Post A7ZEcgjbpPDkXQuYNc by Ninjatrappeur@social.alternativebit.fr
 (DIR) Post #A7QtmbTLWHu8rsCTLM by Ninjatrappeur@social.alternativebit.fr
       2021-05-20T06:55:00.420154Z
       
       2 likes, 4 repeats
       
       Privacy-wise, Matrix is worse than Slack for public rooms.
       
       Don't hit respond yet, read further.
       
       With this whole freenode mess, some of the online communities I'm part of moved to Matrix. Despite how much I personally love IRC (that's top-notch privacy-wise for public rooms), I have to admit the overall Matrix UX is an order of magnitude better and more in line with the 2021 standards. It lowers the barrier of entry, and I'm all in for that!
       
       However, there's a *massive* catch: the read status. Every time you can see a message on a public room, Matrix will show your avatar next to the said message to materialize that you "read" (at least saw) it.
       
       There's currently no way to disable this feature, be it on synapse or dendrite. The read status gets broadcast to *all the room participants*, including bots.
       
       Some bots are autojoining all the big rooms as soon as you open them. It's not clear who operates them, they don't ask anybody's consent before joining. You can assume this presence data is actively getting stored and mined by them, it's trivial to do. I implemented such a POC in a couple of hours yesterday night (I obviously turned it off and deleted the data after showing it to some friends).
       
       Back to my initial punch line: this situation is worse than it is with Slack. At least, with Slack, my read status stays between me, Slack corp and the people they decide to share the data with. With Matrix, it's open bar, private data for everyone.
       
       The Vector team seem not to care too much [1] and are not considering this situation as urgent.
       
       We absolutely need a way to disable these read statuses on a per room (or space?) level. As free software devs, we should be able to protect our peers' and users' privacy. My presence status, be it on a public chat, is definitely *not* public data that should carelessly be shared.
       
       [1] https://github.com/vector-im/element-web/issues/2527
       
 (DIR) Post #A7QuQLykXl5eOnqLNg by collappsar@kiwifarms.cc
       2021-05-20T07:02:11.939895Z
       
       1 likes, 0 repeats
       
       @Ninjatrappeur Just stop ghosting your friends like a faggot.
       
 (DIR) Post #A7Qwe3pP1YkA4H8RBQ by teslas_moustache@sunbeam.city
       2021-05-20T07:01:00Z
       
       0 likes, 0 repeats
       
       @Ninjatrappeur is the read status important information? Why?
       
 (DIR) Post #A7Qwe4Lf5cY1gKECSu by Ninjatrappeur@social.alternativebit.fr
       2021-05-20T07:27:04.312962Z
       
       0 likes, 0 repeats
       
       @teslas_moustache It publicly broadcasts the fact you have a particular webpage open.
       
 (DIR) Post #A7QwhucvAzlkgm8LPU by Ninjatrappeur@social.alternativebit.fr
       2021-05-20T07:27:47.801194Z
       
       0 likes, 0 repeats
       
       Haha. Can I ghost my enemies then?
       
 (DIR) Post #A7Qwjel98qWK3YoRE0 by parisni@social.interhop.org
       2021-05-20T07:22:16.652324Z
       
       1 likes, 0 repeats
       
       @Ninjatrappeur fully agreed. Those presence trackers are an abject shame
       
 (DIR) Post #A7QzJ8Qp0rXU7vLpLM by lewo@mamot.fr
       2021-05-20T07:51:39Z
       
       1 likes, 0 repeats
       
       @Ninjatrappeur Do you know how this read status works with client notifications? I would suppose it is not updated (I sometimes read my notification history instead of switching to the Matrix client).
       
 (DIR) Post #A7QzkiJ9jXSXDKuqno by Ninjatrappeur@social.alternativebit.fr
       2021-05-20T08:01:53.712840Z
       
       0 likes, 0 repeats
       
       @lewo I'm not 100% sure. I only used the web client so far. All I can tell is that I failed to find a read status-specific message in the webconsole.
       
       I'm a total noob with the protocol. The complexity seems to be an order of magnitude higher than XMPP...
       
 (DIR) Post #A7R0R2RjFZS3pn6kT2 by Ninjatrappeur@social.alternativebit.fr
       2021-05-20T08:09:32.583862Z
       
       0 likes, 0 repeats
       
       @lewo https://matrix.org/docs/spec/client_server/latest#post-matrix-client-r0-rooms-roomid-read-markers
       
       I guess we could spoof that with a user script? 🤔 That's not a real fix though. It'd require some action from the user instead of being a default.
       
 (DIR) Post #A7RAob2VnYkxKFBWJE by waweic@chaos.social
       2021-05-20T09:10:44Z
       
       1 likes, 0 repeats
       
       @Ninjatrappeur @lewo I wasn't even able to read the specification
       
 (DIR) Post #A7RInVr8Nt94aorDDk by Ninjatrappeur@social.alternativebit.fr
       2021-05-20T11:35:18.033017Z
       
       0 likes, 0 repeats
       
       @lewo I read a bit more of the spec and the proposed fix: https://github.com/matrix-org/matrix-doc/pull/2285
       
       TL;DR: at the moment, they use the read receipts to both materialize the public read status and the private read status (ie. telling all your clients whether a message has already been read or not).
       
       Not sending those will mess with the notifications...
       
 (DIR) Post #A7RVqnHZLgOiue7Ixc by penguin42@mastodon.org.uk
       2021-05-20T14:01:27Z
       
       1 likes, 0 repeats
       
       @Ninjatrappeur Isn't the read-status a protocol level thing that the client can not-send? i.e. if you were using a different matrix client, (or a fork of element) just not send it? I have vague memories of it not happening on some other clients. It's important to distinguish the element client from Matrix as a whole.
       
 (DIR) Post #A7RWRrXIUqPUot9JWC by Ninjatrappeur@social.alternativebit.fr
       2021-05-20T14:08:15.915290Z
       
       0 likes, 0 repeats
       
       @penguin42 There are several problems leading to this issue. It's a protocol issue.
       
       Overall, the matrix protocol does not make any distinction between the "public read status" (ie. notify others what you did read and whatnot) and the "technical read status" (notify your other clients/devices what you read and whatnot). If you stop sending these statuses to the server, you'll break the multi-client support and the notifications.
       
       A proper fix to that would be to separate these two concepts in two technical entities. You can read [1] for more details.
       
       If you want to fix that, you'll need to first implement the fix in the popular servers and clients, open an RFC while preventing these implementations from bitrotting, convince people to adopt the RFC, then wait for the ecosystem to move on.
       
       TL;DR: it's a protocol issue, it's not trivial to fix.
       
       [1] https://github.com/matrix-org/matrix-doc/pull/2285#discussion_r436383889
       
 (DIR) Post #A7RWkPmdu5zkFVAo64 by teslas_moustache@sunbeam.city
       2021-05-20T14:00:16Z
       
       0 likes, 0 repeats
       
       @Ninjatrappeur It publicly broadcasts that Ninjatrappeur has a webpage open (or an app, as may be the case). But idk who Ninjatrappeur is.
       
 (DIR) Post #A7RWkQDEJFGJZxc2XQ by Ninjatrappeur@social.alternativebit.fr
       2021-05-20T14:11:36.578361Z
       
       0 likes, 0 repeats
       
       @teslas_moustache you need to aggregate more data and cross-reference it.
       
       I've been in that business, trust me, this kind of data has value.
       
 (DIR) Post #A7RWwplX82d0J2ZnGq by penguin42@mastodon.org.uk
       2021-05-20T14:13:48Z
       
       1 likes, 0 repeats
       
       @Ninjatrappeur Ah, yes that's more subtle. I guess if you're assuming all your devices are connected to the same server (otherwise you're federating and you can't do private anyway) then you could filter the read receipts so they don't propagate to other servers; but that's hairy.
       
 (DIR) Post #A7RcszpKNYTO4pu8EC by mobian@fosstodon.org
       2021-05-20T15:18:01Z
       
       0 likes, 0 repeats
       
       @Ninjatrappeur @federico3 Apologies, I have never used slack. The help page lists 3 options to 'mark as read' but no 'turn it off'. Is there such a thing?
       
       https://slack.com/help/articles/360043037853-Manage-your-Mark-as-Read-preference
       
 (DIR) Post #A7Rct0I2enRRVtL3z6 by Ninjatrappeur@social.alternativebit.fr
       2021-05-20T15:20:21.402941Z
       
       0 likes, 0 repeats
       
       @mobian Your read status is not shared to the other users on slack. It's just a convenient way for you to know what you already read.
       
       And I guess for slack to get some more tracking data.
       
 (DIR) Post #A7RljbnHGNMAWMXmMK by reto@pleroma.labrat.space
       2021-05-20T16:59:32.086067Z
       
       0 likes, 0 repeats
       
       you can disable presence certainly on the homeserver, it's a setting there
       
 (DIR) Post #A7T4Ea3pkUQuSMAMCm by timokoesters@mastodon.social
       2021-05-21T07:41:16Z
       
       1 likes, 0 repeats
       
       @Ninjatrappeur I can think of a few solutions:
       - global/per-room read receipt disabling
       - only sending read receipts to users you have a DM with
       - a button that sends the read receipt instead of sending it automatically when opening the room
       
 (DIR) Post #A7T4EaRwIriPf7RbmK by Ninjatrappeur@social.alternativebit.fr
       2021-05-21T08:01:31.247651Z
       
       0 likes, 0 repeats
       
       @timokoesters It's not that easy.
       
       See https://social.alternativebit.fr/notice/A7RWRl35i9tYjWtaNs
       
 (DIR) Post #A7T4lmervusx5BJzea by Ninjatrappeur@social.alternativebit.fr
       2021-05-21T08:07:32.905762Z
       
       0 likes, 0 repeats
       
       @timokoesters Ah! Your nick was vaguely familiar, I get why now :)
       
       If you're up to tackle this, I'm up to help you with some technical writing and some coding provided you manage to clearly show the way forward. I'm not familiar enough with the Matrix protocol to move that forward, you might be at the perfect place to lead that effort though :)
       
 (DIR) Post #A7T4t7coNSao8YrH7I by timokoesters@mastodon.social
       2021-05-21T08:08:30Z
       
       0 likes, 1 repeats
       
       @Ninjatrappeur I'm writing a comment for the MSC right now :)
       
 (DIR) Post #A7T4tcIKLfcvG0VqzY by Ninjatrappeur@social.alternativebit.fr
       2021-05-21T08:08:58.543309Z
       
       0 likes, 0 repeats
       
       @timokoesters <3
       
 (DIR) Post #A7TPBLQLoGnnEIzqCG by Agris@tailswish.industries
       2021-05-21T11:40:24.506743Z
       
       1 likes, 0 repeats
       
       @Ninjatrappeur Would you please show me your POC? I want to know just what the implications are because I have a few matrix users that federate onto my XMPP server mucs. I am concerned about the privacy implications of matrix users' effect on XMPP.
       
 (DIR) Post #A7TPBMSVxi7wRJ15Cy by Agris@tailswish.industries
       2021-05-21T11:42:28.122838Z
       
       1 likes, 0 repeats
       
       @Ninjatrappeur being electron based, what about the privacy implications of Google Chrome?
       
 (DIR) Post #A7TPTatX1rAGQKLcCe by Ninjatrappeur@social.alternativebit.fr
       2021-05-21T11:59:33.578159Z
       
       0 likes, 0 repeats
       
       @Agris I'm not really willing to make the situation worse by spreading ready to use code.
       
       All you need is a thin wrapper around the SDK of your favorite language.
       
       See https://matrix.org/sdks/
       
 (DIR) Post #A7TPUZaVNDBqeyumW0 by Ninjatrappeur@social.alternativebit.fr
       2021-05-21T11:59:45.321055Z
       
       0 likes, 0 repeats
       
       @Agris There's a webapp, you can use firefox.
       
 (DIR) Post #A7TPZbBSrmXr3fbBnk by Ninjatrappeur@social.alternativebit.fr
       2021-05-21T12:00:39.766766Z
       
       0 likes, 0 repeats
       
       @Agris There are also native clients good enough for public rooms. Look at fractal and the weechat plugin.
       
 (DIR) Post #A7TSzDFKmvJaD0JXLU by Agris@tailswish.industries
       2021-05-21T12:04:58.469880Z
       
       1 likes, 0 repeats
       
       @Ninjatrappeur no thanks, I'm not interested in investing in matrix at this time. I just want to know if it's a liability for XMPP users.
       
 (DIR) Post #A7TbR2QxNisQPqWtto by Agris@tailswish.industries
       2021-05-21T12:01:56.686569Z
       
       1 likes, 0 repeats
       
       @Ninjatrappeur no I'm not asking for that. I don't want to run I'm asking if you could share the data with me that you showed to your friends to warn them about the severity of the issue.
       
       But for others generally if you tell the developers and they refuse to do anything about it then you release the proof of concept as a CVE.
       
 (DIR) Post #A7TdWocVqwufDfojya by downey@floss.social
       2021-05-21T14:25:47Z
       
       1 likes, 0 repeats
       
       @Ninjatrappeur I think it's disingenuous to say that the team doesn't care about read receipts ... there have been many issues both opened and resolved on this topic, and it's an ongoing stream of work, according to the dates at: https://github.com/vector-im/element-web/labels/A-Read-Receipts
       
 (DIR) Post #A7TdWp3SEmSoZEQFyC by Ninjatrappeur@social.alternativebit.fr
       2021-05-21T14:36:59.768538Z
       
       0 likes, 0 repeats
       
       @downey Most of the issues you linked are stalled for more than 1y. Only 6 of them had any activity in 2021. None besides the duplicate who's been created yesterday are about this privacy issue.
       
       The RFC trying to fix that https://github.com/matrix-org/matrix-doc/pull/2285 has been opened 2 years ago before getting abandoned.
       
       This issue is clearly not a high priority one for the vector team.
       
       I'm not trying to blame people but rather trying to attract attention to this issue. Let's ack the issue and move forward.
       
 (DIR) Post #A7VksumBoEvQcc3kyu by Ninjatrappeur@social.alternativebit.fr
       2021-05-22T15:08:51.489406Z
       
       0 likes, 0 repeats
       
       @timokoesters I slept on that issue and spent some time reading the matrix spec to have a rough idea about how this system works. I read the original proposal, I think I'm up to implement and push that proposal forward.
       
       So, if I understand your comment correctly, you'd be more inclined to implement this private RM system as the original MSC author proposed instead of introducing a new event type?
       
       If I understand correctly, you're not affiliated in any way with the new vector team and part of another sub-community gravitating around matrix. How do you reach consensus in cases like that? The MSC contributor guide is a bit unclear about that. Does that mean we're doomed to see this issue stall?
       
       Would me implementing both options in prosody and matrix-{js,react}-sdk help moving things forward?
       
 (DIR) Post #A7VlLAKRZxjsxuYKyO by timokoesters@mastodon.social
       2021-05-22T15:12:59Z
       
       0 likes, 0 repeats
       
       @Ninjatrappeur Yeah what I described is what the MSC proposes. I recommend asking in the #matrix-spec room how you can help move it forward.
       
 (DIR) Post #A7VlLAoZlvqGTMeOwK by Ninjatrappeur@social.alternativebit.fr
       2021-05-22T15:13:57.732457Z
       
       0 likes, 0 repeats
       
       @timokoesters 👍 will do. Thanks.
       
 (DIR) Post #A7VmDdpk64KU6uAW6S by timokoesters@mastodon.social
       2021-05-22T15:14:39Z
       
       1 likes, 0 repeats
       
       @Ninjatrappeur So in your matrix client join #matrix-spec:matrix.org
       
 (DIR) Post #A7VmHA2ineF8sHuxbE by Ninjatrappeur@social.alternativebit.fr
       2021-05-22T15:24:28.166315Z
       
       0 likes, 0 repeats
       
       @timokoesters already did, I posted a message there :) Thanks for pointing me to this!
       
 (DIR) Post #A7YxiL3ld4ffpcRroe by js@mstdn.io
       2021-05-24T04:16:44Z
       
       1 likes, 0 repeats
       
       @Ninjatrappeur @lewo I suppose you can change synapse to not send it to other users. Could probably be made an option. Personally, I don’t see an issue with other people knowing that I read their message, though.
       
 (DIR) Post #A7ZEcgjbpPDkXQuYNc by Ninjatrappeur@social.alternativebit.fr
       2021-05-24T07:26:13.983240Z
       
       0 likes, 0 repeats
       
       @js @lewo We need to alter the matrix protocol a tiny bit https://github.com/matrix-org/matrix-doc/pull/2285
       
       But yeah, that's the current plan.
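
Added example, not part of the thread and not Synapse or Dendrite code: a sketch of the homeserver-side filtering suggested above, where in opted-out rooms a user's `m.receipt` entries are delivered only back to that same user so their own devices stay in sync. `HIDE_RECEIPTS_IN`, `filter_receipt` and the sample IDs are assumptions made for the illustration.

```python
# Added illustration; HIDE_RECEIPTS_IN is a hypothetical per-room opt-out.
HIDE_RECEIPTS_IN = {"!public:example.org"}


def filter_receipt(room_id, event, recipient):
    """Return the m.receipt event as `recipient` should get it, or None.

    In opted-out rooms a user only receives their own receipts, so their
    other devices still learn what was read while nobody else does.
    """
    if event.get("type") != "m.receipt" or room_id not in HIDE_RECEIPTS_IN:
        return event
    kept = {}
    # m.receipt content is keyed: event ID -> receipt type -> user ID.
    for event_id, by_type in event["content"].items():
        for receipt_type, by_user in by_type.items():
            if recipient in by_user:
                kept.setdefault(event_id, {})[receipt_type] = {
                    recipient: by_user[recipient]
                }
    return {"type": "m.receipt", "content": kept} if kept else None


# Constructed sample: alice and bob both read the same message.
SAMPLE = {
    "type": "m.receipt",
    "content": {
        "$msg1": {
            "m.read": {
                "@alice:example.org": {"ts": 1621493700000},
                "@bob:example.org": {"ts": 1621493760000},
            }
        }
    },
}

if __name__ == "__main__":
    for who in ("@alice:example.org", "@logger-bot:example.net"):
        print(who, filter_receipt("!public:example.org", SAMPLE, who))
```

This only covers what a server hands to its own clients; as noted in the thread, receipts sent over federation would need the same treatment on the sending side.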