About matrix and riot

Hardware Librem 5
62

Indeed amazing news! Congratulations @matthew

Can’t wait for a more stable version of Riot with better PP so that I could introduce it to friends. :heart:

2 Likes
63

I totally back this. I managed to get somehow most of my friends on Signal because I’m concerned about privacy, and Signal’s interface is simple enough for Average Joe.

I think the most important things to address for Matrix to gain traction are:

  1. Fix the privacy policy, because the early adopters and the most willing to give Matrix another chance when a changelog appears are people concerned with privacy
  2. Improve the UI, so the early adopters can bring in their family and friends along the way

Thanks for your great work :slight_smile:

2 Likes
64

I just managed to self-host some home server on a raspberry pi with yunohost, and will be able to serve a matrix-synapse node soon https://github.com/YunoHost-Apps/synapse_ynh. That + matrix on phone :slight_smile:

2 Likes
65

Signal has some privacy issues. And well, by starting my research here I understood that Signal has no intent fixing them. github link (Signal developer nickname: moxie0)

So again, I hope soon to jump ships and focus only on a single platform, the closest to my ideologies.

1 Like
66

In my understanding, the main concerns are:

  • Signal uses Google Cloud Messages to push notifications (while the notifications themselves are empty, it is “only” meta-data)
  • The Signal application has an auto-update mechanism that could allow silent replacement by a backdoored app

In a purely selfish way:

  • I currently have a phone with LineageOS and no GApps nor MicroG, which prevents Signal from being reached by GCM. My Signal app does active polling against Signal servers using websockets
  • I use Noise, the rebranded app built by Copperhead and distributed through F-Droid, which I think does not suffer the auto-update issue (to be confirmed).

m0xie has been known to be incredibly stubborn when confronted to privacy issues raised by users. More than 5 years in, and he still refuses to produce a 100% free build of Signal, which would allow it to be distributed by F-Droid. Moreover, he has stated that he wants a no opt-out feature of telemetry, so he can provide a quality app.

Long story short, the code is open source and anyone willing to put enough energy into it could fork Signal. I am one of the critics of m0xie for some aspects (the main concerns raised about Signal are valid in my opinion), but I do not have the time nor energy to fork it and provide an alternative.

To get back to the topic: as a heavy user of Signal, my hopes and expectations are very high about Matrix. I am willing to spend much time to test it and provide feedback, so a polished app could surface. This could be a total game changer for me.

4 Likes
67

Hi, I just found this interesting app called Ring. What is interesting in this open-source app is that it works P2P, with E2E encryption without any server.
If I understood well, the server is your phone/desktop. I know that this feature about Matrix is kind of vapourwave for the moment, but I would like to share anyway, maybe this can help to get such feature in Matrix :

1 Like
68

Given that running one’s own server for Matrix is not currently possible, is it better to use Conversations(XMPP)?

This is slightly off-topic: currently, I run my own Asterisk server and clients use SRTP+TLS. I believe I am only managing hop by hop encryption since the clients are behind a carrier grade NAT. Is there any way to get true end-to-end encryption using SIP? I hear ZRTP is the way to go but I’m not sure.

69

Given that running one’s own server for Matrix is not currently possible

?

is it better to use Conversations(XMPP)?

XMPP is it’s own bag of problems. Mostly revolving around E2E encryption, which requires a plugin to work (OTR) and federation of rooms with different servers.

70

Running one’s own matrix server is absolutely possible. What isn’t possible is running that server on your phone. But you can definitely run your own server.

71

So is this no longer true or am I missing something?

72

I believe that @matthew was referring to running a homeserver on a phone. That does not exist. Running your own homeserver on an actual always on computer has existed for a while now.

2 Likes
73

Now I know a bit more, what I am talking about, since I used Riot more intensively. I fortunately managed to bring the whole family to Matrix/Riot for testing (also even incredible WhatsApp Noops :slight_smile: )

From ease and usability point of view - of course this is also related to personal taste - I find it superior against Jabber
(It even convinced our ,Family-WhatsApp-Terrorist’ in using it daily, which already means something)
Also the reliability for me looks better than Jabber/XMPP. To be frank, I’d like to stay with Riot.

But there are still 2 major Points which bother me and which currently let me think staying at Jabber, accepting its disadvantages:

  • Why Matrix must stay with the creepy privacy policy ?
  • Why is it not possible for a Room-Owner, to fully and securely delete a complete Room ?

That looks pretty odd to me. I can throw out any member out of my rooms and can delete any single message - which is a lot of work and actually the same as if terminating and shutting down a room.
What is the strange idea sticking behind that ?

It looks a bit, as my data should be kept and as if it is the approach to make it a bit more complicated to stay the Master of my data …

74

ftr we’re currently working on rewriting our privacy policy and fixing the mess that we inherited there, thanks to the impulse provided by GDPR deadlines.

GDPR deadline - May 25

76

okay, I shut up :smile:

Can you also explain, why deleting rooms isn’t possible ?

77

Nope, but I’m sure one person out of 7.2k, will be able to answer you that https://riot.im/app/#/room/#riot:matrix.org

78

you can neither delete your own message, someone on matrix chat explained me, when you will revision/delete the message, this is not a MUST DO for the server, it’s just a request a server could ignore, and i don’t like it too, because this means, you have no control on your message, and if the room is on more servers, this means your message is spread across the servers room belong to

imho you should have a one click option “delete all my message on this room” and the single message delete to be really deleted

79

You can be interested in Matrix’s blog post about GDPR compliance and right to erasure.

The following paragraph is kind of interesting:

The key question boils down to whether Matrix should be considered more like email (where people would be horrified if senders could erase their messages from your mail spool), or should it be considered more like Facebook (where people would be horrified if their posts were visible anywhere after they avail themselves of their right to erasure).

80

From a technical standpoint how will this be implemented? Anybody could save a copy of your message on there own server or device. How will you ensure that a device actually deletes your messages?

You cannot force somebody else to delete your messages unless you use a DRM scheme. And obviously Matrix will not be implementing DRM.

1 Like
81

@thib thanks for the link is an interesting reading

@blendergeek
i understand how difficult is deal with this situation, i have no problem if one user inside a room take screenshot, it’s a “risk” when you write something to someone else, if i’m in a pubblic room i do not write or share personal data, but i could do it in private room, with trusted people, my concern is how server deal with it, maybe @matthew could say something about it, because i don’t know how the server manage messages, my kind of solution should be to make the server store all the message with encryption, so a malicious server admin or an hacker who gain the control of the server, do not have a clear text messages, and this is obviously good, then i’d like to implement in the matrix code when a owner of message click to delete the message, the server must delete it, another good option should be the autodelete, where you can send autodestroying messages

they should also make a stronger privacy policy with their server
for example

all messages are encrypted

when you press delete, the message is gone from the server

you can delete a chat room if you are the room admin, and all messages will be destroyed from server

no ip address logging

account information as user mail and password encrypted with hashing

i think the most people will use the matrix.org server for private conversations, with no other server who manage the room, and knowing your room and data belong just to matrix.org server with a strong privacy policy should also be a good solution

if is hard to technically implement something could be easyer to do it with privacy policy and configuration of their own server

82

It goes far beyond screenshots. In Matrix, rooms are distributed across many servers. Any person can run a homeserver. If you allow somebody from a different homeserver to connect to your room, the room is automatically mirrored to their server. Their server could then save logs even if the “delete” button is pressed. You CANNOT control somebody else’s server. That is the nature of federated communications.

Obviously, using E2E encryption will solve much of this. Home servers will then only have encrypted messages and will not have the contents of the messages themselves.

That could be in the specification for the home server software. However anybody can implement their own code and there is no way to verify that any specific homeserver follows the rules.

3 Likes