What I’m looking for ultimately is a universal chat type app like Beeper that can handle Signal and SMS; however, reading this about it gives me pause. It would be nice if I could get all my peeps on Matrix, but since it was so hard to get them on to Signal, I think the best I can hope for is something that can handle Matrix, Signal, and SMS. Which brings me back to the title: how exactly do Matrix bridges work, and are they secure?

EDIT: SMS is insecure by its very nature, yes?

  • Skull giver@popplesburger.hilciferous.nl · 39 points · 1 year ago

    A bridge receives messages from one service, extracts the necessary content (text, images, video, etc.) and submits it to your Matrix server. It also works the other way around, of course, sending your Matrix messages to other services. The bridge bots can usually exchange messages through encrypted chat rooms but the exact workings of encryption differ per bridge.

    For encrypted messenger services, Matrix bridges do decrypt messages inside the bridge. They can be re-encrypted with Matrix’s encryption, but somewhere along the chain they need to be decrypted, or the bridges literally cannot work.

    If you run your own bridges, like many technically minded people do, this isn’t much of a problem; you remain in control of your messages. Your messages are stored on your server, and they can be as secure as you can make them.

    If you rely on an external party to run your bridges (a.k.a. “the normal use case”), you need to trust that party with all of your messages. I would probably trust a company like Element.io because they’re based in the UK, which is subject to a GDPR-like law, and they don’t make money off of message analysis or ads. Beeper probably isn’t that bad either, but I haven’t looked into them.

    You’ll have to decide how bad you feel about your messages being decrypted. For unencrypted apps (Discord, Slack, Telegram in 99.999% of cases, Skype, Teams, GChat, SMS) I don’t think it matters that much. You are adding an extra party in the middle of your communications, but they’re not leeching off you like Google would be. They could get hacked, of course, but so could the super special alternative app you may find.

    SMS is one of the least secure methods of message exchange. It’s sent unencrypted, often inspected and logged at every ISP the message travels through, and can be redirected on a whim by someone on the other side of the planet through SS7 hacks. SMS is attached to a phone number and ISPs usually have some kind of ID check for phone numbers, and it’s guaranteed to work on any phone out there. Those are the only advantages of SMS. Only use them for things like 2FA if you have no other reasonable alternative!

    Back in the day, when mobile messaging was in its infancy, we used to have various chat services (AIM/MSN/AOL) and chat clients that spoke all protocols. These fat clients have gone out of fashion because everyone flocked to mobile messengers. These days Pidgin still exists and has support for all kinds of protocols (even more than Matrix!) but it’s lacking encryption support for many of them. If you run Linux (UBTouch/Phosh/Plasma Mobile/etc.) on your phone then there’s no technical reason why you couldn’t just run Pidgin, but it would probably be quite disappointing if you’re used to modern chat apps.

    I don’t know of any mobile app that works in the same style, speaking a tonne of different protocols instead of relying on a server that manages it all. The problem is usually that many of these chat systems don’t have any idea about multi-device chat or chat groups, or they have been implemented in their own weird way (Discord “servers” are one example of an extra layer most external apps struggle with, though Matrix has spaces which do the job quite well). That means message history isn’t always available, or read receipts and notifications are wonky, or messages may get decrypted on one device but not any others, and so on, and so forth. Matrix bridges act as a middle man for these services, being the “single device” that does all the talking, while using Matrix to make modern features available to your phone and desktop.

    But, there is hope! Next year, the EU Digital Markets Act goes into effect for many large companies, which mandates that they have to offer their messengers (and app stores!) to outsiders if they have more than a certain amount of users inside the EU. That means Apple, Signal, WhatsApp, and a whole bunch of other services will have to interoperate by law. That means that smaller devs should be able to make apps that talk to all platforms without having to reverse engineer the API (and have their apps break with every update). The IETF is even working on a standard to make this possible without sacrificing encryption (MIMI) which will hopefully be taken up quickly, though there’s no guarantee that that specific protocol will be used.

    • AccountForStuff@beehaw.org · 14 points · 1 year ago

      I fucking love it every time I hear about some random thing that the EU decides is unacceptable and forces corporations to be much more consumer friendly as a result

    • noodlejetski@geddit.social · 2 points · 1 year ago

      That means Apple, Signal, WhatsApp, and a whole bunch of other services will have to interoperate by law

      I don’t think Signal is big enough to be included in the requirement. And in addition to that, while the premise is pretty great, I’m not that enthusiastic about WhatsApp being able to mine metadata from my conversations as a Signal user :/

  • Glowing Lantern@feddit.de · 7 points · 1 year ago

    There are many different types of bridges, but the most seamless one is a type of Man In The Middle (MITM). You give the bridge full access to your other services, which allows them to copy everything to Matrix and vice versa. Naturally, this circumvents E2EE as the bridge needs to access and manipulate the content somehow (E2EE only exists up to the bridge, not the whole way to your client). The bridge can theoretically do anything, as it is a MITM. However, because most bridges are open source and you can host them yourself, the risk that unauthorised parties can gain access to the data is fairly low. If it’s hosted by a third party, you have to trust them that they won’t abuse their power.
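    To make the trust boundary described in this comment (and in Skull giver’s answer above) concrete, here is an added toy model; it is not code from any bridge project or from the commenters. It assumes a toy HMAC-based cipher standing in for the real Olm/Megolm or Signal sessions, constructed keys, and a hypothetical `Bridge` class that holds the session key the remote service negotiated with it plus the Matrix room key. The point it shows: both legs are encrypted, the Matrix client reads the relayed message, and the bridge still sees every relayed message in the clear, whereas a message encrypted under a key held only by the two end users (which bridging does not give you) stays opaque to it.

```python
import hashlib
import hmac
import os

# Toy authenticated encryption built from HMAC-SHA256 (keystream XOR plus a MAC).
# It only makes the key boundaries visible; it is not a production cipher.

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class Bridge:
    """Hypothetical bridge: a full participant on both sides. It is the remote
    service's 'device' (holds that session key) and a member of the Matrix room
    (holds the room key), so everything it relays passes through it in the clear."""

    def __init__(self, remote_key: bytes, matrix_key: bytes):
        self.remote_key = remote_key
        self.matrix_key = matrix_key
        self.plaintext_seen = []  # what the bridge host could log, leak or be compelled to hand over

    def relay_to_matrix(self, remote_blob: bytes) -> bytes:
        text = decrypt(self.remote_key, remote_blob)   # leg 1 (remote -> bridge) ends here
        self.plaintext_seen.append(text.decode())
        return encrypt(self.matrix_key, text)          # leg 2 (bridge -> Matrix) starts here

    def can_read(self, blob: bytes) -> bool:
        """Can the bridge open this message with any key it legitimately holds?"""
        for key in (self.remote_key, self.matrix_key):
            try:
                decrypt(key, blob)
                return True
            except ValueError:
                pass
        return False

def demo() -> dict:
    # Constructed keys, as each side would hold after its own key exchange.
    signal_session_key = hashlib.sha256(b"toy: signal<->bridge session").digest()
    matrix_room_key = hashlib.sha256(b"toy: bridge<->matrix room").digest()
    bridge = Bridge(signal_session_key, matrix_room_key)

    # Remote user encrypts to the bridge; bridge re-encrypts for the Matrix room;
    # the Matrix client (which holds the room key) reads it.
    relayed = bridge.relay_to_matrix(encrypt(signal_session_key, b"hello from Signal"))
    client_read = decrypt(matrix_room_key, relayed).decode()

    # Contrast: a key shared only by the two end users, which no bridge holds.
    pairwise_key = hashlib.sha256(b"toy: alice<->bob only").digest()
    opaque = encrypt(pairwise_key, b"only the two end users hold this key")

    return {
        "matrix_client_read": client_read,
        "bridge_saw": list(bridge.plaintext_seen),
        "bridge_can_read_relayed": bridge.can_read(relayed),
        "bridge_can_read_pairwise": bridge.can_read(opaque),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

    Running it prints that the client read the message, that `bridge_saw` contains the same plaintext, and that the bridge can open the relayed message but not the pairwise one. That is the whole security argument of the thread in one run: self-hosting does not remove the decryption step, it only changes who operates the machine where it happens.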

    • pitninja@lemmy.pit.ninja · 5 points · 1 year ago

      E2EE only exists up to the bridge, not the whole way to your client

      I just want to clarify that most bridges can be set up to have E2EE between the Matrix client and the bridge (regardless of whether the bridge supports encrypted chats on the bridged service because not all do, e.g. Facebook), but it is true that the bridge itself has to decrypt and translate between Matrix and the 3rd party chat service, so as you mentioned trusting who hosts bridges or doing it yourself is really important.

    • jarfil@beehaw.org · 3 points · 1 year ago

      most bridges are open source and you can host them yourself, the risk that unauthorised parties can gain access to the data is fairly low

      …as long as you keep them up to date and follow some basic security practices. There is nothing stopping you from self-hosting an outdated vulnerable version exposed to the public.

      Third parties are a risk of unauthorized access, but may be more likely to follow security practices in order to avoid getting fined (according to the legislation of wherever they’re hosted).

    • hedge@beehaw.org (OP) · 1 point · 1 year ago

      Oh boy. I think I’m really out of my depth here. I just downloaded Element and was fiddling with it a bit and found it to be kind of confusing. Maybe I oughta just stick with Signal despite centralization and signalcoin. Would be nice to be able to get SMS on the desktop tho, so I don’t have to go hunting for my phone every time I have to do 2FA (which, admittedly, is not that often). In any event, thanks to @[email protected] & @[email protected].

      • iamak@infosec.pub · 3 points · 1 year ago

        What did you find confusing about Element? The most confusing part for most people is the federation but since you’re on Lemmy, I assume that’s not the case for you.

        • hedge@beehaw.org (OP) · 4 points · 1 year ago

          I’m gettin’ old, and it’s an “old dog new tricks” type thing. However, I’ve still got it installed and probably just need to fiddle around with it some more. Getting Mrs. Hedge and my peeps to switch is going to be tough tho, hence me asking about the Signal bridge . . . Are “rooms” the same as “groups”?

          • Glowing Lantern@feddit.de · 3 points · 1 year ago

            There are a few more settings you can tweak than your standard messenger (e.g. message bubbles or timeline), but the day-to-day interaction should be fairly similar. Chat rooms allow you to chat with any number of participants. Matrix doesn’t really differentiate between “direct” chats and group chats, as you can always add more participants later. Spaces are a way to organise rooms, like a folder.

          • iamak@infosec.pub · 3 points · 1 year ago

            Why do you want them to switch from Signal? Federation? Other than that Signal’s great. Idk specifically about Signal bridge but I’m in a room with Telegram and IRC bridged and both bridges work pretty well. The room was bridged to XMPP as well but XMPP bridge was weird (resent random messages sometimes) so we removed it. Give it a try though and if possible tell me how it works? I’m curious :p

      • jarfil@beehaw.org · 2 points · 1 year ago

        so I don’t have to go hunting for my phone everytime I have to do 2FA

        Automatically forwarding the SMS to the desktop could turn that 2FA into 1FA.

  • wxboss@lemmy.sdf.org · 7 points · 1 year ago

    This is a great point that you bring up. I subscribe to an IRC channel that has bridges to both Telegram and Matrix. My feeling at this point is that the weakest link is going to be of the most concern. But how all these technologies interoperate with each other, and how they actually handle privacy/security together, is a question I cannot answer.