Hacker Remix

Matrix.org Will Migrate to MAS

193 points by LorenDB 1 day ago | 142 comments

jckahn 1 day ago

Cool! I’ve recently consolidated all of my Google Chat and WhatsApp friends onto Matrix (via Element) because it’s E2EE. Gchat isn’t and I assume that Meta has a backdoor into WhatsApp conversations. So, those platforms can’t be trusted. Signal doesn’t have a web interface, so that’s a no-go for me. lol Telegram.

Matrix has been great for me and I recommend that everyone else use it!

foresto 1 day ago

> I assume that Meta has a backdoor into WhatsApp conversations

They don't need a back door when they control the front door: the app. End-to-end encryption doesn't protect the endpoints.

(In other words, your concern is warranted.)

pentagrama 1 day ago

You're absolutely right. End-to-end encryption protects message content, but WhatsApp still collects metadata, which is incredibly valuable.

Even though they can't read your messages, they know who you talk to, how often, when, and for how long. They also track your device info, IP address (which can reveal your location), network details, and app usage patterns.

And this data isn’t just sitting there—Meta uses it. For example, if you chat with a business on WhatsApp, you might start seeing ads for that business on Instagram or Facebook. They don’t need to read your messages when they can infer so much just from how you use the app.

Disclaimer: Comment translated from Spanish and corrected by Chat GPT.

ItsBob 17 hours ago

> Even though they can't read your messages

I've long wondered if this is actually true.

If I have a closed-source app and claim (and can verify!) E2EE, surely I could still read every message from my closed-source app, within the app itself, and you'd never know.

I've never been a mobile app developer but I've been a desktop and web developer since the 90s so I don't know what apps can and cannot see but in a desktop app or web app, if it's on the screen, it's decrypted and I can put code in to read/steal it.

Am I missing something here?

floralhangnail 14 hours ago

At about 2:33:15 here, Zuckerberg somewhat alludes that Meta can take screenshots of WhatsApp messages.

https://youtu.be/7k1ehaE0bdU?t=9189

robertlagrant 15 hours ago

It's true in a sense - using an iPhone or an Android phone Apple/Google could be streaming your screen contents constantly, so even e2ee wouldn't help.

I just don't know if that is actually true, or if meta doing e2ee and then pinging your messages around from the app after they're delivered is true. I've no reason to believe either is.

ranger_danger 1 day ago

And the default/largest homeserver, matrix.org, uses Cloudflare, so all your data belongs to them as well.

foresto 1 day ago

It is disappointing that they use Cloudflare, especially since most Matrix metadata hasn't yet been moved to the end-to-end encrypted channel.

(Arathorn: is e2ee metadata still on the roadmap?)

But no, not all your data is exposed. The e2ee parts, like message content in encrypted rooms, are opaque to Cloudflare.

Arathorn 1 day ago

yup, encrypted metadata is very much on the roadmap. https://github.com/matrix-org/matrix-spec-proposals/pull/425... is one of the more recent proposals for it.

Steltek 1 day ago

Self-hosted Matrix with all the bridges is awesome and brings back that Pidgin/Adium life of one chat app for all of my friends. Too bad Apple has an uncanny ability to avoid consequences with iMessage.

nisa 1 day ago

It's wonderful that it seems to work well for you, but my experience in bridging group chats with XMPP or IRC was terrible. Lost messages, bridge crashes, puppet accounts getting randomly broken/duplicated with discarded messages.

From the bridges I've run, only the Telegram bridge is somewhat stable for me, but it also has its warts.

Might be different if you run a strictly personal server for 1:1 conversations, but I'd say from a UX perspective the bridges idea largely failed IMHO.

I don't think it's the fault of Element/Matrix; it's a difficult problem, and I guess with limited resources they made a lot of progress and made things possible that weren't before, but it's not plug and play, at least it wasn't for me.

In general I've found it's also difficult to communicate in group chats if there are two worlds with a slightly different view (missing reactions, some elements of the messenger are not supported like captions, polls and so on...)

kuon 1 day ago

While I generally agree, the slidge bridge for XMPP has been working quite well for me, especially whatsapp, but it is really new.

nisa 1 day ago

> slidge bridge

Didn't know about this one. Thanks, I'm looking into it!

jcul 1 day ago

Signal doesn't have a web interface, but being able to use a desktop app is OK for me.

The big downside for me is not being able to use it on two devices. All the other services, privacy concerns or not can now do this. It's one reason why I stopped donating to / advocating for signal.

nothrabannosir 1 day ago

jcul 22 hours ago

This lets you use the desktop application and a phone at the same time, which I use.

It doesn't allow you to use multiple phones at the same time.

kaiken1987 14 hours ago

It's something I've just recently run into trying to set it up on an Android tablet. The funny thing is they allow it on an iPad. It'd be great if they allowed just any phone or tablet to link to the primary device. I'd complain but it's been deaf ears for the last 4 years to get them to put gifs back into the desktop app.

nothrabannosir 11 hours ago

Thanks I didn't know that

methuselah_in 8 hours ago

You should not use it! XMPP is the answer, with its few issues, and Matrix requires a hell of a lot of system resources as well.

jokoon 1 day ago

I set Firefox to clear cookies, and also set cookies to "strict".

This somehow causes a huge pain to connect to Mozilla's Matrix instance, and I never understood why. This is a bit ironic since Firefox has that feature to clear cookies.

I had to reset password, and do other weird things, I can't remember what exactly.

I hope this MAS thing fixes it.

apples_oranges 1 day ago

So unusable for people like me who only surf in private mode

jeroenhd 22 hours ago

Putting tracking protection to strict essentially makes Firefox violate certain web standards. Developers aren't going to test against that, and if they are they're probably not going to be able to do much about the problems strict tracking protection causes.

If MAS fixes this, it'll be by accident and it'll probably break in the future. Firefox warns against this kind of breakage if you enable strict tracking protection in the settings. You can't have strict tracking protection + websites doing cross-domain authentication working.

anon7000 1 day ago

I mean, yeah, tracking prevention features basically completely break cross-domain authentication. There are a surprising number of valid use cases that need cross-domain auth (or make the user experience a lot easier). While there are workarounds these days, sometimes it does require deep changes in how auth works.

jokoon 1 day ago

> There are a surprising number of valid use cases that need cross-domain auth

I am not a web developer, but I would disagree with that.

Either web standards respect privacy or they don't, but I would not sacrifice privacy for anything.

Firefox was right to prevent tracking; it highlights how web standards are just not good. If something doesn't work properly in a Firefox private window, to me it should not exist.

dwattttt 1 day ago

Authentication requires the opposite of privacy. If you don't want to be identified, you can't restrict anything to your identity.

johnmaguire 1 day ago

It kind of depends. See Kagi Privacy Pass ("Allows you to use Kagi Search with Privacy Pass, which cryptographically ensures that Kagi cannot tie that request to an account and allows for further privacy and anonymity."): https://help.kagi.com/kagi/privacy/privacy-pass.html

jeroenhd 22 hours ago

... which requires an addon to the browser, or for it to be built in specifically for that company.

That's not something companies like Matrix can use. If you're installing software already, why not skip the browser engine and install a full Matrix client instead?

johnmaguire 13 hours ago

I wasn't responding directly to Matrix's use of MAS. More generally I aimed to make the parent poster aware of a new technology that allows for private authentication, which they claimed was impossible.

Privacy Pass is currently being standardized by the IETF, so we may see more widespread adoption eventually: https://privacypass.github.io/

dwattttt 8 hours ago

Just to make the claim clearer: it can't matter what the authentication mechanism is.

If a Privacy Pass token is needed for access to your email, then redeeming the token tells the service you (the client) can access your email. That's identified you.

kevin_thibedeau 1 day ago

If I'm authenticating with server A, I shouldn't have to carry ephemera from server B. A can interact with B on its own if necessary.

Bubbling up these architectural details to the front end is a symptom of the webdev cargo cult coming up with broken ideas that get fossilized as the status quo.

johnmaguire 1 day ago

With OIDC, both occur: the client is redirected to the authentication server where they directly authenticate, then carries a token cross-domain back to the service. Finally, the service validates the token against the auth server.

The alternative would be something where I enter my Google username/password on random websites, and trust that they will forward it to Google and not do anything nefarious. This is less secure and less private.
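The redirect-and-token flow described in this comment, as an added example that is not part of the thread or of MAS: a constructed three-party demo in which the auth server issues a signed token after checking the password itself, and the service validates signature, issuer, audience, lifetime and nonce without ever seeing that password. The HMAC key, issuer URL, audience and user database are placeholders; a real OIDC provider signs with an asymmetric key published via its JWKS.

```python
import base64, hashlib, hmac, json, secrets

# Constructed demo. The shared HMAC key stands in for the auth server's signing
# key; real OIDC providers use RS256/ES256 keys the service fetches from a JWKS.
AUTH_SERVER_KEY = secrets.token_bytes(32)
ISSUER = "https://auth.example.org"      # hypothetical auth server
SERVICE_AUDIENCE = "matrix-client-demo"  # hypothetical OIDC client_id
USER_DB = {"alice": "correct horse battery"}  # demo only: real servers store hashes

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def auth_server_issue_token(username: str, password: str, nonce: str, now: int) -> str:
    """Step 1: the user authenticates directly with the auth server; only it sees the password."""
    if not hmac.compare_digest(USER_DB.get(username, ""), password):
        raise PermissionError("bad credentials")
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"iss": ISSUER, "sub": username, "aud": SERVICE_AUDIENCE,
                                 "iat": now, "exp": now + 300, "nonce": nonce}).encode())
    sig = hmac.new(AUTH_SERVER_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(sig)}"

def service_validate_token(token: str, expected_nonce: str, now: int) -> dict:
    """Steps 2-3: the client carries the token cross-domain; the service checks it against the auth server's key."""
    h64, c64, s64 = token.split(".")  # ValueError if not exactly three segments
    # Verify with the algorithm *we* pinned, never the one the token header claims.
    expected = hmac.new(AUTH_SERVER_KEY, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(c64))
    if claims.get("iss") != ISSUER or claims.get("aud") != SERVICE_AUDIENCE:
        raise ValueError("token was minted by another issuer or for another service")
    if not (claims.get("iat", now + 1) <= now < claims.get("exp", 0)):
        raise ValueError("token not yet valid or expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: possible replay into a different login")
    return claims

def rejects(token: str, nonce: str, now: int) -> bool:
    """True if the service refuses the token (used for the negative cases)."""
    try:
        service_validate_token(token, nonce, now)
        return False
    except ValueError:
        return True
```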

kibwen 1 day ago

The status quo appears to involve handing over your account password to your chosen client. That's worse than this.

wkat4242 1 day ago

If you don't trust your matrix client, why use it at all?

It's also a bit disheartening to see Matrix putting all that "Log in with Google", Apple, Facebook etc so prominently on their login page. The whole idea of decentralised services was getting out of those walled gardens.

johnmaguire 1 day ago

Yeah, I would argue it's less about removing trust from the client (which will ultimately get an auth token in addition to secrets and plaintext messages) and more about allowing for centralized authentication and authorization policies.

cvwright 1 day ago

But you already trust your client with all the private keys and message plaintexts for your account.

I struggle to see why I should trust it with those things but not the account password.

tcfhgj 20 hours ago

Not necessarily, you could give restricted access to a client

lucyjojo 23 hours ago

My Google account has way more power over me than whatever I ever wrote in Matrix in my life (ever, ever).

nurettin 1 day ago

How do you prevent them from collecting "Interaction Data"?

https://www.mozilla.org/en-US/privacy/firefox/#bookmark-how-...

apetresc 1 day ago

I vaguely remember an old MSC or TWIM or something that described (the possibility of) a new authentication mechanism whereby I could set up either a dummy homeserver or something in .well_known that would allow me to use my own domain but without needing to use my own homeserver for the actual traffic. Sort of like an auth-only homeserver, if you will.

Is that part of MAS? Was that initiative ever fully-baked? Or am I just misremembering?

Arathorn 1 day ago

That's .well-known based delegation, which was proposed in MSC1708 in Nov 2017: https://github.com/matrix-org/matrix-spec-proposals/blob/old... and merged into the spec in Jan 2019 (prior to Matrix 1.0 in June 2019): https://github.com/matrix-org/matrix-spec/commit/0347e873efc...

So yes, fully-baked and part of Matrix since 1.0!

Next Gen Auth via OIDC is instead a key part of the (upcoming) Matrix 2.0 spec release - see https://areweoidcyet.com and https://github.com/matrix-org/matrix-spec-proposals/pull/386...
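The .well-known delegation Arathorn points to, as an added example that is not from the thread or from the Matrix project: a resolver for the two delegation documents (client discovery and MSC1708 server delegation) that rejects malformed targets and refuses a plaintext base_url. The domain names and document bodies are constructed; the SRV-record step of the real server-name resolution is omitted.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed .well-known documents for a hypothetical domain example.org whose owner
# serves two small JSON files and delegates to a homeserver at matrix.example.net.
CLIENT_WELL_KNOWN = json.dumps({"m.homeserver": {"base_url": "https://matrix.example.net/"}})
SERVER_WELL_KNOWN = json.dumps({"m.server": "matrix.example.net:443"})

# m.server must be <hostname>[:<port>]; IPv6 literals are bracketed.
_HOSTPORT = re.compile(r"^(?P<host>[A-Za-z0-9.-]+|\[[0-9A-Fa-f:.]+\])(?::(?P<port>\d{1,5}))?$")

def resolve_client_base_url(body: str) -> str:
    """/.well-known/matrix/client: the homeserver base URL clients should talk to."""
    doc = json.loads(body)
    hs = doc.get("m.homeserver") if isinstance(doc, dict) else None
    base_url = hs.get("base_url") if isinstance(hs, dict) else None
    if not isinstance(base_url, str):
        raise ValueError("m.homeserver.base_url missing")
    parts = urlsplit(base_url)
    # The delegation file arrives over HTTPS; accepting a plaintext base_url here
    # would silently downgrade every later login and token exchange.
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("base_url must be an https URL")
    return base_url.rstrip("/")

def resolve_server_name(body: str) -> tuple[str, int]:
    """/.well-known/matrix/server (MSC1708): where other homeservers federate.
    The spec consults SRV records when no port is given; this demo uses 8448 directly."""
    doc = json.loads(body)
    target = doc.get("m.server") if isinstance(doc, dict) else None
    if not isinstance(target, str):
        raise ValueError("m.server missing")
    m = _HOSTPORT.match(target)
    if not m:
        raise ValueError(f"invalid m.server value: {target!r}")
    port = int(m.group("port")) if m.group("port") else 8448
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return m.group("host"), port

def rejects(fn, body: str) -> bool:
    """True if the resolver refuses the document (for the negative cases)."""
    try:
        fn(body)
        return False
    except ValueError:
        return True
```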

MartijnBraam 1 day ago

Afaik that's not related to this, that was already possible as a domain alias. I think that feature is called a delegation if I remember correctly.

neilv 1 day ago

* Is all matrix.org's server-side for this open source, and able to be self-hosted?

* Do all the Matrix clients need to be modified to support this authentication method?

Arathorn 1 day ago

The new authentication server (MAS) is at https://github.com/element-hq/matrix-authentication-service (AGPLv3) and entirely self-hostable - e.g. https://github.com/element-hq/ess-helm for the brand new official helm charts from Element, or https://github.com/element-hq/element-docker-demo for a very quick and dirty docker-compose setup I threw together.

MAS provides backwards compatibility for the old Matrix auth APIs for existing Matrix clients, so they do not need to be modified to keep working. However, to get the most out of all the new auth features (2FA, MFA, QR login etc. etc.) then clients will need to be upgraded to speak OIDC natively. Element X for instance is already OIDC-native.

https://areweoidcyet.com has more details.

cyberax 1 day ago

1. Yes. Even the public website is open source. The license is AGPLv3: https://github.com/element-hq/synapse

2. Yes.