Riot desktop 1.6.2 makes three outbound connections, serving as telemetry (whether intended as such or not) to three different hostnames on startup.
Due to pervasive passive government surveillance, and the fact that SNI does not encrypt the hostname in TLS connections, it is obvious to my ISP and national military that I am a Matrix/Riot user as a result of these connections. These connections are unnecessary, as I am using my own homeserver. I would expect the client to connect only to my homeserver unless explicitly configured otherwise.
Steps to reproduce
Download Riot 1.6.2 and launch it
Expected
Sitting at the login/signup screen, I would not expect any network traffic whatsoever from the client, and when I log in, I would expect network traffic only to the homeserver which I am using.
Actual
Instead, it makes three unauthorized connections which serve as inadvertent telemetry:
1: matrix.org
2: vector.im
3: riot.im
None of these were authorized, nor did the application notify me that it was using the network in any way—I'm not even logged in to anything. (The screenshots are from a third-party program.)
The app should be obtaining explicit opt-in permission before making connections to third-party servers. As Matrix is a federated protocol and Riot is not tightly coupled to matrix.org, any connection to a homeserver not explicitly configured by a user is a third-party connection and requires advance, opt-in consent.
Version information
1.6.2, desktop macOS
As a product requirement, the first thing Riot does as part of boot is ensure that its config.json is valid, which means confirming all the default services specified there.