Matrix: Security & Privacy

The actual security and privacy policies of Matrix can often be confusing for new users. We will analyze the ways your privacy can be threatened, and the steps that can improve it.

Part 1: The initial connection

When connecting with a server, it is necessary that the server knows how to reply to the client. Matrix is a federated network, meaning that users connect to servers, and servers connect to other servers. It's like e-mail. The first step in being secure involves (a) picking the right server, and (b) taking necessary precautions when interacting with the server. We will be using the terms “server” and “node” interchangeably as well as the terms “client” and “user”.

Ideally, as many people as possible host their own Matrix servers. If every affinity group hosts their own server, or every cause, or simply more “general purpose” servers are available, this improves the security of the network. Why is having multiple servers a good thing?

  1. Multiple servers provide resiliency. When only one server is available for use, the danger of the entire communications network becoming compromised or unavailable is much greater than if many servers were available. In a hypothetical network of 10 “nodes,” no single node controls or “owns” a shared chatroom. If a node goes offline, the chatroom will continue to operate, and the node that went offline will get the missed messages when it returns online.
  2. Multiple servers keep you safer. The amount of information that a server receives from you is fairly standard in public and unencrypted rooms: username, IP address. Simply logging onto a server will provide them with your IP address. While no server has any knowledge of your encrypted communications, one server will have knowledge of your IP address. Imagine hypothetically if there are 100 users on 1 node, vs 100 users across 10 nodes. In the first example, in the event the server is compromised, the adversary has the connection details for 100 users. In the latter example, in the event a server is compromised, the adversary can only see 10% of connection details. While an IP address is not too dangerous in and of itself, we advise you to read up more on the subject of IP addresses.

Brickshop.io is not the only Matrix server. The servers provided by https://matrix.org and https://privacytools.io are recommended by our team. A more complete list of servers can be viewed on The-Federation.info, which claims to index several thousand servers.

Along with selecting a good server (or hosting your own!) and potentially masking your IP address, we suggest not assigning your e-mail address or phone number to your account, and also picking a unique username. A lot of instances of doxxing are due to people picking the wrong username. While it's your choice whether you use your Twitter name or pick a punny name relating to your political orientation, picking short, unique, and generic names reveals the least to potential adversaries. The author prefers randomly generated, 3-6 letter nouns, which are easy to generate online.

In addition to selecting a good server and good username, it's also recommended to create a secondary account. As mentioned earlier, a big feature of Matrix is that it allows for multiple servers to seamlessly link. As also mentioned, limiting yourself & your affinity group to one server alone comes with security pitfalls. By creating accounts with multiple usernames on multiple servers, you can enhance your OPSEC by limiting what your accounts say in the places where they say them. If you use one account on one server for public and unencrypted messages, and a second account on a second server for private and encrypted messages, it is very difficult for adversaries to link the accounts together.
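To see what a server actually holds about an account (the recorded IP address and any bound e-mail or phone number, as discussed above), the Matrix client-server API exposes `GET /_matrix/client/r0/account/3pid` and `GET /_matrix/client/r0/devices`. The following is an added example, not part of the original page: it audits responses from those two endpoints. The sample responses are constructed, and `MASKED_NETWORKS` is an assumed list of the VPN or Tor exit ranges you expect the server to see.

```python
import ipaddress
import json

# Constructed sample responses, shaped like the Matrix client-server API
# endpoints GET /_matrix/client/r0/account/3pid and /_matrix/client/r0/devices.
SAMPLE_3PID = json.loads("""
{"threepids": [
  {"medium": "email", "address": "someone@example.org",
   "validated_at": 1592800000000, "added_at": 1592800000000}
]}""")

SAMPLE_DEVICES = json.loads("""
{"devices": [
  {"device_id": "AAAAAAAAAA", "display_name": "laptop",
   "last_seen_ip": "198.51.100.23", "last_seen_ts": 1592850000000},
  {"device_id": "BBBBBBBBBB", "display_name": "phone",
   "last_seen_ip": "203.0.113.77", "last_seen_ts": 1592851000000},
  {"device_id": "CCCCCCCCCC", "display_name": "old session"}
]}""")

# Assumption: networks you expect the server to see (your VPN provider's range
# or known Tor exits). A documentation range is used here as a placeholder.
MASKED_NETWORKS = ["198.51.100.0/24"]


def audit_account(threepids, devices, masked_networks):
    """Return a list of (kind, detail) findings about what the server holds."""
    nets = [ipaddress.ip_network(n) for n in masked_networks]
    findings = []
    # Any bound e-mail or phone number links the account to a real identity.
    for tp in threepids.get("threepids", []):
        findings.append(("bound_3pid", f"{tp['medium']}:{tp['address']}"))
    for dev in devices.get("devices", []):
        ip = dev.get("last_seen_ip")
        if not ip:  # the field can be missing for a session with no recorded IP
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(("unparseable_ip", f"{dev['device_id']}:{ip}"))
            continue
        # The server recorded an address outside your VPN/Tor ranges.
        if not any(addr in net for net in nets):
            findings.append(("unmasked_ip", f"{dev['device_id']}:{ip}"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_account(SAMPLE_3PID, SAMPLE_DEVICES, MASKED_NETWORKS):
        print(f"{kind:14} {detail}")
```

On the sample data this reports the bound e-mail address and the one session whose recorded address falls outside the declared masked range.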

Part 2: Public chatrooms

It needs to be constantly repeated: whatever is said in a public chatroom may as well be said on Telegram, Twitter, Facebook, Instagram, or any other chat protocol that is not end to end encrypted and private. In the context of security, what is said from your account cannot be “plausibly denied.” While what someone claims you said in a private and encrypted chatroom can be denied, what your account posts in a public room cannot be denied so easily, especially not if you do not take care to hide your IP Address.

To be as safe as you can be in a public chatroom:

  1. Connect via a server that you trust.
  2. Mask your IP Address via Tor or VPN.
  3. Don't say anything illegal or incriminating.
  4. Don't recycle an old username.
  5. Consider using multiple accounts on multiple servers.
  6. Be wary of how much you trust strangers.
  7. Assume there is at least one Fed, nazi, or other bad actor present.

Public chatrooms are not inherently dangerous and we should not shy away from reaching out to the masses, especially with important or “high level” ideas. However, when discussing very specific occasions or individuals, consider creating a private message with encryption or rotating to a private and secret chatroom. A general rule of thumb for the more wild side of the internet is this: “If you wouldn't like to see your message next to your name and face in a newspaper or court record, don't say it.” No matter how much a server promises security (whether it's Telegram, any Matrix server, Discord, etc) you should always be very cautious about any message you send across unencrypted lines.

Private and encrypted chatrooms on Matrix are about as safe as end2end encrypted rooms on Telegram, Whatsapp, and Signal. When in doubt, communicate face to face with cell phones and other devices (Smart TVs, tablets) in another room.

Part 3: High-trust chat

A “high trust” chat means a chatroom where you are able to “vet” every member of the room; that is, you've “verified the key” of the devices of the users. Unlike Signal, Matrix uses interface patterns to encourage you to verify the identities of the users you're talking with.

In the Riot client, there is a feature to prevent sending messages to devices that you have not verified. Imagine you are in an encrypted chatroom with 40 people and you have personally verified 10 of their identities. If you toggle this setting, it means only 10 members of the room will see your message and the other 30 will be left in the dark. While the other 30 may be able to guess what you said based on context clues, this is still a much safer method of communication than sending a “sensitive” message to the entire room, and only limits your sensitive message to the people that you have decided to trust on your own criteria.

This special feature:

Room → Privacy →
Never send encrypted messages to unverified sessions in this room from this session

is unique to Matrix/Riot to our knowledge.

When in doubt, again consider face-to-face communication in an electronics-free area in a safe location. Operational security is never so simple as just trusting an algorithm. The best we can hope for in the realm of digital communications is “plausible deniability” and even that has its drawbacks.

Part 4: Account recovery

Part 5: What others know

Appendix A: Matrix vs other chat systems

  • Matrix vs Signal:
    • Signal is actually a great system. It only has two downsides: it depends on sharing phone numbers, and rooms cannot be moderated – you can't set a topic, kick an old user, or give a stranger a username rather than your cell number. Another downside of Signal is that it's not very easy to write bots for it, in contrast with Matrix, Telegram, Discord, IRC, Slack, etc etc etc. Whether or not Signal being “invite only” is a pro or con depends on your understanding of security.
  • Matrix vs Telegram:
    • The level of security outside of 1on1 encrypted chats on Telegram (eg: in chatrooms or normal chats) is exactly identical to the level of security provided in a public, unencrypted Matrix chat: essentially none & users are at the mercy of the server. Even worse than Matrix, which logs IP address, Telegram logs phone number and IP address. If your chats are not 1on1, “end to end” encrypted, you are essentially using Facebook, Twitter, Snapchat, or other non-safe communication methods.
  • Matrix vs Discord:
    • Discord is a fucking joke and I'll explain why later.
matrix/security.txt · Last modified: 2020/06/22 20:07 by acab