3 automatic privacy leaks on startup in Riot 1.6.2 #13942

Closed
sneak opened this issue Jun 6, 2020 · 3 comments

sneak commented Jun 6, 2020

Description

Riot desktop 1.6.2 makes three outbound connections, serving as telemetry (whether intended as such or not) to three different hostnames on startup.

Due to pervasive passive government surveillance, and the fact that SNI does not encrypt the hostname in TLS connections, it is obvious to my ISP and national military that I am a Matrix/Riot user as a result of these connections. These connections are unnecessary, as I am using my own homeserver. I would expect the client to connect only to my homeserver unless explicitly configured otherwise.

Steps to reproduce

  • Download Riot 1.6.2 and launch it

Expected

Sitting at the login/signup screen, I would not expect any network traffic whatsoever from the client, and when I log in, I would expect network traffic only to the homeserver which I am using.

Actual

Instead, it makes three unauthorized connections which serve as inadvertent telemetry:

1: matrix.org

Screen Shot 2020-06-06 at 06 30 39

2: vector.im

Screen Shot 2020-06-06 at 06 30 41

3: riot.im

Screen Shot 2020-06-06 at 06 31 09

None of these were authorized, nor did the application notify me that it was using the network in any way—I'm not even logged in to anything. (The screenshots are from a third party program.)

The app should be obtaining explicit opt-in permission before making connections to third-party servers. As Matrix is a federated protocol and Riot is not tightly coupled to matrix.org, any connection to a homeserver not explicitly configured by a user is a third-party connection and requires advance, opt-in consent.

Version information

1.6.2, desktop macOS

@sneak sneak added the T-Defect label Jun 6, 2020

sneak commented Jun 6, 2020

Latest-version tracking related to #11655.

sneak changed the title from "Privacy Leak in Riot 1.6.2" to "3 automatic privacy leaks on startup in Riot 1.6.2" on Jun 6, 2020

t3chguy commented Jun 6, 2020

As a product requirement, the first thing Riot does as part of boot is ensure that its config.json is valid, which means confirming all the default services specified there.

For Riot desktop you can change the config as per the docs (https://github.com/vector-im/riot-desktop#user-specified-configjson) to point at your own services instead.
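An added example, not part of the thread and not Riot's own code: a way to audit a user-specified config.json for hostnames outside the domains you operate, which are the hosts the startup validation described above would contact. The sample config is constructed for illustration (its key names and URLs are assumptions, not the shipped defaults), and `example.org` stands in for a self-hosted domain.

```python
import json
from urllib.parse import urlsplit

# Constructed sample for illustration; NOT the config Riot ships.
# Key names and URLs here are assumptions.
SAMPLE_CONFIG = """
{
  "default_server_config": {
    "m.homeserver": {"base_url": "https://matrix.org"},
    "m.identity_server": {"base_url": "https://vector.im"}
  },
  "integrations_ui_url": "https://scalar.vector.im/",
  "bug_report_endpoint_url": "https://riot.im/bugs/submit",
  "brand": "Riot"
}
"""

def iter_hosts(node, path=""):
    """Yield (json_path, hostname) for every http(s) URL string in the config.
    Bare hostnames without a scheme are not detected."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_hosts(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_hosts(value, f"{path}/{index}")
    elif isinstance(node, str):
        parts = urlsplit(node)
        if parts.scheme in ("http", "https") and parts.hostname:
            yield path, parts.hostname.lower()

def is_allowed(host, allowed_domains):
    """True if host is an allowed domain or a subdomain of one (label-aligned)."""
    return any(host == d or host.endswith("." + d) for d in allowed_domains)

def third_party_hosts(config_text, allowed_domains):
    """Map each non-allowed hostname to the config paths that reference it."""
    allowed = [d.lower().rstrip(".") for d in allowed_domains]
    findings = {}
    for path, host in iter_hosts(json.loads(config_text)):
        if not is_allowed(host, allowed):
            findings.setdefault(host, []).append(path)
    return findings

if __name__ == "__main__":
    report = third_party_hosts(SAMPLE_CONFIG, ["example.org"])
    for host, paths in sorted(report.items()):
        print(f"{host}: {', '.join(paths)}")
```

An empty result means every URL in the file points at a domain on the allowlist.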


t3chguy commented Jun 6, 2020

Closing in favour of higher priority #11655 which is now tracking the overarching issue.

@t3chguy t3chguy closed this as completed Jun 6, 2020