this post was submitted on 29 Oct 2024
438 points (98.7% liked)
Technology
59358 readers
5233 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Room membership and various other room state events are not currently end-to-end encrypted, which means a nosy admin on a participating homeserver could peek at them. (They're still not visible on the wire, though, nor on homeservers whose users haven't been invited.)
I don't know if Signal is actually much better here, since I haven't looked at their protocol. They hyped their Sealed Sender feature as a solution to some of this, but it can't really protect from nosy server admins who are able to alter the code, and they fundamentally cannot hide network-level meta-data like who is talking with whom. There's a brief and pretty accessible description of why in the video accompanying this paper.
I don't have a list of Matrix events that remain unencrypted in encrypted rooms. You could read the spec to find them if you're motivated enough to slog through it, but be warned that network protocol specs tend to be long and boring. :) Unfortunately, the few easy-to-digest blog posts about it that I've encountered have been both alarmist and inaccurate on important points (one widely circulated one was so bad that the author even retracted it), so not very useful for getting an objective view of the issue.
However, the maintainers have publicly acknowledged the issue as something they want to fix, both in online forums and in bug reports like this one:
https://github.com/element-hq/element-meta/issues/1214