Differences

This shows you the differences between two versions of the page.

--- security [2026/03/26 06:05] – [Treat As Public Chats] admin
+++ security [2026/03/30 02:34] (current) – admin
@@ Line 12: / Line 12: @@
   * Keybase - Supports multiple profiles, allows managing teams. Roughly an alternative to discord/slack. Currently owned by Zoom. Keybase has access to metadata to understand who is talking to who. https://book.keybase.io/docs/chat/crypto#metadata
-===== Treat As Public Chats  =====
+  * Matrix
-  * Matrix - Fluffychat client is recommended, as it supports multiple profiles. Setup a home server and disable federation to prevent metadata being copied around.
+      * Configuration Steps:
+        * Setup a home server and disable federation to prevent metadata being copied around to other servers,  This option is also configurable by the room creator, which is helpful and can decide when to use it.
-Note Homeserver owners can join encrypted chats and impersonate users by adding their own device key to the target users account.  This is a bug that is being fixed in 2026 by requiring clients to confirm device keys of other users. https://element.io/blog/verifying-your-devices-is-becoming-mandatory-2/
+        * Enable End To End Encryption (E2EE) for sensitive rooms.
+      * Security And Privacy Notes:
+        * While messages are encrypted in E2EE rooms, privacy leaks are possible. Metadata is not encrypted and currently not supported by the protocol, although it' being worked on.This includes usernames of who are in encrypted chat rooms, who created the room, and the title of the room.
+        * Homeserver owners can join encrypted chats technically. They would have to impersonate users by adding their own device key to the targeted user account.  This is a bug that is being mitigated in 2026 by requiring users to confirm new devices added to their account https://element.io/blog/verifying-your-devices-is-becoming-mandatory-2/. Note users will be notified that a new device was added, and they should not validate it to avoid having messages sent to it.
+        * A stolen domain for homeserver can gain rights as any user that has joined the room from the homeserver, This is due to Matrix stores permissions as user@homeserverDomain.com for rooms.
+        * Fluffychat client is recommended, as it supports multiple profiles.
+        * Users joining E2EE encrypted rooms can not see past messages. This is being worked on currently (https://github.com/matrix-org/matrix-spec-proposals/pull/4268).