chat.privacytools.io / Riot tracking issue about services HOT 54 CLOSED

Sorry I missed this earlier - I will take a look and come back with responses as soon as I can.

from services.

Host Dimension instead of relying on vector.im

I know I said I wasn't going to do this, but I'm going to do this. I was actually going to do it tonight, but it took me too long to setup a homeserver (even though I've done it like 5 different times before), so I'll actually setup Dimension tomorrow 😴

from services.

Oh, yes - I'm Delivery Manager for Riot Web, so I sometimes have something of a Riot Web bias, sorry.

It would be better if the mobile apps made it clearer you were logging into/registering on matrix.org, though of course users registering on matrix.org will be sent past the matrix.org terms and conditions before that registration is completed.

I'll make an issue for this, too.

from services.

I have misremembered or am thinking of older version which had advanced settings while currently there is "edit server settings" and I don't see matrix.org/vector.im mentioned without checking it, even if I click login.

This is fixed in https://github.com/LiMium/mini-vector-android (LiMium/mini-vector-android#27) Custom options is checked by default and Identity server set to localhost.

from services.

Hi, I am not sure where this would be the most topical, but have you had time to see and read The Metadata Trap? It's very long, but interesting and included some suggestions that even Signal doesn't do yet, mainly

It’s not enough that these apps encrypt messages. They also need to do better at promptly deleting data that’s no longer needed. End-to-end encryption protects messages as they travel from one phone to another, but each phone still has a copy of the plain text of all these messages, leaving them vulnerable to physical device searches. Disappearing messages features are a great start, but they need to be improved. Users should have the option to automatically have all their chats disappear without having to remember to set disappearing messages each time they start a conversation, and they should be asked if they’d like to enable this when they first set up the app. And when all messages in a conversation disappear, all forensic traces that a conversation with that person happened should disappear too.

Are you thinking or going to think about it, or is it out-of-scope (if you are focusing more on team chat and bridging, but I guess it would be a nice addition to E2EE-by-default-private-chats though)?

If you are following this repository you may already have seen https://github.com/privacytoolsIO/privacytools.io/issues/1134 where I have been wondering how do other instant messengers treat this and linking to their issues.

from services.

Yes, however identity server is currently not changeable after logging in (and yesterday I missed it entirely in login, if it even was there in RiotX)

vector-im/element-android#20

they don't want people to change it.

from services.

they don't want people to change it.

Hey - I just wanted to highlight that the ability to change Identity Servers after having logged in is on the roadmap for the current privacy sprint, across all clients. If you would like to see the plan and track its progress you can follow along here: https://vector-im.github.io/feature-dashboard/#/plan?label=privacy-sprint&repo=vector-im%2Friot-web&repo=vector-im%2Friot-ios&repo=vector-im%2Friot-android&repo=vector-im%2FriotX-android&repo=matrix-org%2Fmatrix-doc&repo=matrix-org%2Fsydent

(this tool just pulls issues with the same labels from across they myriad repos this work spans; you can find all the same stuff by searching each github repo manually).

from services.

Why not at login? As it is now possible in the riot android (not riotx)?

I'm hoping we can get rid of references to identity servers at login entirely, and just have them configured by the user in user settings after they've logged in (so identity server is a configurable property of the account, rather than the session).

Once the current work has landed, no data will be processed by any identity server until the user has explicitly accepted the terms and conditions, so from a data processing standing I think it's fine to drop it from registration/login. I think it feels a lot more natural from an average user's perspective, too.

This does present a slightly tricky UX problem of how we handle the idea of a 'default' identity server, though I think that's fine, too - default identity servers can be set at the client level or in the .well-known, and all that will mean is that the default identity server is the one that your client will prompt you to accept the terms and conditions of if and when you try and do something identity-servery (e.g. invite by email or publicly link your mxid with your email).

We might want to maintain separate identity server choice states for this - i.e. "don't use an identity server" as distinct from "this is the identity server I would use, but I won't send it any data because I haven't accepted its terms and conditions". Even though they're materially the same (from a data processing perspective), it would be nice for people to feel like they're not at risk of accidentally accepting the terms and conditions of an identity server they don't want to use.

from services.

Please give the link here when you are done.

Riot iOS: vector-im/element-ios#2614
RiotX: vector-im/element-android#450 (issue already closed, RiotX actually shows the default homeserver already)
Riot Android: vector-im/riot-android#3238 - not sure we'll actually want to make the changes to Riot Android - it depends how quickly we can replace Riot Android with RiotX.

Doesn't this however give me a separate device ID and fingerprint that I would need to reverify with people again?

Sorry, yes it does. As an aside, cross signing will solve this problem and is very much inbound - the backend support is basically complete (but there's still a lot of UX to do yet).

from services.

@jonaharagon Recent changes in Riot code regarding auto-discovery made this quite complex. I would be very cautious with any approach you take and be sure to test it before hand.

from services.

FYI the default on our Riot install is now an integration manager that is 1) controlled by me, and 2) disabled by default until you specifically use it once and check an agreement box.

from services.

@lampholder Could you also comment on these issues?

(Good night, it's 02 AM for me)

from services.

Hi @Mikaela,

Sorry I'm only just getting to this now. Can I check what this list of issues represents to you?

In the interests of providing some hopefully useful feedback now, I'm going to assume that this list represents the set of issues you would like to see addressed in Riot/Matrix for you to be wholly comfortable with its inclusion in privacytools' set of recommended services. I'll assume that they aren't all equally weighted, but I won't worry about relative priorities for now.

First up - the ones I can handle off the top of my head. These issues are part of the current privacy work:

• vector-im/element-web#10161 - Store Integration Manager preferences in account data and allow user to change them somewhere sensible
• vector-im/element-web#10167 - Present an aggregated terms of service dialogue at registration if possible
• vector-im/element-web#10087 - Prompt to accept integration manager policies on registration
• vector-im/element-web#10094 - Store identity server in Account Data and support choosing identity server integration in User Settings

As for open sourcing the scalar integration manager (vector-im/riot-web#7757 - Open source the integrations server WONTFIX) we have no plan to do this today, but we are making it clearer and easier for users to control which Integrations Manager they use, and there's also Dimension which can be used as an open source alternative. Hopefully this mitigates our not having a plan to open source Scalar?

Some of the others weren't high on my agenda - I wouldn't want to consider exif stripping, private contact discovery and sticker encryption until we've got cross-signing working in Riot so that E2E encryption is finally as user friendly as it needs to be. If they're blockers to your recommending or service, though, I can make sure that is at least kept in mind as we schedule future work.

The remaining items I'll have to check the status on tomorrow (it's gotten a little later than I planned). I'll be in touch ASAP with an update.

from services.

In the interests of providing some hopefully useful feedback now, I'm going to assume that this list represents the set of issues you would like to see addressed in Riot/Matrix for you to be wholly comfortable with its inclusion in privacytools' set of recommended services. I'll assume that they aren't all equally weighted, but I won't worry about relative priorities for now.

You are correct, however I wouldn't consider some issues like the exif metadata scrubbing essential for listing Riot as as far as I am aware nothing else is doing that either. The ordering could be considered random as it's based on what I picked from other issues and then tried to search for issues based on other discussions, so towards the end it's in order of newest reported on your issue tracker.

we are making it clearer and easier for users to control which Integrations Manager they use, and there's also Dimension which can be used as an open source alternative. Hopefully this mitigates our not having a plan to open source Scalar?

I find it acceptable, especially with open source alternative existing, as opposed to the current situation where an average user doesn't even know they are using Scalar. my previous comment at prism-break

Some of the others weren't high on my agenda

In my opinion the most important issue from those I listed would be actually removing removals (matrix-org/synapse#1287) and allowing data to expire (https://github.com/matrix-org/matrix-doc/issues/447). (As you can see I started replying without reading your comment entirely at first)

There are also the issues raised by muppeth, do you have an issue number for them?

The remaining items I'll have to check the status on tomorrow (it's gotten a little later than I planned). I'll be in touch ASAP with an update.

Thank you in advance and good night. I will try to sort the list better tomorrow.

from services.

This is very interesting ( +1 )

Just to be clear, Synapse isn't the only way to implement Matrix.
There are also homeserver's like Ruma.

Matrix is just a protocol, lots of ways to use it!

Plus, you can always change your homeserver for most clients.
Therefore it may not be necessary for privacytools.io to host a full client like Riot-Web.
- not to say it wouldn't be convenient tho.

from services.

I think I got the list in a more clear order now.

Just to be clear, Synapse isn't the only way to implement Matrix.
There are also homeserver's like Ruma.

Has Ruma had stable releases yet? While it could fix some issues with Synapse, I don't think it helps very much with some issues like matrix-org/synapse#1287 while the federation includes Synapses that are doing that.

Plus, you can always change your homeserver for most clients.

Yes, however identity server is currently not changeable after logging in (and yesterday I missed it entirely in login, if it even was there in RiotX) and currently integration server existing is not even told to the user being an option only a selfhoster can change.

from services.

ISs can and should be blocked if privacy is desired. IS is not needed for matrix chat client to function correctly (I think). See also: LiMium/mini-vector-android#26.

from services.

Thanks, there we have another issue to add to this tracking.

from services.

I'm a Fractal and Weechat fan. Although, I do use Riot.im for my aliases.

Although, I cannot confirm. But it seems like they allow you to change identity servers.

Edit: Also, what is IS?

from services.

Plus, you can always change your homeserver for most clients.

I know, many users dislike them; However, even Purism seems to have acknowledged web based apps are no longer a first priority: https://shop.puri.sm/librem-one-thanks/

from services.

Edit: Also, what is IS?

identity server. Sorry shouldn't have written short right away.

to change Identity Servers after having logged

Why not at login? As it is now possible in the riot android (not riotx)?

from services.

Hi all,

I've updated some of the relevant issues to get them into our privacy project tracking tool. I've tried to summarise clearly:

Things which have been added to the plan:

• matrix-org/synapse#1287, matrix-org/synapse#4565 and matrix-org/synapse#1263 have been added to phase:1
• https://github.com/matrix-org/matrix-doc/issues/447 has been added to phase:2 - this is not to assign it lower priority than the other issues, rather it is to say that there are more hurdles to completing this (getting the MSC agreed primarily) so we're not exactly sure when it will land

Issues from your list which I think are mitigated by other issues:

• vector-im/element-web#7649 is being addressed by matrix-org/matrix-spec-proposals#2134
• vector-im/element-android#20 there's been some discussion on that issue - RiotX doesn't support interacting with an Identity Server yet (or an integration server for that matter); there is a reference to vector.im in the codebase, though - vector-im/element-android#446 has been filed to address this though from @maxidorius' comments it sounds like there may be a bit more to do

Things which haven't been added to the plan:

• matrix-org/matrix-spec-proposals#1228 - even though we're very keen to fix this, we can't commit to it right now since it's a large and invasive change; we need to weigh it against the other objectives we're trying to achieve. If privacytools aren't comfortable recommending matrix whilst matrix IDs are baked into events, could this be mitigated by recommending users choose non-identifying IDs?
• matrix-org/synapse#1941 is relatively easy to implement, but doesn't add a lot of value until matrix-org/matrix-spec-proposals#1228 lands
• matrix-org/matrix.org#342 - we rely on Cloudflare for DoS mitigation - matrix.org can only stay online thanks to this service. If this is a hard blocker for a privacytools recommendation then I understand, though are you are able to recommend alternative homeservers/self hosting instead?
• vector-im/element-web#4426 - there's no plan to do this at this stage (users can strip their own exif data before sharing, which is not great I know - if anyone is willing to provide a PR for this it would be warmly received)
• vector-im/riot-meta#287 - we've no plans to make any tor-specific changes at this stage, though Riot Web mostly works fine in tor browser if that's of any value. Once again, though, community-provided PRs for this would be warmly received

from services.

Thanks for the update,

vector-im/element-web#7649 is being addressed by matrix-org/matrix-spec-proposals#2134

I added matrix-org/matrix-spec-proposals#2134 with a slash.

If this is a hard blocker for a privacytools recommendation then I understand, though are you are able to recommend alternative homeservers/self hosting instead?

I am not sure as I don't think anyone (in the team or commenting actively) is checking for Cloudflared domains and in privacytoolsIO/privacytools.io#1054 (ICANNnet DNS servers) half of the suggestions are using Cloudflare. I think a bigger issue would be Riot not exposing the default homeserver matrix.org by default, do you have an issue tracking it? From that issue I also get impression that you have a wish to shut down Matrix.org homeserver (matrix-org/matrix.org#342 (comment)) which I imagine would resolve these issues unless you would replace it with another homeserver that is suggested by default unless the user knows to click advanced/additional/similar settings.

Personally my main concerns with Cloudflare is

I understand this to mean that Cloudflare can one way or another read all traffic going through Matrix.org including IRC users who have never even heard of Matrix if someone happens to use Matrix on the same IRC channel? Matrix.org is quite big compared to an individual Cloudflaring their IRC client, I have heard a number 1500 connections associated with a I-line request from third party bridge admin.

from services.

I think a bigger issue would be Riot not exposing the default homeserver matrix.org by default, do you have an issue tracking it?

I think there might be crossed wires here - the queued up privacy work has a few items to better highlight the default identity server and integration manager, but the default homeserver is already pretty well highlighted:

and

Or do you mean Riot's not highlighting that the default homeserver is behind cloudflare?

from services.

Your screenshots look good to me (other than not mentioning the identity server), but they seem to be from Riot Desktop, while the currently recommended Riot Android app looks like this:

I have misremembered or am thinking of older version which had advanced settings while currently there is "edit server settings" and I don't see matrix.org/vector.im mentioned without checking it, even if I click login.

I am currently not able to get Riot X login screen as I don't want to regenerate keys yet again.

from services.

I am currently not able to get Riot X login screen as I don't want to regenerate keys yet again.

Key backup works on Riot X, so you could back your keys up to save regenerating. The backups are encrypted locally and stored on the homeserver encrypted (without the homeserver ever having access to the encryption key).

from services.

I'll make an issue for this, too.

Please give the link here when you are done.

Key backup works on Riot X, so you could back your keys up to save regenerating. The backups are encrypted locally and stored on the homeserver encrypted (without the homeserver ever having access to the encryption key).

Doesn't this however give me a separate device ID and fingerprint that I would need to reverify with people again?

from services.

Yes, however identity server is currently not changeable after logging in (and yesterday I missed it entirely in login, if it even was there in RiotX)

vector-im/riotX-android#20

they don't want people to change it.

@afonari There is massive confusion about this - the reason RiotX didn't expose UI for configuring the identity server is that it does not yet implement any identity functionality(!) The default setting was hanging around the codebase unused, and got removed in vector-im/element-android#446.

from services.

@ara4n This is great news, thanks! Hopefully, if it is added back, it will be chageable from GUI.

from services.

of course! this has always been the plan.

from services.

vector-im/element-web#4426 - riot does not scrub exif data from upload

I don't think anything else does this either, please correct me.

Discord does or used to do this.

from services.

LiMium/mini-vector-android#32 was merged into mini-vector for android. I think this removes all the integrations. @maxidorius based on your research are there any other "hidden" integrations in the riot-android?

from services.

@afonari There are others like the Integration manager. I didn't dig into android specifically, but from network activity I saw, the identity server is the tip of the iceberg, as being the only configurable item.

from services.

Max, they exposed quite a few in the config.xml: https://github.com/vector-im/riot-android/blob/develop/vector/src/main/res/values/config.xml

I searched for "vector.im" in the riot-android repo, I couldn't find anything that it is leaking except those from the config.xml.

from services.

See https://matrix.org/blog/2019/09/27/privacy-improvements-in-synapse-1-4-and-riot-1-4, which solves many of the issues touched on in the OP.

from services.

so, do you guys have a estimated release date for e2ee other then Soon™ (which has been its status for what, 2 maybe 3 years now?)

from services.

@ara4n I can still reproduce https://github.com/privacytoolsIO/privacytools.io/issues/1338 with Riot-web 1.4. My config is:

{
    "default_server_config": {
        "m.homeserver": {
            "base_url": "https://chat.privacytools.io",
            "server_name": "chat.privacytools.io"
        },
        "m.identity_server": {
            "base_url": "https://chat.privacytools.io"
        }
    },
    "disable_custom_urls": false,
    "disable_guests": false,
    "disable_login_language_selector": false,
    "disable_3pid_login": false,
    "brand": "Riot",
    "integrations_ui_url": "https://chat.privacytools.io/",
    "integrations_rest_url": "https://chat.privacytools.io/api",
    "integrations_widgets_urls": [
        "https://chat.privacytools.io/_matrix/integrations/v1"
    ],
    "integrations_jitsi_widget_url": "https://chat.privacytools.io/api/widgets/jitsi.html",
    "bug_report_endpoint_url": "https://riot.im/bugreports/submit",
    "defaultCountryCode": "GB",
    "showLabsSettings": false,
    "features": {
        "feature_pinning": "labs",
        "feature_custom_status": "labs",
        "feature_custom_tags": "labs",
        "feature_state_counters": "labs"
    },
    "default_federate": true,
    "default_theme": "light",
    "roomDirectory": {
        "servers": [
            "matrix.org"
        ]
    },
    "welcomeUserId": false,
    "piwik": false,
    "enable_presence_by_hs_url": {
        "https://matrix.org": false
    }
}

from services.

@afonari Homeservers like Synapse used to require an identity server for some operations such as adding an email. This has been fixed as part of the privacy work, but it requires both Riot 1.4 and Synapse 1.4. Synapse 1.4 is not yet released (currently in RC), so I am guessing it is not used on the privacytools.io HS yet. You can test HS support on matrix.org which includes the latest server changes if you’d like to check it out.

from services.

@jryans can you please clarify. When I add an email address from riot web 1.4 running on localhost with HS pointing to somehost1.org and IS pointing to somehost2.org, where does this request go?

Homeservers like Synapse used to require an identity server for some operations such as adding an email.

Maybe this means that my request goes to the HS and then HS creates a request to vector.im identity server?

from services.

@jryans can you please clarify. When I add an email address from riot web 1.4 running on localhost with HS pointing to somehost1.org and IS pointing to somehost2.org, where does this request go?

Riot 1.4 behaves differently when adding an email to your HS account depending on whether the HS supports the new privacy changes, currently part of Synapse 1.4.

If your HS is older (without privacy work), then Riot passes the selected IS to the HS and the HS talks to IS on your behalf to trigger the email.

If your HS includes privacy work (such as Synapse 1.4), then the IS is not involved at all. The HS handles email validation internally (or chooses to delegate email sending elsewhere and should be explained in the privacy policy of that HS).

from services.

If your HS is older (without privacy work), then Riot passes the selected IS to the HS and the HS talks to IS on your behalf to trigger the email.

Yes, I can see that:

POST to https://chat.privacytools.io/_matrix/client/r0/account/3pid/email/requestToken

What I don't understand is, how it is possible for IS to send email if IS is set to localhost (non existent IS, which is confirmed by the yellow warning at the login page). IS is set using:

"m.identity_server": {
            "base_url": "https://chat.privacytools.io"
        }

Identity server is not being picked up from this settings. In the Help & About it says:

Advanced
Homeserver is https://chat.privacytools.io
Identity Server is https://vector.im
Access Token: <click to reveal>

from services.

What I don't understand is, how it is possible for IS to send email if IS is set to localhost (non existent IS, which is confirmed by the yellow warning at the login page). IS is set using:

"m.identity_server": {
            "base_url": "https://chat.privacytools.io"
        }

This bit of Riot config is only a default IS suggested to users of that Riot install. Each user can pick a different IS or use no IS at all. You should check the General tab of Settings which allows editing the current IS to see what value is currently used. The user’s chosen IS overrides the default from Riot config.

It’s possible you’ve hit a bug that only occurs when setting the IS to some unreachable server? If so, it would great to have a Riot issue with more detail on the steps you are taking so we can fix that edge case.

Anyway, this is all a legacy path for an old HS, so you should move to Synapse 1.4 once available, as it won’t need the IS for these flows, which seems like what you want to achieve anyway. 😄

from services.

@jryans thanks for the explanations.

from services.

Linking another privacy case: vector-im/element-web#10696

from services.

It’s possible you’ve hit a bug that only occurs when setting the IS to some unreachable server? If so, it would great to have a Riot issue with more detail on the steps you are taking so we can fix that edge case.

@jryans Possibly. This is a problem I noticed on my personal account and have since confirmed with a couple people. It seems like when Riot encounters an invalid IS it appears to default to Vector.im. This is something I did not realize until this latest update where the IS is clearly displayed in settings.

I would really like to see @joepie91's suggestion at matrix-org/matrix-spec-proposals#2284 (comment) implemented ASAP so we can clearly recommend to our users to not use an IS at all as opposed to setting the IS field to some invalid link which is a hacky workaround (and also does not appear to work, although I was advised by @maxidorius that setting it to a blank string also doesn't seem to work, so I don't know if there is any way to disable the IS by default currently).

from services.

@jryans Possibly. This is a problem I noticed on my personal account and have since confirmed with a couple people. It seems like when Riot encounters an invalid IS it appears to default to Vector.im. This is something I did not realize until this latest update where the IS is clearly displayed in settings.

As far as the Riot core team is aware, when using Riot 1.4+ together with Synapse 1.4+, there should not be any case where Riot is defaulting back to https://vector.im as an IS.

If the Riot admin has supplied a default IS in Riot's config or if the HS admin has supplied a default IS in .well-known, then Riot will display that IS in Settings, but no user data is sent until the user has agreed terms.

If the Riot config supplies an invalid IS such as:

    "default_server_config": {
        "m.homeserver": {
            "base_url": "https://chat.privacytools.io"
        },
        "m.identity_server": {
            "base_url": "https://dev.null"
        }
    },

then Riot will display that IS in Settings (just like a real, working IS) and attempt to contact it to request terms, but that will of course fail.

If the HS .well-known supplies an invalid IS, we do hit the issue that matrix-org/matrix-spec-proposals#2284 is aimed at, as currently Riot would fail on registration in that scenario, but really it should change to a warning only and behave like the previous case where the invalid IS appears in Settings but fails on use.

If both the Riot config and HS .well-known do not configure any IS, then a new account will not have any associated IS. (This appears to achieve your goal as I understand it.)

If you or others are observing behaviour different from the above, then it sounds like a bug, and the Riot team would greatly appreciate an issue describing it so we can resolve the problem. 😄

from services.

Why was this closed, @Mikaela? Are all the problems fixed?

from services.

Why was this closed, @Mikaela? Are all the problems fixed?

because @jonaharagon thought in privacytoolsIO/privacytools.io#1392 (which dngray and I approved before I merged it) that it/relisting resolves this issue. For the discussion resulting me to approve in the end, see https://github.com/privacytoolsIO/privacytools.io/issues/1389.

I am content with leaving this closed as there is that upstream privacy tracker and I am not following everything happening there and don't have the capability of keeping this up-to-date, and would consider https://github.com/privacytoolsIO/privacytools.io/issues/1395 as the successor.

from services.

I agree with @poperigby, I think this should stay open. There are many unresolved issues.

from services.

One important issue is vector-im/element-web#10696: Allow users to disconnect from an integration manager entirely in the same way that we support doing this for identity servers.

from services.

@privacytoolsIO/editorial Are there volunteers on keeping this up-to-date?

I will move that to privacytoolsIO/privacytools.io#1395, while another option would be to not use Riot as I think it's the only client that implements an integration manager.

from services.

@privacytoolsIO/editorial Are there volunteers on keeping this up-to-date?

I'm OK posting here links to cases and following this thread.

not use Riot as I think it's the only client that implements an integration manager.

I agree. But currently PIO hosts riot-web.

from services.

Is there more documentation about it somewhere and what is the address that can be given to Riot user settings?

from services.

Are there any current Riot/Element clients (for Linux) that allow for proxies, VPNs, or Tor?

from services.