• 2 Posts
  • 7 Comments
Joined 2Y ago
cake
Cake day: Dec 25, 2021

help-circle
rss

This is a tricky question that can’t be answered on computers either even if you run Linux since the package manager can be compromised etc. In case of phones, best bet would be GrapheneOS with verified boot so there isn’t a chance it’d get infected.


The cloudflare concerns aren’t an issue as long as you run your own instance, or join one that doesn’t use cloudflare. There’s nothing requiring cloudflare built into the software or the protocol.

Yeah, but the vast majority of non-technical users don’t bother to change homeservers, or even clients, so it could affect them. What puzzles me is why the Matrix/Element team chose Cloudflare for app.element.io, (matrix.org uses LetsEncrypt), when CF aims to centralize the web and is a privacy nightmare. It’s more of an ethics thing, in my opinon. But sure, like I mentioned too, could be solved by switching homeservers/clients but the vast majority of users won’t bother.


Signal has done their fair share of shady things like not releasing the source code for a year to implement some cryptocurrency and the closed-source anti-spam program running on their servers, but that can be mitigated anyhow since Signal works without trusting the server. It’s far better than other alternatives, anyways.


Agreed here, but Matrix had centralized password verification for example, which is plain horrible. They’ve begun fixing things, but it’s still very much lacking.


Yeah, even with various patches, it’s still lacking.



Agreed, many people would like to use what they call “integrations” aka “bots” for those coming from Discord, which wouldn’t be unencrypted, and as you mentioned stickers. Signal/XMPP is my messenger of choice at the moment.


I don't trust Matrix.
This posts is a list of all the suspicious things Matrix/New Vector and Element (which is run by Matrix employees) have done. Crossposted to c/opensource from c/privacy. I want to start a civil discussion on this topic, if anyone has improvement ideas for the list or wants to debate one of the bullet points for removal, I'm all ears. ## Matrix - Matrix was created [inside of an Israeli Intelligence Corporation called Amdocs](https://web.archive.org/web/20201219014215/https://samba.noblogs.org/post/2018/08/27/matrix-org-a-federated-app-funded-by-a-mossad-company/). - Matrix [leaks lots of metadata](https://gitlab.com/libremonde-org/papers/research/privacy-matrix.org), in many cases not fixed to date. The homeserver can and does store lots of metadata. - Even if you run your own instance, it still sends [data](https://gitlab.com/libremonde-org/papers/research/privacy-matrix.org/-/blob/master/part1/README.md) to the main homeserver. ## The Cloudflare Situation All research on the Cloudflare situation is done by me. If you check the SSL Certificate for https://element.io you'll see it's by Cloudflare. Cloudflare has [MANY](https://git.disroot.org/dCF/deCloudflare) privacy issues, and just wanting to centralize the web. The Element client is the most used client, with many users using the [default instance](https://app.element.io), because it's easy or they want to simply join their friends or a community on Matrix easily. This comes as worrying because [Cloudflare decrypts TLS traffic](https://git.disroot.org/dCF/deCloudflare/media/branch/master/image/cfhelp204144518.jpg) and this is even more worrying because [Cloudflare is a honeypot](https://git.disroot.org/dCF/deCloudflare/media/branch/master/image/dhssaid.jpg). Even if Cloudflare cannot decrypt anything because of the Matrix protocol encrypting them beforehand, lots of metadata in the message itself is send over plaintext like who you're talking with, channel name etc. (and this is excluding the metadata leaks that Matrix has to the main homeserver and in general). Of course, this could be mitigated by using Element on another instance that isn't behind Cloudflare, but the average user will not know to do that or even understand the concept of federation and decentralization. Cloudflare's CDN can be used without using their SSL certificate which just backdoors your site, so why is Element using it? Element is run by the same people that are behind matrix.org (mostly), so they know how to do basic privacy features. Even if we assume there's no ill intent here, Cloudflare just wants to centralize the web (~30% of SSL traffic goes through Cloudflare, ~80% of CDN traffic goes through Cloudflare), which is obviously against Matrix's mission of decentralized communication. Through Cloudflare, an adversary with ill intention could target a Matrix user and be susceptible to metadata collection. The CIA & NSA admitted that they [kill people by gathering and using metadata](https://www.justsecurity.org/10318/video-clip-director-nsa-cia-we-kill-people-based-metadata/). I've took this argument in the official Matrix channels, and no one has been able to properly respond to the arguments presented. Though, they were only members, no admins were involved. If anyone wants to bring these issues forth to the official Matrix admins, I'd be more than glad to help. Thanks for reading!
fedilink

I don't trust Matrix.
This posts is a list of all the suspicious things Matrix/New Vector and Element (which is run by Matrix employees) have done. Crossposted to c/Open Source I want to start a civil discussion on this topic, if anyone has improvement ideas for the list or wants to debate one of the bullet points for removal, I'm all ears. ## Matrix - Matrix was created [inside of an Israeli Intelligence Corporation called Amdocs](https://web.archive.org/web/20201219014215/https://samba.noblogs.org/post/2018/08/27/matrix-org-a-federated-app-funded-by-a-mossad-company/). - Matrix [leaks lots of metadata](https://gitlab.com/libremonde-org/papers/research/privacy-matrix.org), in many cases not fixed to date. The homeserver can and does store lots of metadata. - Even if you run your own instance, it still sends [data](https://gitlab.com/libremonde-org/papers/research/privacy-matrix.org/-/blob/master/part1/README.md) to the main homeserver. ## The Cloudflare Situation All research on the Cloudflare situation is done by me. If you check the SSL Certificate for https://element.io you'll see it's by Cloudflare. Cloudflare has [MANY](https://git.disroot.org/dCF/deCloudflare) privacy issues, and just wanting to centralize the web. The Element client is the most used client, with many users using the [default instance](https://app.element.io), because it's easy or they want to simply join their friends or a community on Matrix easily. This comes as worrying because [Cloudflare decrypts TLS traffic](https://git.disroot.org/dCF/deCloudflare/media/branch/master/image/cfhelp204144518.jpg) and this is even more worrying because [Cloudflare is a honeypot](https://git.disroot.org/dCF/deCloudflare/media/branch/master/image/dhssaid.jpg). Even if Cloudflare cannot decrypt anything because of the Matrix protocol encrypting them beforehand, lots of metadata in the message itself is send over plaintext like who you're talking with, channel name etc. (and this is excluding the metadata leaks that Matrix has to the main homeserver and in general). Of course, this could be mitigated by using Element on another instance that isn't behind Cloudflare, but the average user will not know to do that or even understand the concept of federation and decentralization. Cloudflare's CDN can be used without using their SSL certificate which just backdoors your site, so why is Element using it? Element is run by the same people that are behind matrix.org (mostly), so they know how to do basic privacy features. Even if we assume there's no ill intent here, Cloudflare just wants to centralize the web (~30% of SSL traffic goes through Cloudflare, ~80% of CDN traffic goes through Cloudflare), which is obviously against Matrix's mission of decentralized communication. Through Cloudflare, an adversary with ill intention could target a Matrix user and be susceptible to metadata collection. The CIA & NSA admitted that they kill people by gathering and using metadata. I've took this argument in the official Matrix channels, and no one has been able to properly respond to the arguments presented. Though, they were only members, no admins were involved. If anyone wants to bring these issues forth to the official Matrix admins, I'd be more than glad to help. Thanks for reading!
fedilink