This is related to Riot and synapse currently listed on your landing page.
@maxidorius welcome to PTIO forums!
I’ve always suspected the real data nightmare surrounding matrixlandia, excellent work describing and detailing it, and a real big thank you for posting this!
in your response to Aaron you state: “We did it for Matrix users who are unaware of what is going on. We did it for Grid users who want something better.”, which I do hope he fully appreciates now versus his “Much of the rest is incorrect or hyperbolic” feeble attempt at rebuttal and amount to little more than excuse making, imo, because as you also said in your notes:
“Default Settings Matter”
(and has helped my flagging faith and trust in firefox as they recently, boldly, stated their (re)newed focus towards ootb privacy friendly defaults.
Informing people is the number one goal of this paper. Me and the other authors of it are definitely thrilled you found it useful. Thank you for taking the time to let us know!
As for Aaron’s reaction, it was made in the heat of the moment. Any project founder is emotionally invested in their “baby”, so I wouldn’t hold it against him yet. Apparently, there’s going to be a blog post later, so let’s see what’s going on in a few days. I do relate to what you point at tho, I wish we were given some recognition instead of just hand waving most of it away.
Hopefully people keep reading our paper, thanking us for it, and we can write more of those!
While the security breach was not in of the Matrix protocol, other Homeservers were affected by it. As per our analysis above, we know that people hosting a typical stack would have the following services not available to them:
Additional issue you didn’t mention is that users were unable to register on other homeservers unless they were aware of identity servers being optional and if left empty email having to be empty too. I didn’t know it.
We didn’t think of that scenario, thank you very much for pointing to it and even linking an issue. We’ll update our paper to include your experience!
FYI, we also replied to Matthew’s PDF: https://gist.github.com/maxidorius/5736fd09c9194b7a6dc03b6b8d7220d0#gistcomment-2945336
After some further double-checking, Cloudflare DOES TLS termination, despite Matthew’s (ambigious) feedback with comment #38: https://gist.github.com/maxidorius/5736fd09c9194b7a6dc03b6b8d7220d0#gistcomment-2963692
I forgot to reply here. MITM verified, crimeflare is a valid name for this service. Although I wanted to believe what I have been seeing as otherwise, no doubt it is exactly what the “conspiracies” say about it.
now even more than disgusted they have convinced the world to hide behind their skirts in the name of DDOS protection guaranteed, join our new facade to Project Honeypot and get all your visitors their very own CFRay ID now!
and all of m.f/m.o/nv is behind the criminal greatCF firewall? ffs, are they really serious about anything privacy related?
And there’s a part 2 with a Personal Data Leak Disclosure: Notes on privacy and data collection of Matrix.org, Part 2