20 July 2019 - 11 minute read

"Wait... what!?"

You heard me. It was recently brought to light (for me at least) a truly colossal fuck-up that not only renders Matrix a bad idea for privacy-respecting chat right now, but generates enough concern to question whether it will ever be safe and usable as a means of communication.

So, what's the problem? Well, by far the largest homeserver - matrix.org - runs through Cloudflare's spyware. All traffic going through matrix.org is leaked, no matter where it comes from or where it's going. If you're an unsuspecting user in a public room, then your privacy is not being respected. In order to speak in public, you must sacrifice everything you say to Cloudflare for collection, analysis, and tracking. That then makes E2EE the only option for communication with any user on matrix.org. The problem then is that the current UX for E2EE is horrendous. The only client that fully supports E2EE is Riot, which requires manual verification from every device to every other device individually. If you have a room with 5 friends, each of which has 3 devices, each person needs to carry out 36 (!!!!) verifications with friends, which requires about a minute each and a second means of communication and for both to be online at the same time on the given devices. It could take days or weeks to get that ordeal over with. Obviously, I've never managed to get such a process complete.

The claim is that they're working on "cross-signing", which should make that whole process easier, for instance if you have an untrusted device, but lots of devices you already trust trust it, then you automatically trust it and so on. That would definitely solve that problem, but Cloudflare is still there. Even if they can't see the messages themselves, they can see the message size, source, destination, time, and any and all other information that would otherwise be protected by https.

"But Matrix is decentralised, so just use a different homeserver". Sure, but I'd need to be on a homeserver that refuses to federate with matrix.org to protect its users. The issue you then get is with Matrix's centralisation with its identity servers. I tried creating an account with privacytools.io with the centralised anti-privacy identity server vector.im blocked thorough uMatrix. I was able to create the account, but then couldn't log in, despite it saying I'd be able to. It was only by removing the block to the identity server that I could connect. It's this vital encryption combined with lacking clients, centralised components, and exposure to Cloudflare's MITM attack on the internet that make Matrix an incredibly hostile platform to try and communicate with. In unencrypted rooms, privacy is exposed in a similar manner to that with any spyware platform such as Discord.

That alone is easily enough to drive away many people, but with Riot's UX otherwise being fairly good, I could probably tolerate that failing and move to a different homeserver and block matrix.org. However, it was not at all everything that was wrong. Upon questioning a few core developers, it became apparent that they simply don't care about their horrendous privacy and security hole. There was a fundamental lack of understanding of what privacy really is, and their claim was that because it was a public room it didn't matter that all traffic through it was automatically siphoned off by Cloudflare's attack. This disgusting refusal to recognise the problem and complete lack of respect for users made the issue too much and so I'm moving away from the platform and do not intend to ever return to it.

I think the worst part is that when I found Matrix and was told about it, the general view was that it was this decentralised and (importantly) privacy-respecting platform, making it a great option for privacy-minded people to comfortably communicate with friends and family. What is arguably the cherry on top was that some 2 million people were led to believe exactly that, only for there to be centralised components built in and this massive security breach affecting the majority of users. It's a scam, and I strongly recommend people keep as far from it as possible - for their own good and for the good of those around them.

So, what to use instead? I've been trying out a number of chat protocols and platforms recently and so I thought I'd give some quick thoughts on which ones I tried and then my overall thoughts on what to use. I will be posting a rundown of my new communications setup soon. To give you an idea of what I was after, most of my friends are not technically minded and my family definitely isn't. My friends are used to centralised spyware platforms such as Facebook messenger and Discord (a platform I now regret pulling them all over to from Skype before I really started to learn about privacy and the dangers to it). They expect to be able to see chat history, send pictures, do group voice chat, and so on and expect it to "just work" - which is quite amusing considering Discord had some of the most hilarious stability and uptime issues. These friends are unfortunately the "i HaVe NoThInG tO hIdE" type, so the only real things I can use to argue in favour of a platform are conveniences - short of just up and leaving and waiting patiently for them to very gradually move over one at a time which is what has been happening with Discord over to Matrix. In that respect, I'm glad only a couple of them have come over so far as it means less hassle for them as a group going from Matrix to XMPP (oops, spoilers!).


IRC isn't something I tried in light of this event. In fact, it was still only very shortly after joining Matrix that I tried IRC as I knew it was very popular and wanted to see what it was like. IRC doesn't so much have the concept of accounts, but more just password-protected usernames. It still resembles an account in that you have a username, password, and an associated email address, but no other data is held. You can create and join channels and you chat in them and then you disconnect. It's wonderfully simple to use. IRC supports 1-to-1 and group chat, but no voice or video. It's also worth noting that IRC servers do not store any messages - they just "relay" it between all connected peers. As a result, no chat history is saved. You don't get any context immediately upon joining a channel, and when you disconnect, nothing is left behind. In that regard, it respects privacy. Considering IRC is a decades old system and hasn't really changed much in that time, it's visibly dated, with only very simple features to it. That made it very fun to use, but considering the people I most need to reach, it's not very accessible.


Tox is a completely P2P system, meaning there are no central servers that manage accounts. Your account is - in its entirety - stored on your own machine, and only the required details are shared with people you communicate with and only those people. Tox has support for 1-to-1 and group chat, 1-to-1 and group voice chat, and 1-to-1 video calls. I tried both the qTox and uTox clients.

My verdict on P2P systems like Tox is that for communicating among like-minded people with regards to privacy, it's great. These more technical people don't need flashy nonsense; we need it to work and to do nothing else. Spyware will not be tolerated, but ugly UIs are fine up to a point. What matters is how well it works. In my case though, it wasn't a great option, because my privacy-blind friends would've hated it and likely just mocked it for missing "important" features like offline messaging and chat history. Multi-device usage is also a key thing that even I couldn't do without. P2P is undoubtedly the way forward, but some serious hurdles need to be dealt with first before it can be both comfortable to use and accessible to those without adequate technical ability.


XMPP - like IRC - is a very old system. XMPP goes back to the late 90s. The difference from IRC though is that XMPP has been built upon tremendously. It's designed to be extensible (even the name says so), and there are a large number of extra specifications that build on the core of XMPP. These things are called "XEPs" and are nothing more than documentation. Any client can very easily implement any or none of the specifications and then just use them without issue. Having tried XMPP, it is considerably faster than Matrix. As it is extensible, it supports chat, voice, and video, all 1-to-1 or in groups - it's just a matter of finding a client to do it. I'll go into more detail on how I've set myself up in another post.

Unlike Tox and similar to Matrix, XMPP is federated, meaning there are still servers that you need to rely on, but it's not centralised in that there can be many servers and you may create an account on any of them, and you may communicate with anyone even if you are on separate servers. This system means there is an incentive to be a good host as if you want people to use your server you need to have good policies and privacy measures, because if you don't then users can trivially go elsewhere without losing contact with anyone. Having servers involved also means that you get all the niceties of a server-client system, like simple multi-device, offline messages, chat history, and so on. I found a list of XMPP servers to browse through and found plenty that not only were clear of things like Cloudflare or Google analytics, but also had clear and readable privacy policies that respected the user. With that, I decided this would be what I'd switch to.

It's a terrible shame that the Matrix community had to fail so tremendously at such a simple thing as respecting users, but on the bright side, there are plenty more chat platforms, many of which do respect users. It's just a matter of going and finding them.


Internet - Thoughts


Copyright Oliver Ayre 2019. Site licensed under the GNU Affero General Public Licence version 3 (AGPLv3).