This post is a list of all the suspicious things Matrix/New Vector and Element (which is run by Matrix employees) have done.

Crossposted to c/opensource from c/privacy.

I want to start a civil discussion on this topic. If anyone has improvement ideas for the list or wants to debate one of the bullet points for removal, I’m all ears.

Matrix

The Cloudflare Situation

All research on the Cloudflare situation is done by me.

If you check the SSL Certificate for https://element.io you’ll see it’s by Cloudflare.

Cloudflare has MANY privacy issues, and just wants to centralize the web.

The Element client is the most used client, with many users using the default instance, because it’s easy or they want to simply join their friends or a community on Matrix easily. This comes as worrying because Cloudflare decrypts TLS traffic and this is even more worrying because Cloudflare is a honeypot.

Even if Cloudflare cannot decrypt anything because of the Matrix protocol encrypting them beforehand, lots of metadata in the message itself is sent over plaintext like who you’re talking with, channel name etc. (and this is excluding the metadata leaks that Matrix has to the main homeserver and in general). Of course, this could be mitigated by using Element on another instance that isn’t behind Cloudflare, but the average user will not know to do that or even understand the concept of federation and decentralization.

Cloudflare’s CDN can be used without using their SSL certificate which just backdoors your site, so why is Element using it? Element is run by the same people that are behind matrix.org (mostly), so they know how to do basic privacy features.

Even if we assume there’s no ill intent here, Cloudflare just wants to centralize the web (~30% of SSL traffic goes through Cloudflare, ~80% of CDN traffic goes through Cloudflare), which is obviously against Matrix’s mission of decentralized communication.

Through Cloudflare, an adversary with ill intention could target a Matrix user and be susceptible to metadata collection.

The CIA & NSA admitted that they kill people by gathering and using metadata.

I’ve taken this argument to the official Matrix channels, and no one has been able to properly respond to the arguments presented. Though, they were only members, no admins were involved.

If anyone wants to bring these issues forth to the official Matrix admins, I’d be more than glad to help. Thanks for reading!

Kino Eye ☭

What’s the best alternative? Jami seems good and I generally trust the FSF and I found Revolt which seems to basically aim to recreate all Discord features and is currently in public beta.

https://github.com/revoltchat

Mossy

I’ve also heard about Fosscord, but it doesn’t seem like it’s at its first release yet

https://fosscord.com/

Fosscord aims to be compatible with Discord which is why I think it has an edge over Revolt. It will be possible to use Fosscord client as a free alternative to the proprietary Discord client while in the process of switching over to a self-hosted instance.

@Yujiri@lemmy.ml

deleted by creator

Kino Eye ☭

I’m actually not sure, nor can I see what encryption they use on the website. Maybe someone smarter than me can check out the code

Revolt currently does not have encryption but there’s an open issue https://github.com/revoltchat/revolt/issues/207

@Yujiri@lemmy.ml

deleted by creator

Kino Eye ☭

Thanks!
