Notes on privacy and data collection of Matrix.org

notes.md

Notes on privacy and data collection of Matrix.org

---

This version of the document is no longer canonical. You can find the canonical version hosted at Gitlab and Github.

PART 2 IS OUT, INCLUDING THE DISCLOSURE OF A GLOBAL FEDERATION DATA LEAK, AND THE ANATOMY OF A GDPR DATA REQUEST HANDLED BY MATRIX.ORG. SEE THE REPOS ABOVE.

So after double-checking again, it seems like Comment 38 is not factually correct and that Cloudflare DOES TLS termination, directly having access to all the data in clear.

Here is a Client request done now:

$ curl -sv https://matrix.org/_matrix/client/r0/login
*   Trying 2606:4700:10::6814:15ec...
* TCP_NODELAY set
* Connected to matrix.org (2606:4700:10::6814:15ec) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS Unknown, Certificate Status (22):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS change cipher, Client hello (1):
* (304) (OUT), TLS Unknown, Certificate Status (22):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using unknown / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=www.matrix.org
*  start date: Jun 11 11:32:44 2019 GMT
*  expire date: Sep  9 11:32:44 2019 GMT
*  subjectAltName: host "matrix.org" matched cert's "matrix.org"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* (304) (OUT), TLS Unknown, Unknown (23):
* (304) (OUT), TLS Unknown, Unknown (23):
* (304) (OUT), TLS Unknown, Unknown (23):
* Using Stream ID: 1 (easy handle 0x55974db54580)
* (304) (OUT), TLS Unknown, Unknown (23):
> GET /_matrix/client/r0/login HTTP/2
> Host: matrix.org
> User-Agent: curl/7.58.0
> Accept: */*
> 
* (304) (IN), TLS Unknown, Certificate Status (22):
* (304) (IN), TLS handshake, Newsession Ticket (4):
* (304) (IN), TLS handshake, Newsession Ticket (4):
* (304) (IN), TLS Unknown, Unknown (23):
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
* (304) (OUT), TLS Unknown, Unknown (23):
* (304) (IN), TLS Unknown, Unknown (23):
* (304) (IN), TLS Unknown, Unknown (23):
< HTTP/2 200 
< date: Sun, 07 Jul 2019 09:39:09 GMT
< content-type: application/json
< set-cookie: __cfduid=dc79ff628c73af629e2cb1ccbe2c117be1562492349; expires=Mon, 06-Jul-20 09:39:09 GMT; path=/; domain=.matrix.org; HttpOnly
< cache-control: no-cache, no-store, must-revalidate
< access-control-allow-origin: *
< access-control-allow-methods: GET, POST, PUT, DELETE, OPTIONS
< access-control-allow-headers: Origin, X-Requested-With, Content-Type, Accept, Authorization
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< server: cloudflare
< cf-ray: 4f28d9820c6bd4b4-BRU
< 
{
    "flows": [
        {
            "type": "m.login.password"
        }
    ]
}
* (304) (IN), TLS Unknown, Unknown (23):
* Connection #0 to host matrix.org left intact

Here is a Federation request done now:

$ curl -sv https://matrix.org:8443/_matrix/federation/v1/version
*   Trying 2606:4700:10::6814:14ec...
* TCP_NODELAY set
* Connected to matrix.org (2606:4700:10::6814:14ec) port 8443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS Unknown, Certificate Status (22):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS change cipher, Client hello (1):
* (304) (OUT), TLS Unknown, Certificate Status (22):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using unknown / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=www.matrix.org
*  start date: Jun 11 11:32:44 2019 GMT
*  expire date: Sep  9 11:32:44 2019 GMT
*  subjectAltName: host "matrix.org" matched cert's "matrix.org"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* (304) (OUT), TLS Unknown, Unknown (23):
* (304) (OUT), TLS Unknown, Unknown (23):
* (304) (OUT), TLS Unknown, Unknown (23):
* Using Stream ID: 1 (easy handle 0x56503e398580)
* (304) (OUT), TLS Unknown, Unknown (23):
> GET /_matrix/federation/v1/version HTTP/2
> Host: matrix.org:8443
> User-Agent: curl/7.58.0
> Accept: */*
> 
* (304) (IN), TLS Unknown, Certificate Status (22):
* (304) (IN), TLS handshake, Newsession Ticket (4):
* (304) (IN), TLS handshake, Newsession Ticket (4):
* (304) (IN), TLS Unknown, Unknown (23):
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
* (304) (OUT), TLS Unknown, Unknown (23):
* (304) (IN), TLS Unknown, Unknown (23):
* (304) (IN), TLS Unknown, Unknown (23):
< HTTP/2 200 
< date: Sun, 07 Jul 2019 09:36:05 GMT
< content-type: application/json
< set-cookie: __cfduid=db97ca0304b4159c2ac95eb7e37e734851562492163; expires=Mon, 06-Jul-20 09:36:03 GMT; path=/; domain=.matrix.org; HttpOnly
< cache-control: no-cache, no-store, must-revalidate
< access-control-allow-origin: *
< access-control-allow-methods: GET, POST, PUT, DELETE, OPTIONS
< access-control-allow-headers: Origin, X-Requested-With, Content-Type, Accept, Authorization
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< server: cloudflare
< cf-ray: 4f28d4f6fcf5442b-BRU
< 
{
    "server": {
        "name": "Synapse",
        "version": "1.1.0rc1 (b=matrix-org-hotfixes,43e01be15)"
    }
}
* (304) (IN), TLS Unknown, Unknown (23):
* Connection #0 to host matrix.org left intact

Edit: vector.im as an identity server:

$ curl -sv https://vector.im/_matrix/identity/api/v1 | jq
*   Trying 2606:4700:30::681f:475f...
* TCP_NODELAY set
* Connected to vector.im (2606:4700:30::681f:475f) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
} [5 bytes data]
* (304) (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* (304) (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* (304) (IN), TLS Unknown, Certificate Status (22):
{ [1 bytes data]
* (304) (IN), TLS handshake, Unknown (8):
{ [15 bytes data]
* (304) (IN), TLS handshake, Certificate (11):
{ [2170 bytes data]
* (304) (IN), TLS handshake, CERT verify (15):
{ [80 bytes data]
* (304) (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* (304) (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* (304) (OUT), TLS Unknown, Certificate Status (22):
} [1 bytes data]
* (304) (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using unknown / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=CA; L=San Francisco; O=CloudFlare, Inc.; CN=vector.im
*  start date: Feb 14 00:00:00 2019 GMT
*  expire date: Feb 14 12:00:00 2020 GMT
*  subjectAltName: host "vector.im" matched cert's "vector.im"
*  issuer: C=US; ST=CA; L=San Francisco; O=CloudFlare, Inc.; CN=CloudFlare Inc ECC CA-2
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* (304) (OUT), TLS Unknown, Unknown (23):
} [1 bytes data]
* (304) (OUT), TLS Unknown, Unknown (23):
} [1 bytes data]
* (304) (OUT), TLS Unknown, Unknown (23):
} [1 bytes data]
* Using Stream ID: 1 (easy handle 0x560bab614580)
} [5 bytes data]
* (304) (OUT), TLS Unknown, Unknown (23):
} [1 bytes data]
> GET /_matrix/identity/api/v1 HTTP/2
> Host: vector.im
> User-Agent: curl/7.58.0
> Accept: */*
> 
{ [5 bytes data]
* (304) (IN), TLS Unknown, Certificate Status (22):
{ [1 bytes data]
* (304) (IN), TLS handshake, Newsession Ticket (4):
{ [230 bytes data]
* (304) (IN), TLS handshake, Newsession Ticket (4):
{ [230 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
} [5 bytes data]
* (304) (OUT), TLS Unknown, Unknown (23):
} [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
< HTTP/2 200 
< date: Sun, 07 Jul 2019 22:57:56 GMT
< content-type: application/json
< set-cookie: __cfduid=d14ef1f6254ebb5c211fdb3493dfabfbf1562540276; expires=Mon, 06-Jul-20 22:57:56 GMT; path=/; domain=.vector.im; HttpOnly
< access-control-allow-methods: GET, POST, PUT, DELETE, OPTIONS
< access-control-allow-origin: *
< access-control-allow-headers: Origin, X-Requested-With, Content-Type, Accept
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< server: cloudflare
< cf-ray: 4f2d6b993a53d4b4-BRU
< 
{ [2 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* Connection #0 to host vector.im left intact
{}

In all cases, we can see the headers set-cookie, server, cf-ray and expect-ct with values set by Cloudflare, which would not be possible if TLS termination was done directly on matrix.org/vector.im servers.