Dept of Social Good 🙆

spaetz says

The German Data Protection Officer is creating a catalogue of criteria to assess messengers. They still take feedback till Nov 15. List of criteria is available in German and English.

Toot: https://social.bund.de/@bfdi/113306169664247379

English criterion pdf link is: https://www.bfdi.bund.de/SharedDocs/Downloads/EN/Konsultationsverfahren/3_Messengerdienste/Katalog-SMA-Front-End.pdf?__blob=publicationFile&v=2

Dept of Spec 📜

TravisR says

Here's your weekly spec update! The heart of Matrix is the specification - and this is modified by Matrix Spec Change (MSC) proposals. Learn more about how the process works at https://spec.matrix.org/proposals.

MSC Status

New MSCs:

• MSC4213: Remove server_name parameter
• MSC4211: WebXDC on Matrix

MSCs in Final Comment Period:

• No MSCs are in FCP.

Accepted MSCs:

• MSC4170: 403 error responses for profile APIs

Closed MSCs:

• MSC3060: Room labels
• MSC4214: Embedding Widgets in Messages

Spec Updates

Matrix 1.12 went out last week! This release contains a few Trust & Safety improvements, bug fixes for authenticated media, an ability to mark rooms as unread, and several other quality of life features. Check it out, and get an early preview for what the next release might look like 👀

If there's something you'd like the Spec Core Team to take a look at, let us know in our office room: #sct-office:matrix.org

Continue reading…

Hi all,

We are disclosing two high-severity vulnerabilities in matrix-js-sdk and matrix-react-sdk related to MSC3061, which specifies sharing room keys with newly invited users for message history access.

Affected versions

• matrix-js-sdk ≥ 9.11.0, < 34.8.0 (CVE-2024-47080 / GHSA-4jf8-g8wp-cx7c). Fixed in 34.8.0.
• matrix-react-sdk ≥ 3.18.0, < 3.102.0 (CVE-2024-47824 / GHSA-qcvh-p9jq-wp8v). Fixed in 3.102.0.

Vulnerability details

When inviting a user to an encrypted room, in the legacy (pre-Rust) encryption implementation, matrix-react-sdk forwarded existing message keys to the newly invited user so they could decrypt shared message history as per MSC3061. The implementation is provided by matrix-js-sdk, which incorrectly applied the same rules for sending existing keys to the invited user as for sending new keys, which allows them to be sent to unverified devices and unverified users. While there's always some risk of key exposure to a server-side attacker when you're interacting with unverified users, the risk is higher for historical keys.

Root cause and remediation

The root cause of the matrix-react-sdk vulnerability is a function call into vulnerable functionality implemented in the matrix-js-sdk. The matrix-react-sdk vulnerability was addressed earlier, in matrix-react-sdk version 3.102.0, by removing the call. The matrix-js-sdk vulnerability will be addressed in version 34.8.0 to remove the vulnerable functionality completely. Because of these differences, two separate advisories were warranted.

Note that the vulnerability is only present in the matrix-js-sdk when running the old, non-Rust encryption stack. The vulnerable functionality was never implemented in the Rust-based stack. As a result, clients using the matrix-js-sdk in Rust crypto mode (i.e. calling initRustCrypto rather than initCrypto) are not vulnerable, even if on a nominally vulnerable version.

Furthermore, matrix-android-sdk2 and matrix-ios-sdk have similar functionality that is gated behind an experimental setting—we recommend avoiding use of this setting, though there are no specific advisories since the feature has only been available in an experimental state.

Proposed specification changes

To fix this functionality in terms of the specification process, we will open an MSC to explicitly clarify that MSC3061 key forwarding should only forward keys to verified devices owned by verified users, ensuring that historical keys are never shared with untrusted devices. This also encourages users to verify each other to enable reading message history, thereby improving Matrix security against interception.

Note on project ownership

The matrix-react-sdk is no longer a Foundation project but that of Element and has been moved to https://github.com/element-hq/matrix-react-sdk. However, the vulnerability in question was introduced, found and patched while it was still under Foundation ownership. For this reason, the Matrix.org Security team decided to treat this as a Foundation advisory. Future advisories for matrix-react-sdk (if any) will come from Element.

Matrix Live

Continue reading…

Hey all,

Welcome to the Matrix 1.12! It’s been just over 3 months since Matrix 1.11 introduced authenticated media, and today we’re bringing more Trust & Safety features to the ecosystem, alongside the normal clarifications and general improvements to the protocol. This release is also technically a few days late on the quarter, but it’s for good reason! Folks from across the ecosystem got together in Berlin for the Matrix Conference, and after things wrapped up we were busy following up on ideas started on site. We can’t wait to see all of these ideas materialize as MSCs, but in the meantime, back to the honorary Q3 release of the spec:

Matrix 1.12 marks the recommended date for all servers to enable their media freeze, similar to matrix.org’s back in early September 2024. Servers which haven’t yet enabled their media freeze are strongly encouraged to do so, if it makes sense for their users. Matrix 1.12 also brings some improvements and clarifications to authenticated media, and a total of 9 MSCs covering a wide range of features.

Read on for a few highlights, and the full changelog at the end of this post.

Continue reading…

Matrix Live

Dept of Spec 📜

The weekly spec update

Andrew Morgan (anoa) {he/him} announces

Here's your weekly spec update! The heart of Matrix is the specification - and this is modified by Matrix Spec Change (MSC) proposals. Learn more about how the process works at https://spec.matrix.org/proposals.

MSC Status

New MSCs:

• MSC4210: Remove legacy mentions
• MSC4209: Updating endpoints in-place
• MSC4208: Adding User-Defined Custom Fields to User Global Profiles
• MSC4207: Media identifier moderation policy
• MSC4206: Moderation policy auditing and context
• MSC4205: Hashed moderation policy entities
• MSC4204: m.takedown moderation policy recommendation
• MSC4203: Sending to-device events to appservices
• MSC4202: Reporting User Profiles
• MSC4201: Profiles as Rooms v2
• MSC4198: Usage of OIDC login_hint
• MSC4197: Copy Paste Hints

MSCs in Final Comment Period:

• MSC4170: 403 error responses for profile APIs (merge)

Accepted MSCs:

• MSC4189: Allowing guests to access uploaded media

Closed MSCs:

• No MSCs were closed/rejected this week.

Spec Update

Lots of interesting MSCs came in this week! Note that last week's are also listed as the spec update was skipped.

A swath are looking to improve moderation in Matrix, while others aiming to improve the story around notifications and end-to-end encrypted bridges. There's also been lots of discussion on the hot MSC4133: Extending User Profile API with Key:Value pairs, which can be built upon with spec'd profile fields such as m.timezone (MSC4175).

MSC4208 is the result of splitting out the custom fields portion of that MSC, as it was determined that that portion of MSC4133 needed further discussion before merging.

Finally, MSC4189: Allowing guests to access uploaded media being merged closes one of the final gaps with the authenticated media epic.

Continue reading…

Dept of Servers 🏢

Synapse (website)

Synapse is a Matrix homeserver implementation developed by Element

Devon Dmytro announces

This week we released v1.116.0rc2. Here are a few of the highlights:

• Guests can now use the new media endpoints to download media, as described by MSC4189
• Add initial implementation of delayed events as proposed by MSC4140
• Add implementation of restricting who can overwrite a state event as proposed by MSC3757
• Add an asynchronous Admin API endpoint to redact all of a user's events, and an endpoint to check on the status of that redaction task

...and a whole lot more. Check out the release notes for the full set of changes! Thank you to all our contributors for helping to make Synapse the best it can be. As always, feel free to stop by #synapse:matrix.org to join in on the discussion and if you encounter a bug make sure to report it here.

Continue reading…

Dept of Status of Matrix 🌡️

Josh Simmons (m.org) announces

We had our first Governing Board gathering today at the Matrix Conference in Berlin, with 17 of the 20 members present (4 of which joined remotely)! We got to know each other a little better and discussed many things including Trust & Safety and how we communicate with each other and with the community.

Since this wasn't an official meeting, no votes were taken. The first official meeting of the Governing Board will be taking place soon!

Matrix Conference 2024

The Matrix Conference 2024 is over, the videos are being cooked and the slides are being uploaded. We'll be sharing the recordings with you as soon as they're ready.

In the meantime, a big thanks to everyone who attended, spoke, and helped make it happen. We hope you had a great time and learned a lot about Matrix and the community. We hope to see as many or more of you next year!

Continue reading…

Hi all,

Back at FOSDEM in February we showed off how Matrix could be used for E2EE-preserving messaging interoperability as required by the Digital Markets Act messaging interoperability - and we announced that Element had been working with Meta on integrating with its DMA APIs in order to connect WhatsApp to Matrix. You can see the video here, and we also demoed interop working at the technical level to the European Commission a few days beforehand.

Subsequently WhatsApp launched its DMA portal on March 8th, and the proposed Reference Offer (i.e. the terms you have to accept as a Requesting Party in order to interoperate) was revealed. The Reference Offer for Facebook Messenger was launched on September 6th. At the time of the WhatsApp launch we flagged up some significant unresolved questions - the main points being that:

1. WhatsApp would require their users to manually enable DMA in settings before they can receive any traffic from interconnecting service providers (e.g. Element) - meaning that WhatsApp users would not be reachable by default.

2. WhatsApp would require the client IP of any interconnecting users, in order to apply ‘platform integrity’ anti-abuse / trust & safety controls.

3. WhatsApp would not allow an interconnecting service to buffer messages serverside.

4. WhatsApp would require each Matrix server provider to sign a separate agreement in order to interconnect - i.e. you can’t bridge other server’s users unless those servers have signed a contract with Meta.

Continue reading…

Matrix Live

Dept of Spec 📜

Andrew Morgan (anoa) {he/him} says

Here's your weekly spec update! The heart of Matrix is the specification - and this is modified by Matrix Spec Change (MSC) proposals. Learn more about how the process works at https://spec.matrix.org/proposals.

MSC Status

New MSCs:

• Comparison of proposals for ignoring invites
• MSC4191: Account management deep-linking
• MSC4190: Device management for application services

MSCs in Final Comment Period:

• No MSCs are in FCP.

Accepted MSCs:

• No MSCs were accepted this week.

Closed MSCs:

• MSC4018: Reliable call membership
  • Succeeded by MSC4140: Cancellable delayed events.

Spec Updates

A further call to developers, protocol designers, and future MSC writers to attend the "Authenticated media & how to ship spec features" and MSC Process Guidance talks in LAB 4 at this year's Matrix Conference! We'll be discussing the spec process itself, as well as how large features (and breaking changes in the spec) get designed, developed, and deployed with support from the MSC process.

If you're thinking about how to get your idea for a feature out in the hands of users, these talks are for you!

Continue reading…

Matrix Live

Dept of Spec 📜

TravisR announces

Earlier in the week matrix.org started requiring authentication to access media, and it looks like most users didn't notice (a good thing)! Smooth rollouts like this are thanks in large part to the developer ecosystem preparing users for the change with code - thank you to everyone who has been working hard at improving how media is shared in Matrix ❤️.

There's always going to be problems which reveal themselves after the deployment happens, and it looks like most of the issues we're tracking have workarounds or patches on the way. If you're seeing errors for images/files, please update your client. Web users may need to refresh the page multiple times before things start working because of how browsers (don't) work. If you're still seeing issues, it may be a bug in your client: please report it to the developers so they can take a look.

Developers, protocol designers, and future MSC writers may also be interested in "Authenticated media & how to ship spec features" in LAB 4 at this year's Matrix Conference in just a couple of weeks! We'll be discussing how such a massive feature (and technically breaking change in the spec) gets designed, developed, and deployed with support from the MSC process - if you're thinking about how to get your idea for a feature out in the hands of users, this talk is for you. The advice should be transferable to features smaller than authenticated media too, hopefully 😇

Continue reading…