Post APUEj3jfk9j2dpcasy by cy@mstdn.io
Post #APUEj3jfk9j2dpcasy by cy@mstdn.io
       2022-11-11T07:11:36Z
       
       0 likes, 0 repeats
       
       So... #Matrix is not end to end encrypted, right? They're just lying, right? All it is, is sending unencrypted JSON over a point-to-point encrypted HTTPS session with a "homeserver." Homeservers directly connect to each other, so they use point-to-point as well, and every homeserver can monitor, alter, and override anything anyone on it says without their permission or awareness. Because I'd really like to be wrong, but I don't see how it's not like that.
       
Post #APUGaGntzEM2TRXKfw by gerowen@mastodon.social
       2022-11-11T07:32:26Z
       
       0 likes, 0 repeats
       
       @cy So your messages are encrypted in transit, but not once they're on a server. I thought they used OMEMO, though I haven't used Matrix much. I set up PGP keys for myself, wife and kids and we use that with an XMPP client (conversations.im), and use Signal for everybody else. Are you reviewing the source for Matrix or something?
       
Post #APUGbEHiq0GSx0wTqa by dt@mstdn.io
       2022-11-11T07:32:38Z
       
       0 likes, 0 repeats
       
       @cy https://www.uhoreg.ca/blog/20170910-2110
       
Post #APUHSYejpR2hTl8Xi4 by tommi@social.scambi.org
       2022-11-11T07:41:47Z
       
       0 likes, 0 repeats
       
       @cy Wait a second… whaaat? 😳 Is it true, @matrix?
       
Post #APUL87vZtUpkbiWiHI by matrix@mastodon.matrix.org
       2022-11-11T08:21:33Z
       
       0 likes, 0 repeats
       
       @tommi @cy yeah, it’s not true. Matrix clients encrypt non-public rooms E2E by default since 2020, as per https://matrix.org/blog/2020/05/06/cross-signing-and-end-to-end-encryption-by-default-is-here/. The E2E payloads get sent as base64 within JSON over HTTPS from client to server to server to client. (please don’t spread FUD about Matrix; the enemy here are centralised proprietary closed services… not us 😔)
       
Post #APUMzNMDMEZflOwNGq by tc@snabelen.no
       2022-11-11T08:41:34Z
       
       0 likes, 0 repeats
       
       @matrix @tommi @cy And the great thing is that it is easy to verify since you can read the source code, rather than just trusting the vendor.
       
Post #APUlEK9hwRHJ4qkeJs by soapone@pone.social
       2022-11-11T13:15:34Z
       
       0 likes, 0 repeats
       
       @cy Matrix has the option to be end-to-end encrypted when defining a new room/channel, or enabling the option on an existing channel. As far as I know, it's not SSL being used either. https://matrix.org/docs/guides/end-to-end-encryption-implementation-guide
       
Post #APUogw6ajqygkNd2nY by didek@101010.pl
       2022-11-11T13:54:34Z
       
       0 likes, 0 repeats
       
       @cy Of course servers are passing JSON data like that, because E2EE is a job on the client side. Clients encrypt messages; servers are just passing them between each other via https. It's like saying that https is not encrypted because routers are just passing unencrypted TCP/IP packets like a hot potato. Yeah, but those unencrypted packets can contain encrypted information.
       
Post #APVBIzUcn1hjFWQAFc by cy@mstdn.io
       2022-11-11T18:08:01Z
       
       0 likes, 0 repeats
       
       @matrix @tommi @soapone @kinetix @gerowen Thanks so much, and sorry for being alarmist; I hadn't gotten any answers trying to ask *if* #Matrix is E2EE. https://matrix.org/docs/guides/end-to-end-encryption-implementation-guide#starting-a-megolm-session does a really good job of explaining how #Matrix is end-to-end encrypted (or at least can be) and I just hadn't seen it yet.
       
Post #APVlzQzuW0NL48aoIy by cy@mstdn.io
       2022-11-12T00:59:00Z
       
       0 likes, 0 repeats
       
       @tc @matrix @tommi If only that were true. These days you can pretty much assume you'll be using binaries...
       
Post #APXBDj074IFSy5Yfs8 by kimitsune@social.singularity-node.net
       2022-11-12T17:14:17Z
       
       0 likes, 0 repeats
       
       @cy No, this is not true (see @matrix reply). But as far as I know, homeservers do have way too much control on rooms, including encrypted ones. Keep in mind they have lots of metadata even if they can't see the messages (for example who is talking to whom, or some other unencrypted signaling). Also they can add anyone to an E2EE room (but people will be able to see it). Hopefully this will be fixed one day. Tl;dr: Not true, but you still have to trust your home server to some extent.
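
The layering that @matrix (E2E payloads as base64 within JSON), @didek (encryption is the client's job, servers only relay) and @kimitsune (servers still see metadata) describe, as an added example that is not part of this thread and not Matrix's own Olm/Megolm code. It uses AES-256-GCM from Go's standard library as a stand-in for the real ratchets, a hypothetical simplified `Event` shape (the `m.room.encrypted` event type is real; the `example.aes-256-gcm` algorithm label and the `|`-joined associated data are constructed for this example), and an all-zero demo key. `homeserverView` is what a relaying server can read from the wire bytes; `decryptEvent` is what only a key holder can do; `tamperEvent` plays a server that edits the body it cannot read, which the authenticated cipher rejects.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Event is a simplified, hypothetical stand-in for a Matrix room event: the
// envelope is plaintext JSON a homeserver must read to route the event.
type Event struct {
	Type    string  `json:"type"`
	Sender  string  `json:"sender"`
	RoomID  string  `json:"room_id"`
	Content Content `json:"content"`
}

type Content struct {
	Algorithm  string `json:"algorithm"`  // constructed label, not a Matrix algorithm name
	Ciphertext string `json:"ciphertext"` // base64(nonce || AES-GCM output)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// parseEvent decodes the envelope and the raw sealed bytes; no key is needed.
func parseEvent(wire []byte) (Event, []byte, error) {
	var ev Event
	if err := json.Unmarshal(wire, &ev); err != nil {
		return ev, nil, err
	}
	sealed, err := base64.StdEncoding.DecodeString(ev.Content.Ciphertext)
	return ev, sealed, err
}

// encryptEvent is the sending client: the body is sealed under a key the
// homeserver never holds, with sender and room bound in as associated data.
func encryptEvent(key []byte, sender, roomID, body string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(body), []byte(sender+"|"+roomID))
	return json.Marshal(Event{Type: "m.room.encrypted", Sender: sender, RoomID: roomID,
		Content: Content{Algorithm: "example.aes-256-gcm", Ciphertext: base64.StdEncoding.EncodeToString(sealed)}})
}

// homeserverView is what a relaying server learns without the key: routing metadata, never the body.
func homeserverView(wire []byte) (sender, roomID, algorithm string, err error) {
	ev, _, err := parseEvent(wire)
	return ev.Sender, ev.RoomID, ev.Content.Algorithm, err
}

// decryptEvent is the receiving client: any change to the sealed bytes or to
// the bound sender/room fields makes Open fail instead of yielding text.
func decryptEvent(key, wire []byte) (string, error) {
	ev, sealed, err := parseEvent(wire)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return "", fmt.Errorf("ciphertext shorter than nonce (%d bytes)", len(sealed))
	}
	pt, err := gcm.Open(nil, sealed[:ns], sealed[ns:], []byte(ev.Sender+"|"+ev.RoomID))
	if err != nil {
		return "", fmt.Errorf("authentication failed: %w", err)
	}
	return string(pt), nil
}

// tamperEvent models a homeserver editing the body it cannot read: one bit of
// the sealed bytes is flipped and the envelope re-encoded.
func tamperEvent(wire []byte) ([]byte, error) {
	ev, sealed, err := parseEvent(wire)
	if err != nil || len(sealed) == 0 {
		return nil, fmt.Errorf("unusable envelope: %v", err)
	}
	sealed[len(sealed)-1] ^= 0x01
	ev.Content.Ciphertext = base64.StdEncoding.EncodeToString(sealed)
	return json.Marshal(ev)
}
```

Calling `encryptEvent` with an all-zero 32-byte key, then `homeserverView` on the result, shows the server side of the thread's point: sender, room and algorithm are readable, the body is not. Feeding the same bytes through `tamperEvent`, changing the `sender` field, or using a different key all make `decryptEvent` return an error rather than text, which is the property @cy was asking about (a homeserver can drop or withhold an encrypted event, but cannot silently alter or forge its content). What the example does not model, and what @kimitsune's post is about, is everything outside the ciphertext: membership, timing and who-talks-to-whom remain visible to the relaying server.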
       
Post #APXVeYHt0SLEdwwPZo by matrix@mastodon.matrix.org
       2022-11-12T21:03:33Z
       
       0 likes, 0 repeats
       
       @kimitsune @cy yup, you also have to trust your homeserver to do stuff like deliver messages too :) https://github.com/matrix-org/matrix-spec-proposals/pull/3917 is the WIP to stop servers being able to maliciously change room membership, fwiw.
       
Post #APYTr70liwll3vkvPE by cy@mstdn.io
       2022-11-13T08:19:58Z
       
       0 likes, 0 repeats
       
       @matrix @kimitsune Huh, my solution to that is just to have each member of the room keep their own list, and they have to actually talk with each other to agree on who to let in the room. So "my homeserver" adds someone, and I still have to add them before I see their messages. I like small, personal groups more than ensuring secrecy of big cults and corporations, so it actually works out alright.