pmlnr | 6 years ago

I've been revisiting moving to self-hosted Matrix around every 4 months now for 2 years, and every single time I failed.
The reasons vary; initially Synapse refused to work, then I got stuck trying to set up a multi-domain service.
That said, this document verifies what I feared in the background: what Matrix offers as self-hosted is too simple to be true, and thus it's not surprising I never got it completely running.
XMPP has its own issues, but when I self-host it, it's there, nowhere else. No identity servers, no push servers, no Jitsi servers in the background.
It seems like I'm going to be with XMPP for a much longer time.

phicoh | 6 years ago

Matrix tries to do a lot more than XMPP. In my experience, people find XMPP too limiting, so they don't use it.

meruru | 6 years ago

I was pretty disappointed when I learned one of my contacts on Matrix was receiving my messages on his Gmail. That's a feature I would rather the client not even have, so people don't accidentally enable it. I hope it won't take too long for a more privacy-oriented client than Riot to appear. The best thing right now is MiniVector, which is a stripped-down Riot fork with fewer permissions required: https://github.com/LiMium/mini-vector-android

stevenicr | 6 years ago

Interesting concern. I'm thinking I'd like the various clients to alert me back, as a message sender, that the messages were being auto-forwarded to a non-secure place like Gmail. Of course, I think the option to turn off notifications should be possible on both ends.

masterfooo | 6 years ago

ugqtq | 6 years ago

You were pretty disappointed when you learnt that recipients of your messages can do whatever they want with them? And your solution is to remove the feature altogether?
How about removing the ability to copy text? Or the ability to take screenshots?

pdkl95 | 6 years ago

> The following stack will be used as reference, with users connecting via web, desktop and smartphone clients:
> Client: Riot-web v1.2.1, Riot Desktop v1.2.1, Riot Android v0.9.1
> Server: Synapse v1.0.0

Version numbers are probably sufficient in a general scientific setting. They are usually a precise reference to a specific piece of software; anyone attempting to replicate the investigation should be able to find their own copy of the software and have reasonable confidence their copy is identical.
Unfortunately, it might not be a good idea to trust that a version number consistently maps to a specific URL, or that a server will give the same file to everyone each time they ask for a URL. We know that sending different versions to different people is common ("A/B testing"). If you're investigating the security of something or worse: you suspect you might have sentient opponents actively trying to deceive you, then version numbers are no longer sufficient: you should also include cryptographic checksums! The only way you can know that the file you received is the same is if you have e.g. SHA-2 hashes as proof. Even better, if it's important, include the RIPEMD-160, SHA-1, CRC32, and any other available hash/checksum because why not add redundancy and give people options.

maxidorius | 6 years ago

Totally fair point, thank you for bringing it up. Given the numerous build types (source, pip, Debian packages, etc.), what would you suggest to do in this case? Give the git commit hash maybe?

masterfooo | 6 years ago

Thanks for the review. I feel like I gave them too much trust :(
Matrix devs, instead of battling the reviewer here, please make a proper blog post and explain what is really going on here. Tell us the truth about your data handling and the data retention.
The reviewer did his own share of work. If there are mistaken parts in his reporting, please correctly explain them in a civilized way in a possible blog post.
Thanks.

Arathorn | 6 years ago

Apologies if it seems like we're battling the reviewer; it's just that there is a bunch of stuff which is simply incorrect, which is frustrating. Did you see our PDF response, out of interest?

nfoz | 6 years ago

thenaturalist | 6 years ago

Much to improve.

maxidorius | 6 years ago

olliej | 6 years ago

Arathorn | 6 years ago

No, Riot/Mobile explicitly warns and prompts you to opt in if you try to discover contacts by email/phone number. It looks like this on Android:
"Riot needs permission to access your address book contacts to find other Matrix users based on their email and phone numbers. Please allow access on the next pop-up to discover address book users reachable from Riot."
That said, this analysis does have a few valid points in it, specifically:
* We should probably provide a click-thru when users interact with 3rd party identity lookup servers or integration managers
* We should hash contacts when doing bulk lookups
* Riot/Web has a bug where it talks to the integration manager too frequently (https://github.com/vector-im/riot-web/issues/5846)
* Notary servers should eventually be removed entirely (as per MSC1228).
However, most of the rest of it is alarmist and disproportionate FUD, plus the author has sadly forgotten to disclose that he's working on a hostile fork of Matrix. A point by point response is at https://matrix.org/~matthew/Response_to_-_Notes_on_privacy_a... fwiw (apologies for the PDF, but Google Docs doesn't seem to expose a read-only view of commented docs.)

unknown | 6 years ago

[deleted]

maxidorius | 6 years ago

We encourage anyone who already read the initial version to check out the revisions of it for new content or re-visit the document.

JonathanAntBro | 6 years ago

[deleted]

dngray | 6 years ago

[deleted]

unknown | 6 years ago

[deleted]

textfoo | 6 years ago

[deleted]

bitdefender001 | 6 years ago

[deleted]

RL_Quine | 6 years ago

incredimail | 6 years ago

[deleted]
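pdkl95's point above, that a version label such as "Riot-web v1.2.1" identifies a name but not the bytes you actually received, is easiest to see with a pinned-digest check. The following is an added example for this thread, not code from the Matrix project or from the article under review. The two byte strings are constructed stand-ins for two different builds that a download server could hand out under the same version label; the manifest is computed from those constructed bytes, not from any real Riot or Synapse release.

```python
"""Pin a software artifact by cryptographic digest, not by its version label.

Added example for this thread. BUILD_A and BUILD_B are constructed sample
bytes, not real release files; the manifest below is derived from them.
"""
import hashlib
import hmac
import zlib

# Constructed stand-ins for two builds served under one version label.
BUILD_A = b"riot-web v1.2.1 -- build A (constructed sample bytes)\n"
BUILD_B = b"riot-web v1.2.1 -- build B (constructed sample bytes)\n"


def digests(data: bytes) -> dict:
    """Return the checksums a reviewer could publish alongside a version.

    SHA-256 (a SHA-2 member) carries the actual security guarantee; SHA-1
    and CRC32 are kept only as redundant cross-checks, as pdkl95 suggests.
    RIPEMD-160 is omitted because hashlib does not expose it on every
    OpenSSL build.
    """
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
    }


def verify(data: bytes, pinned: dict) -> tuple:
    """Check data against every digest in a pinned manifest.

    Returns (ok, mismatches). Hex strings are compared in constant time.
    A manifest that pins no SHA-2 digest is rejected outright: CRC32 or
    SHA-1 alone do not give collision resistance against a deliberate
    substitution, so they cannot be the only thing the check rests on.
    """
    if "sha256" not in pinned:
        return False, ["manifest pins no SHA-2 digest"]
    actual = digests(data)
    mismatches = [
        name for name, expected in pinned.items()
        if name not in actual or not hmac.compare_digest(actual[name], expected)
    ]
    return not mismatches, mismatches


def version_label(data: bytes) -> str:
    """Extract the human-readable version label, which both builds share."""
    return data.split(b" -- ")[0].decode()


if __name__ == "__main__":
    manifest = digests(BUILD_A)  # what a reviewer would publish with the report
    print("label A:", version_label(BUILD_A), "| label B:", version_label(BUILD_B))
    print("build A verifies:", verify(BUILD_A, manifest))
    print("build B verifies:", verify(BUILD_B, manifest))
```

Both builds report the same version label, yet only the one whose bytes produced the manifest verifies. For maxidorius's follow-up question about multiple build types, the same approach applies per artifact: a git commit hash pins the source tree, while a digest of each distributed package (pip wheel, Debian package) pins what was actually shipped, and a report can list both.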
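Arathorn's bullet "We should hash contacts when doing bulk lookups" describes a change to what the client uploads during contact discovery. The following added example, which is not the Matrix project's protocol or code (Matrix's real hashed-lookup design is specified in its MSC process and differs in details), shows the shape of that change: the client hashes each address-book entry with a server-published pepper and uploads only digests, so the identity server matches against its own hashed user table without ever receiving a plaintext email address or phone number. The user table and address book are constructed sample data; the class and function names are this example's own.

```python
"""Hashed bulk contact lookup: what the client sends vs. what the server sees.

Added example for this thread, not the Matrix protocol. All names and
sample data below are constructed for illustration.
"""
import hashlib
import secrets


def canonicalise(medium: str, address: str) -> str:
    """Normalise an address so both sides hash the same string."""
    address = address.strip()
    if medium == "email":
        return address.lower()
    if medium == "msisdn":
        return "".join(ch for ch in address if ch.isdigit())
    raise ValueError(f"unknown medium {medium!r}")


def hash_address(medium: str, address: str, pepper: str) -> str:
    """SHA-256 over (address, medium, pepper); the pepper is server-published."""
    token = f"{canonicalise(medium, address)} {medium} {pepper}".encode()
    return hashlib.sha256(token).hexdigest()


class IdentityServer:
    """Hypothetical lookup service holding hashed (medium, address) -> user id."""

    def __init__(self, users):
        # Published to clients and rotated periodically; rotating it forces
        # anyone who stored old digests to start over.
        self.pepper = secrets.token_hex(16)
        self._index = {
            hash_address(medium, address, self.pepper): user_id
            for medium, address, user_id in users
        }
        self.received = []  # everything a curious operator could log

    def lookup(self, hashes):
        self.received.extend(hashes)
        return {h: self._index[h] for h in hashes if h in self._index}


def discover(address_book, server: IdentityServer) -> dict:
    """Client side: upload digests only, then map hits back to local contacts."""
    by_digest = {hash_address(m, a, server.pepper): (m, a) for m, a in address_book}
    hits = server.lookup(list(by_digest))
    return {by_digest[h]: user_id for h, user_id in hits.items()}


def server_saw_plaintext(server: IdentityServer, address_book) -> bool:
    """True if any canonical address appears verbatim in what the server logged."""
    raw = {canonicalise(m, a) for m, a in address_book}
    return any(item in raw for item in server.received)


# Constructed sample data: two registered users, a three-entry address book.
USERS = [
    ("email", "Alice@Example.org", "@alice:example.org"),
    ("msisdn", "+1 555 0100", "@bob:example.org"),
]
ADDRESS_BOOK = [
    ("email", "alice@example.org"),
    ("msisdn", "+1-555-0100"),
    ("email", "nobody@example.net"),
]


def run_demo() -> tuple:
    """Return (matches, leaked) for the constructed data."""
    server = IdentityServer(USERS)
    matches = discover(ADDRESS_BOOK, server)
    return matches, server_saw_plaintext(server, ADDRESS_BOOK)


if __name__ == "__main__":
    matches, leaked = run_demo()
    print("matched contacts:", matches)
    print("server saw plaintext addresses:", leaked)
```

The unmatched entry (nobody@example.net) reaches the server only as a digest, which is the improvement over uploading the raw address book. The limit of the technique is worth keeping in mind: phone numbers and common email patterns are low-entropy, so the operator of the identity server, who knows the pepper, can still recover many of them by hashing candidate values itself. Hashing raises the cost and stops incidental logging of plaintext; it is not a substitute for the opt-in prompt Arathorn quotes, nor for a private-set-intersection protocol where the server must learn nothing.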