
Remarks regarding matrix/Riot #64

Closed
muppeth opened this issue Nov 27, 2019 · 2 comments

Comments


@muppeth muppeth commented Nov 27, 2019

"Requires phone/email" should be set to "depends on client/user/server", as it is an option during signup. So, since for some reason XMPP has this option not set to "no", I would think that the option in Riot should be set to at least "optional", if not "yes", since a lot of people do put it in during signup and there is no clear way of removing such data afterwards. Additionally, that data will be shared with a for-profit third-party company who operates the main ID server, which should be noted as well.

Puddle test / Hammer test - Since E2EE is not set by default, one needs to assume all data is stored on the server in plaintext. Since all data at all times (even E2EE) is stored on the server indefinitely by default (there is no server-wide history retention), this should be set to "yes".

Leaks files: No - Not sure what it means exactly, but all files can be obtained if you know the URL. No need to be part of the room. Also, no files are encrypted by default.

Additional notes:

  • All contacts are stored on the server in plain text.
  • Server keeps track of every time you login/logout/open the client, without any retention time, indefinitely since the moment you created an account (that data consists of timestamp, user agent, your IP and your token).
  • Server keeps track of your activity in each room indefinitely. Each server is aware of all room participants since the inception of the room, even if the room was not originally created on that server (as soon as a user of another server joins in, the state of the room, such as member list, joins and leaves, etc., is synced to that server).
  • Server keeps indefinitely even things like which line/post you have read last time.
  • Server keeps indefinitely every IP address you have used since you created the account.

All this data is stored in the database indefinitely, not in logs, and it is stored in plaintext. As much as I find Matrix useful for some cases, it is definitely not built with privacy in mind, since it is logging your every move at all times (writing this as a Matrix server administrator who has access to the database, which means I can see exactly what is stored).


@Perelandra0x309 Perelandra0x309 commented Nov 27, 2019

Lots of good points here. I have been less satisfied with Matrix lately, bumping it down off my recommendations list. The Riot review is up for a re-evaluation; my, it's been almost 2 years now. There may need to be some qualifications added to these categories, as in distinguishing what data could be available for unencrypted versus encrypted rooms. I shall make this a priority to redo; it's about time, and E2EE is now officially out of beta. I do use Riot, but as you say, for some cases, and I certainly don't count on it to provide any level of privacy.


@Perelandra0x309 Perelandra0x309 commented Dec 1, 2019

Thanks for the comments, I have updated my Riot review.
