Closed Mikaela closed 4 years ago
@lampholder Could you also comment on these issues?
(Good night, it's 02 AM for me)
Sorry I missed this earlier - I will take a look and come back with responses as soon as I can.
Hi @Mikaela,
Sorry I'm only just getting to this now. Can I check what this list of issues represents to you?
In the interests of providing some hopefully useful feedback now, I'm going to assume that this list represents the set of issues you would like to see addressed in Riot/Matrix for you to be wholly comfortable with its inclusion in privacytools' set of recommended services. I'll assume that they aren't all equally weighted, but I won't worry about relative priorities for now.
First up - the ones I can handle off the top of my head. These issues are part of the current privacy work:
As for open sourcing the scalar integration manager (vector-im/riot-web#7757 - Open source the integrations server WONTFIX) we have no plan to do this today, but we are making it clearer and easier for users to control which Integrations Manager they use, and there's also Dimension which can be used as an open source alternative. Hopefully this mitigates our not having a plan to open source Scalar?
Some of the others weren't high on my agenda - I wouldn't want to consider exif stripping, private contact discovery and sticker encryption until we've got cross-signing working in Riot so that E2E encryption is finally as user friendly as it needs to be. If they're blockers to your recommending our service, though, I can make sure that is at least kept in mind as we schedule future work.
The remaining items I'll have to check the status on tomorrow (it's gotten a little later than I planned). I'll be in touch ASAP with an update.
In the interests of providing some hopefully useful feedback now, I'm going to assume that this list represents the set of issues you would like to see addressed in Riot/Matrix for you to be wholly comfortable with its inclusion in privacytools' set of recommended services. I'll assume that they aren't all equally weighted, but I won't worry about relative priorities for now.
You are correct, however I wouldn't consider some issues like the exif metadata scrubbing essential for listing Riot, since, as far as I am aware, nothing else is doing that either. The ordering could be considered random as it's based on what I picked from other issues and then tried to search for issues based on other discussions, so towards the end it's in order of newest reported on your issue tracker.
we are making it clearer and easier for users to control which Integrations Manager they use, and there's also Dimension which can be used as an open source alternative. Hopefully this mitigates our not having a plan to open source Scalar?
I find it acceptable, especially with an open source alternative existing, as opposed to the current situation where an average user doesn't even know they are using Scalar. my previous comment at prism-break
Some of the others weren't high on my agenda
In my opinion the most important issue from those I listed would be actually removing removals (https://github.com/matrix-org/synapse/issues/1287) and allowing data to expire (https://github.com/matrix-org/matrix-doc/issues/447). (As you can see I started replying without reading your comment entirely at first)
There are also the issues raised by muppeth, do you have an issue number for them?
The remaining items I'll have to check the status on tomorrow (it's gotten a little later than I planned). I'll be in touch ASAP with an update.
Thank you in advance and good night. I will try to sort the list better tomorrow.
This is very interesting ( +1 )
Just to be clear, Synapse isn't the only way to implement Matrix. There are also homeservers like Ruma.
Matrix is just a protocol, lots of ways to use it!
Plus, you can always change your homeserver for most clients.
Therefore it may not be necessary for privacytools.io to host a full client like Riot-Web.
-
not to say it wouldn't be convenient tho.
I think I got the list in a more clear order now.
Just to be clear, Synapse isn't the only way to implement Matrix. There are also homeservers like Ruma.
Has Ruma had stable releases yet? While it could fix some issues with Synapse, I don't think it helps very much with some issues like https://github.com/matrix-org/synapse/issues/1287 while the federation includes Synapses that are doing that.
Plus, you can always change your homeserver for most clients.
Yes, however identity server is currently not changeable after logging in (and yesterday I missed it entirely in login, if it even was there in RiotX) and currently integration server existing is not even told to the user being an option only a selfhoster can change.
ISs can and should be blocked if privacy is desired. IS is not needed for a Matrix chat client to function correctly (I think). See also: https://github.com/LiMium/mini-vector-android/issues/26.
Yes, however identity server is currently not changeable after logging in (and yesterday I missed it entirely in login, if it even was there in RiotX)
https://github.com/vector-im/riotX-android/issues/20
they don't want people to change it.
Thanks, there we have another issue to add to this tracking.
Plus, you can always change your homeserver for most clients.
I know, many users dislike them; However, even Purism seems to have acknowledged web based apps are no longer a first priority: https://shop.puri.sm/librem-one-thanks/
they don't want people to change it.
Hey - I just wanted to highlight that the ability to change Identity Servers after having logged in is on the roadmap for the current privacy sprint, across all clients. If you would like to see the plan and track its progress you can follow along here: https://vector-im.github.io/feature-dashboard/#/plan?label=privacy-sprint&repo=vector-im%2Friot-web&repo=vector-im%2Friot-ios&repo=vector-im%2Friot-android&repo=vector-im%2FriotX-android&repo=matrix-org%2Fmatrix-doc&repo=matrix-org%2Fsydent
(this tool just pulls issues with the same labels from across the myriad repos this work spans; you can find all the same stuff by searching each github repo manually).
Edit: Also, what is IS?
identity server. Sorry, I shouldn't have written it short right away.
to change Identity Servers after having logged
Why not at login? As it is now possible in the riot android (not riotx)?
Why not at login? As it is now possible in the riot android (not riotx)?
I'm hoping we can get rid of references to identity servers at login entirely, and just have them configured by the user in user settings after they've logged in (so identity server is a configurable property of the account, rather than the session).
Once the current work has landed, no data will be processed by any identity server until the user has explicitly accepted the terms and conditions, so from a data processing standing I think it's fine to drop it from registration/login. I think it feels a lot more natural from an average user's perspective, too.
This does present a slightly tricky UX problem of how we handle the idea of a 'default' identity server, though I think that's fine, too - default identity servers can be set at the client level or in the .well-known, and all that will mean is that the default identity server is the one that your client will prompt you to accept the terms and conditions of if and when you try and do something identity-servery (e.g. invite by email or publicly link your mxid with your email).
We might want to maintain separate identity server choice states for this - i.e. "don't use an identity server" as distinct from "this is the identity server I would use, but I won't send it any data because I haven't accepted its terms and conditions". Even though they're materially the same (from a data processing perspective), it would be nice for people to feel like they're not at risk of accidentally accepting the terms and conditions of an identity server they don't want to use.
Hi all,
I've updated some of the relevant issues to get them into our privacy project tracking tool. I've tried to summarise clearly:
phase:1
phase:2
- this is not to assign it lower priority than the other issues, rather it is to say that there are more hurdles to completing this (getting the MSC agreed primarily) so we're not exactly sure when it will land
Thanks for the update,
vector-im/riot-web#7649 is being addressed by matrix-org/matrix-doc#2134
I added matrix-org/matrix-doc#2134 with a slash.
If this is a hard blocker for a privacytools recommendation then I understand, though are you are able to recommend alternative homeservers/self hosting instead?
I am not sure as I don't think anyone (in the team or commenting actively) is checking for Cloudflared domains and in privacytoolsIO/privacytools.io#1054 (ICANNnet DNS servers) half of the suggestions are using Cloudflare. I think a bigger issue would be Riot not exposing the default homeserver matrix.org by default, do you have an issue tracking it? From that issue I also get the impression that you have a wish to shut down the Matrix.org homeserver (https://github.com/matrix-org/matrix.org/issues/342#issuecomment-468958754) which I imagine would resolve these issues unless you would replace it with another homeserver that is suggested by default unless the user knows to click advanced/additional/similar settings.
Personally my main concerns with Cloudflare is
I understand this to mean that Cloudflare can one way or another read all traffic going through Matrix.org, including IRC users who have never even heard of Matrix if someone happens to use Matrix on the same IRC channel? Matrix.org is quite big compared to an individual Cloudflaring their IRC client; I have heard a number of 1500 connections associated with an I-line request from a third party bridge admin.
I think a bigger issue would be Riot not exposing the default homeserver matrix.org by default, do you have an issue tracking it?
I think there might be crossed wires here - the queued up privacy work has a few items to better highlight the default identity server and integration manager, but the default homeserver is already pretty well highlighted:
and
Or do you mean Riot's not highlighting that the default homeserver is behind cloudflare?
Your screenshots look good to me (other than not mentioning the identity server), but they seem to be from Riot Desktop, while the currently recommended Riot Android app looks like this:
I have misremembered or am thinking of an older version which had advanced settings, while currently there is "edit server settings" and I don't see matrix.org/vector.im mentioned without checking it, even if I click login.
I am currently not able to get Riot X login screen as I don't want to regenerate keys yet again.
Oh, yes - I'm Delivery Manager for Riot Web, so I sometimes have something of a Riot Web bias, sorry.
It would be better if the mobile apps made it clearer you were logging into/registering on matrix.org, though of course users registering on matrix.org will be sent past the matrix.org terms and conditions before that registration is completed.
I'll make an issue for this, too.
I am currently not able to get Riot X login screen as I don't want to regenerate keys yet again.
Key backup works on Riot X, so you could back your keys up to save regenerating. The backups are encrypted locally and stored on the homeserver encrypted (without the homeserver ever having access to the encryption key).
I'll make an issue for this, too.
Please give the link here when you are done.
Key backup works on Riot X, so you could back your keys up to save regenerating. The backups are encrypted locally and stored on the homeserver encrypted (without the homeserver ever having access to the encryption key).
Doesn't this however give me a separate device ID and fingerprint that I would need to reverify with people again?
I have misremembered or am thinking of an older version which had advanced settings, while currently there is "edit server settings" and I don't see matrix.org/vector.im mentioned without checking it, even if I click login.
This is fixed in https://github.com/LiMium/mini-vector-android (https://github.com/LiMium/mini-vector-android/pull/27): Custom options is checked by default and the Identity server is set to localhost.
Yes, however identity server is currently not changeable after logging in (and yesterday I missed it entirely in login, if it even was there in RiotX)
they don't want people to change it.
@afonari There is massive confusion about this - the reason RiotX didn't expose UI for configuring the identity server is that it does not yet implement any identity functionality(!) The default setting was hanging around the codebase unused, and got removed in https://github.com/vector-im/riotX-android/pull/446.
@ara4n This is great news, thanks! Hopefully, if it is added back, it will be changeable from the GUI.
of course! this has always been the plan.
Please give the link here when you are done.
Riot iOS: https://github.com/vector-im/riot-ios/issues/2614 RiotX: https://github.com/vector-im/riotX-android/issues/450 (issue already closed, RiotX actually shows the default homeserver already) Riot Android: https://github.com/vector-im/riot-android/issues/3238 - not sure we'll actually want to make the changes to Riot Android - it depends how quickly we can replace Riot Android with RiotX.
Doesn't this however give me a separate device ID and fingerprint that I would need to reverify with people again?
Sorry, yes it does. As an aside, cross signing will solve this problem and is very much inbound - the backend support is basically complete (but there's still a lot of UX to do yet).
Hi, I am not sure where this would be the most topical, but have you had time to see and read The Metadata Trap? It's very long, but interesting and included some suggestions that even Signal doesn't do yet, mainly
It’s not enough that these apps encrypt messages. They also need to do better at promptly deleting data that’s no longer needed. End-to-end encryption protects messages as they travel from one phone to another, but each phone still has a copy of the plain text of all these messages, leaving them vulnerable to physical device searches. Disappearing messages features are a great start, but they need to be improved. Users should have the option to automatically have all their chats disappear without having to remember to set disappearing messages each time they start a conversation, and they should be asked if they’d like to enable this when they first set up the app. And when all messages in a conversation disappear, all forensic traces that a conversation with that person happened should disappear too.
Are you thinking or going to think about it, or is it out-of-scope (if you are focusing more on team chat and bridging, but I guess it would be a nice addition to E2EE-by-default-private-chats though)?
If you are following this repository you may already have seen https://github.com/privacytoolsIO/privacytools.io/issues/1134 where I have been wondering how other instant messengers treat this and linking to their issues.
vector-im/riot-web#4426 - riot does not scrub exif data from upload
I don't think anything else does this either, please correct me.
Discord does or used to do this.
https://github.com/LiMium/mini-vector-android/pull/32 was merged into mini-vector for android. I think this removes all the integrations. @maxidorius based on your research are there any other "hidden" integrations in the riot-android?
@afonari There are others like the Integration manager. I didn't dig into android specifically, but from network activity I saw, the identity server is the tip of the iceberg, as being the only configurable item.
Max, they exposed quite a few in the config.xml: https://github.com/vector-im/riot-android/blob/develop/vector/src/main/res/values/config.xml
I searched for "vector.im" in the riot-android repo, I couldn't find anything that it is leaking except those from the config.xml.
See https://matrix.org/blog/2019/09/27/privacy-improvements-in-synapse-1-4-and-riot-1-4, which solves many of the issues touched on in the OP.
so, do you guys have an estimated release date for e2ee other than Soon™ (which has been its status for what, 2 maybe 3 years now?)
@ara4n I can still reproduce https://github.com/privacytoolsIO/privacytools.io/issues/1338 with Riot-web 1.4. My config is:
{
  "default_server_config": {
    "m.homeserver": {
      "base_url": "https://chat.privacytools.io",
      "server_name": "chat.privacytools.io"
    },
    "m.identity_server": {
      "base_url": "https://chat.privacytools.io"
    }
  },
  "disable_custom_urls": false,
  "disable_guests": false,
  "disable_login_language_selector": false,
  "disable_3pid_login": false,
  "brand": "Riot",
  "integrations_ui_url": "https://chat.privacytools.io/",
  "integrations_rest_url": "https://chat.privacytools.io/api",
  "integrations_widgets_urls": [
    "https://chat.privacytools.io/_matrix/integrations/v1"
  ],
  "integrations_jitsi_widget_url": "https://chat.privacytools.io/api/widgets/jitsi.html",
  "bug_report_endpoint_url": "https://riot.im/bugreports/submit",
  "defaultCountryCode": "GB",
  "showLabsSettings": false,
  "features": {
    "feature_pinning": "labs",
    "feature_custom_status": "labs",
    "feature_custom_tags": "labs",
    "feature_state_counters": "labs"
  },
  "default_federate": true,
  "default_theme": "light",
  "roomDirectory": {
    "servers": [
      "matrix.org"
    ]
  },
  "welcomeUserId": false,
  "piwik": false,
  "enable_presence_by_hs_url": {
    "https://matrix.org": false
  }
}
@afonari Homeservers like Synapse used to require an identity server for some operations such as adding an email. This has been fixed as part of the privacy work, but it requires both Riot 1.4 and Synapse 1.4. Synapse 1.4 is not yet released (currently in RC), so I am guessing it is not used on the privacytools.io HS yet. You can test HS support on matrix.org which includes the latest server changes if you’d like to check it out.
@jryans can you please clarify. When I add an email address from riot web 1.4 running on localhost with HS pointing to somehost1.org and IS pointing to somehost2.org, where does this request go?
Homeservers like Synapse used to require an identity server for some operations such as adding an email.
Maybe this means that my request goes to the HS and then HS creates a request to vector.im identity server?
@jryans can you please clarify. When I add an email address from riot web 1.4 running on localhost with HS pointing to somehost1.org and IS pointing to somehost2.org, where does this request go?
Riot 1.4 behaves differently when adding an email to your HS account depending on whether the HS supports the new privacy changes, currently part of Synapse 1.4.
If your HS is older (without privacy work), then Riot passes the selected IS to the HS and the HS talks to IS on your behalf to trigger the email.
If your HS includes privacy work (such as Synapse 1.4), then the IS is not involved at all. The HS handles email validation internally (or chooses to delegate email sending elsewhere and should be explained in the privacy policy of that HS).
If your HS is older (without privacy work), then Riot passes the selected IS to the HS and the HS talks to IS on your behalf to trigger the email.
Yes, I can see that:
POST to https://chat.privacytools.io/_matrix/client/r0/account/3pid/email/requestToken
What I don't understand is, how it is possible for IS to send email if IS is set to localhost (non existent IS, which is confirmed by the yellow warning at the login page). IS is set using:
"m.identity_server": {
  "base_url": "https://chat.privacytools.io"
}
Identity server is not being picked up from these settings. In the Help & About it says:
Advanced
Homeserver is https://chat.privacytools.io
Identity Server is https://vector.im
Access Token: <click to reveal>
What I don't understand is, how it is possible for IS to send email if IS is set to localhost (non existent IS, which is confirmed by the yellow warning at the login page). IS is set using:
"m.identity_server": { "base_url": "https://chat.privacytools.io" }
This bit of Riot config is only a default IS suggested to users of that Riot install. Each user can pick a different IS or use no IS at all. You should check the General tab of Settings which allows editing the current IS to see what value is currently used. The user’s chosen IS overrides the default from Riot config.
It’s possible you’ve hit a bug that only occurs when setting the IS to some unreachable server? If so, it would be great to have a Riot issue with more detail on the steps you are taking so we can fix that edge case.
Anyway, this is all a legacy path for an old HS, so you should move to Synapse 1.4 once available, as it won’t need the IS for these flows, which seems like what you want to achieve anyway. 😄
@jryans thanks for the explanations.
Linking another privacy case: https://github.com/vector-im/riot-web/issues/10696
It’s possible you’ve hit a bug that only occurs when setting the IS to some unreachable server? If so, it would be great to have a Riot issue with more detail on the steps you are taking so we can fix that edge case.
@jryans Possibly. This is a problem I noticed on my personal account and have since confirmed with a couple people. It seems like when Riot encounters an invalid IS it appears to default to Vector.im. This is something I did not realize until this latest update where the IS is clearly displayed in settings.
I would really like to see @joepie91's suggestion at https://github.com/matrix-org/matrix-doc/pull/2284#discussion_r321686114 implemented ASAP so we can clearly recommend to our users to not use an IS at all as opposed to setting the IS field to some invalid link which is a hacky workaround (and also does not appear to work, although I was advised by @maxidorius that setting it to a blank string also doesn't seem to work, so I don't know if there is any way to disable the IS by default currently).
@JonahAragon Recent changes in Riot code regarding auto-discovery made this quite complex. I would be very cautious with any approach you take and be sure to test it beforehand.
@jryans Possibly. This is a problem I noticed on my personal account and have since confirmed with a couple people. It seems like when Riot encounters an invalid IS it appears to default to Vector.im. This is something I did not realize until this latest update where the IS is clearly displayed in settings.
As far as the Riot core team is aware, when using Riot 1.4+ together with Synapse 1.4+, there should not be any case where Riot is defaulting back to https://vector.im as an IS.
If the Riot admin has supplied a default IS in Riot's config or if the HS admin has supplied a default IS in .well-known, then Riot will display that IS in Settings, but no user data is sent until the user has agreed terms.
If the Riot config supplies an invalid IS such as:
"default_server_config": {
  "m.homeserver": {
    "base_url": "https://chat.privacytools.io"
  },
  "m.identity_server": {
    "base_url": "https://dev.null"
  }
},
then Riot will display that IS in Settings (just like a real, working IS) and attempt to contact it to request terms, but that will of course fail.
If the HS .well-known supplies an invalid IS, we do hit the issue that https://github.com/matrix-org/matrix-doc/pull/2284 is aimed at, as currently Riot would fail on registration in that scenario, but really it should change to a warning only and behave like the previous case where the invalid IS appears in Settings but fails on use.
If both the Riot config and HS .well-known do not configure any IS, then a new account will not have any associated IS. (This appears to achieve your goal as I understand it.)
If you or others are observing behaviour different from the above, then it sounds like a bug, and the Riot team would greatly appreciate an issue describing it so we can resolve the problem. 😄
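The comment above names two places a default identity server can come from, Riot's config.json (`default_server_config.m.identity_server.base_url`) and the homeserver's `/.well-known/matrix/client`, and says that an account gets no IS only when neither sets one. As an added example (not code from Riot or from anyone in this thread), the Python audit below reads both documents and reports what each sets; the document shapes follow the page, the sample inputs are constructed, and the URL checks are syntactic only, so a well-formed but non-existent host like `https://dev.null` passes them.

```python
import json
from typing import Any, Dict, List, Optional
from urllib.parse import urlsplit

# Assumed document shapes (as shown in this thread): Riot's config.json keeps its
# suggested servers under default_server_config.{m.homeserver,m.identity_server}.base_url;
# the homeserver's /.well-known/matrix/client uses the same two keys at top level.


def is_from_riot_config(config: Dict[str, Any]) -> Optional[str]:
    """Default identity server a Riot install suggests to its users, or None."""
    url = (config.get("default_server_config", {})
                 .get("m.identity_server", {})
                 .get("base_url"))
    return url if isinstance(url, str) else None


def is_from_well_known(well_known: Dict[str, Any]) -> Optional[str]:
    """Default identity server the homeserver advertises via .well-known, or None."""
    url = well_known.get("m.identity_server", {}).get("base_url")
    return url if isinstance(url, str) else None


def url_problems(url: str) -> List[str]:
    """Syntactic checks only: they cannot tell whether the host exists or responds."""
    parts = urlsplit(url)
    problems: List[str] = []
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if not parts.hostname:
        problems.append("no hostname")
    elif parts.hostname in ("localhost", "127.0.0.1", "::1"):
        # A loopback base_url resolves to each user's own machine, not to any server.
        problems.append("loopback host: points at the user's own machine, not a server")
    return problems


def audit_default_is(config: Dict[str, Any], well_known: Dict[str, Any]) -> Dict[str, Any]:
    """Summarise which default IS (if any) each source configures, without deciding precedence."""
    riot_is = is_from_riot_config(config)
    wk_is = is_from_well_known(well_known)
    report: Dict[str, Any] = {
        "riot_config_is": riot_is,
        "well_known_is": wk_is,
        # The state the thread describes as "a new account will not have any associated IS".
        "no_default_is": riot_is is None and wk_is is None,
        # Both sources set one but not the same; the admin should reconcile them.
        "sources_disagree": (riot_is is not None and wk_is is not None
                             and riot_is.rstrip("/") != wk_is.rstrip("/")),
        "problems": {},
    }
    for source, url in (("riot_config", riot_is), ("well_known", wk_is)):
        if url is not None and url_problems(url):
            report["problems"][source] = url_problems(url)
    return report


# Constructed samples: the thread's config with its default IS, one with the
# unreachable IS quoted above, one pointing at localhost, and one with no IS at all.
RIOT_CONFIG_PTIO = json.loads('{"default_server_config": {'
                              '"m.homeserver": {"base_url": "https://chat.privacytools.io"},'
                              '"m.identity_server": {"base_url": "https://chat.privacytools.io"}}}')
RIOT_CONFIG_DEVNULL = {"default_server_config": {"m.identity_server": {"base_url": "https://dev.null"}}}
RIOT_CONFIG_LOCALHOST = {"default_server_config": {"m.identity_server": {"base_url": "https://localhost"}}}
RIOT_CONFIG_NO_IS = {"default_server_config": {"m.homeserver": {"base_url": "https://chat.privacytools.io"}}}
WELL_KNOWN_NO_IS = {"m.homeserver": {"base_url": "https://chat.privacytools.io"}}
WELL_KNOWN_VECTOR_IS = {"m.homeserver": {"base_url": "https://chat.privacytools.io"},
                        "m.identity_server": {"base_url": "https://vector.im"}}

if __name__ == "__main__":
    for name, cfg, wk in (("ptio", RIOT_CONFIG_PTIO, WELL_KNOWN_NO_IS),
                          ("devnull", RIOT_CONFIG_DEVNULL, WELL_KNOWN_NO_IS),
                          ("localhost", RIOT_CONFIG_LOCALHOST, WELL_KNOWN_VECTOR_IS),
                          ("none", RIOT_CONFIG_NO_IS, WELL_KNOWN_NO_IS)):
        print(name, json.dumps(audit_default_is(cfg, wk)))
```

Point it at a real deployment by loading the served config.json and the homeserver's `/.well-known/matrix/client` in place of the constructed samples; a `no_default_is` of true is the configuration the comment above describes for accounts that should start with no identity server.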
Why was this closed, @Mikaela? Are all the problems fixed?
Why was this closed, @Mikaela? Are all the problems fixed?
because @JonahAragon thought in privacytoolsIO/privacytools.io#1392 (which dngray and I approved before I merged it) that it/relisting resolves this issue. For the discussion that led me to approve it in the end, see https://github.com/privacytoolsIO/privacytools.io/issues/1389.
I am content with leaving this closed as there is that upstream privacy tracker and I am not following everything happening there and don't have the capability of keeping this up-to-date, and would consider https://github.com/privacytoolsIO/privacytools.io/issues/1395 as the successor.
Host Dimension instead of relying on vector.im
I know I said I wasn't going to do this, but I'm going to do this. I was actually going to do it tonight, but it took me too long to setup a homeserver (even though I've done it like 5 different times before), so I'll actually setup Dimension tomorrow 😴
I agree with @PopeRigby, I think this should stay open. There are many unresolved issues.
One important issue is https://github.com/vector-im/riot-web/issues/10696: Allow users to disconnect from an integration manager entirely in the same way that we support doing this for identity servers.
@privacytoolsIO/editorial Are there volunteers on keeping this up-to-date?
I will move that to privacytoolsIO/privacytools.io#1395, while another option would be to not use Riot as I think it's the only client that implements an integration manager.
chat.privacytools.io/selfhosted instance issues
Check boxes as they are fixed on PTIO
https://github.com/vector-im/riot-web/issues/7711
https://github.com/vector-im/riot-web/issues/6930
WONTFIX
Upstream privacy issues
major
Privacy issues that I think prevent PTIO listing:
matrix-org/synapse#1287 - actually removing removed messages from the database
fixed
major privacy issues also with selfhosting
I consider these as major due to Cloudflare as the traffic to integration manager and identity server would go through it and so would all messages assuming the user federated with Matrix.org. These may be irrelevant to user who is on Matrix.org.
medium
I need a better word here, but these would be issues that also affect other recommended instant messengers and may not be a blocker.
nice to have
unsorted / note
WONTFIX
https://github.com/vector-im/riotX-android/issues/450
Research papers
Notes on privacy and data collection of Matrix.org
Notes on privacy and data collection of Matrix.org, Part 2
These issues are mostly taken from privacytoolsIO/privacytools.io#840; if you are aware of reported issues that aren't listed here, please do comment them and someone from the team will edit this issue and add them.
I was personally missing a list of things that can be done today to avoid the privacy issues that Matrix/Riot currently has and this may be helpful while considering the delisting (#1047).