will post it here if I ever stumble on it again.

Also, URL previews are a weak point that can be used to subvert E2EE, but they are disabled by default, and when enabling them in the options you get a warning.


TL;DR: I agree that messages and media retention should be mentioned in a warning. Centralization (or rather the proposition of matrix.org as the default homeserver) is not an issue that merits a warning I think, but it would be nice to add a sentence in the description to highlight that it is possible to use a custom server address (the best would be to link to a list of instances, such as this one or this one). I would also suggest warning about enabling URL previews as they can leak information/identity. It could be nice to mention it can work with Tor Browser.
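A worked illustration of the room-level retention policy mentioned in the comment above, added here as an example (it is not code from the privacytools.io thread, from Riot or from Synapse). The state event Synapse honours is `m.room.retention` (MSC1763), with lifetimes expressed in milliseconds, and a room policy is only honoured as written when retention is `enabled` in the homeserver's `homeserver.yaml` and the requested lifetime falls inside the server's `allowed_lifetime_min`/`allowed_lifetime_max` range. The sample server configuration values, the homeserver URL and the room id below are constructed, and the request is only built, not sent. As the comment notes, this purges message events, not uploaded media.

```python
# Added example, not from the thread or the Matrix/Synapse projects.
# Builds an m.room.retention room policy, checks it against a parsed
# Synapse `retention:` section, and prepares (without sending) the
# client-server API request that would set it on a room.
import json
from urllib.parse import quote

MS_PER_DAY = 24 * 60 * 60 * 1000

# Constructed sample of the `retention:` section of homeserver.yaml,
# already parsed into a dict. Values are illustrative, not a recommendation.
SAMPLE_SERVER_RETENTION = {
    "enabled": True,
    "default_policy": {
        "min_lifetime": 1 * MS_PER_DAY,
        "max_lifetime": 365 * MS_PER_DAY,
    },
    "allowed_lifetime_min": 1 * MS_PER_DAY,
    "allowed_lifetime_max": 365 * MS_PER_DAY,
}


def retention_event(max_lifetime_days, min_lifetime_days=None):
    """Content of an m.room.retention state event (lifetimes in ms).

    max_lifetime: events older than this may be purged by the server.
    min_lifetime: events younger than this must not be purged.
    """
    content = {"max_lifetime": int(max_lifetime_days * MS_PER_DAY)}
    if min_lifetime_days is not None:
        content["min_lifetime"] = int(min_lifetime_days * MS_PER_DAY)
    return content


def policy_within_server_limits(content, server_cfg):
    """True if the server will honour the room policy as written.

    A homeserver with retention disabled never purges, whatever the room
    says; one with an allowed range clamps policies that fall outside it,
    so a room admin should not assume a shorter lifetime than the server
    permits.
    """
    if not server_cfg.get("enabled"):
        return False
    max_lifetime = content.get("max_lifetime")
    if max_lifetime is None:
        return True  # nothing to enforce; server default applies
    lo = server_cfg.get("allowed_lifetime_min")
    hi = server_cfg.get("allowed_lifetime_max")
    if lo is not None and max_lifetime < lo:
        return False
    if hi is not None and max_lifetime > hi:
        return False
    return True


def state_event_request(homeserver, room_id, content):
    """Return (method, url, json_body) for setting the policy; nothing is sent.

    Uses the r0 client-server state endpoint with an empty state key,
    which is how a room-wide retention policy is addressed.
    """
    url = (
        f"{homeserver}/_matrix/client/r0/rooms/"
        f"{quote(room_id, safe='')}/state/m.room.retention"
    )
    return ("PUT", url, json.dumps(content))


if __name__ == "__main__":
    policy = retention_event(7)  # purge after one week
    ok = policy_within_server_limits(policy, SAMPLE_SERVER_RETENTION)
    method, url, body = state_event_request(
        "https://example.org", "!constructed:example.org", policy
    )
    print(method, url, body, "honoured" if ok else "NOT honoured")
```

The honesty check matters in practice: a room-level policy is a request to the homeserver, so a user on a server with `enabled: false`, or with a wider allowed range, gets no purge at all even though the room state advertises one. The same applies to every other homeserver participating in the room, which is why the thread treats retention as a warning-worthy property rather than a solved feature.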

lrq3000 commented 4 years ago

Ah well, they just added your issue on centralization on this month's todo list for their website changes.

lrq3000 commented 4 years ago

Also pre-redacted messages are deleted after 7 days now (I consider this linked with the messages retention issue).

lrq3000 commented 4 years ago

Ephemeral/self-destructing messages are also supported (but not for media; media seem to be a weak point of Matrix/Riot currently): https://github.com/matrix-org/synapse/pull/6409

PS: @Mikaela :

but I am not certain where they belong as we cannot promote Riot above Signal as they are in two different categories, centralized and federated.

My bad, I remembered Matrix being a mention instead of a featured suggestion, but I must have looked at an old version of the page. I am not suggesting that Matrix should be suggested above Signal; as you write, they are in different categories and suit different needs. It's fine to me like that, but I agree the description should be updated according to the issues you raised.

Mikaela commented 4 years ago

I wish this issue could focus on the actual issue which is the centralization, but

I would also suggest warning about enabling URL previews as they can leak information/identity. It could be nice to mention it can work with Tor Browser.

No, the URL previews are generated server-side by Synapse, and if you look into the logs of anything fetching a preview, you will see the homeserver address rather than the Riot address, so it doesn't matter. Or what information are you talking about?

lrq3000 commented 4 years ago

Or what information are you talking about?

This

Mikaela commented 4 years ago

Would you mind opening a new issue about that?

ian-tedesco commented 4 years ago

Session warns you about the same when you try to enable it.

lrq3000 commented 4 years ago

Riot also shows a warning now, so should we open an issue to mention this anyway or is it fine as long as the software warns about it itself?

blacklight447 commented 4 years ago

I would vote that the new in-software warning is good enough.

dngray commented 4 years ago

I'm going to close this now that it has been added to the 2020-02 milestone, https://github.com/matrix-org/matrix.org/issues/586; that's really the right place for it.