Technology @beehaw.org hedge @beehaw.org 1 yr. ago

How exactly do Matrix bridges work? Are they secure?

What I'm looking for ultimately is a universal chat type app like Beeper that can handle Signal and SMS, however, reading this about it gives me pause. It would be nice if I could get all my peeps on matrix, but since it was so hard to get them on to Signal, I think the best I can hope for is something than can handle matrix, signal, and sms. Which brings me back to the title, how exactly do Matrix bridges work and are they secure?

EDIT: SMS is insecure by its very nature, yes?

14 comments

Permanently Deleted
- I fucking love it every time I hear about some random thing that the EU decides is unacceptable and forces corporations to be much more consumer friendly as a result
- That means Apple, Signal, WhatsApp, and a whole bunch of other services will have to interoperate by law
  
  I don't think Signal is big enough to be included in the requirement. and in addition to that, while the premise is pretty great I'm not that enthusiastic about Whatsapp being able to mine metadata from my conversations as a Signal user :/
  
  That's fair, Signal is probably not small enough to be considered a gatekeeper. I doubt Signal is going to be the only messenger that doesn't take advantage of this, though.
  
  You don't have to talk to people who use WhatsApp if you don't want to, you can always ignore their messages or block them.
Permanently Deleted
- E2EE only exists up to the bridge, not the whole way to your client
  
  I just want to clarify that most bridges can be set up to have E2EE between the Matrix client and the bridge (regardless of whether the bridge supports encrypted chats on the bridged service because not all do, e.g. Facebook), but it is true that the bridge itself has to decrypt and translate between Matrix and the 3rd party chat service, so as you mentioned trusting who hosts bridges or doing it yourself is really important.
- most bridges are open source and you can host them yourself, the risk that unauthorised parties can gain access to the data is fairly low
  
  ...as long as you keep them up to date and follow some basic security practices. There is nothing stopping you from self-hosting an outdated vulnerable version exposed to the public.
  
  Third parties are a risk of unauthorized access, but may be more likely to follow security practices in order to avoid getting fined (according to the legislation of wherever they're hosted).
- Oh boy. I think I'm really out of my depth here. I just downloaded Element and was fiddling with it a bit and found it to be kind of confusing. Maybe I oughta just stick with Signal despite centralization and signalcoin. Would be nice to be able to get SMS on the desktop tho, so I don't have to go hunting for my phone everytime I have to do 2FA (which, admittedly, is not that often). In any event, thanks to @wxboss@lemmy.sdf.org & @GlowingLantern@feddit.de.
  
  What did you find confusing about Element? The most confusing part for most people is the federation but since you're on Lemmy, I assume that's not the case for you.
  
  so I don't have to go hunting for my phone everytime I have to do 2FA
  
  Automatically forwarding the SMS to the desktop, could turn that 2FA into 1FA.
This is a great point that you bring up. I subscribe to an IRC channel that has bridges to both Telegram and Matrix. My feelings at this point, is that the weakest link is going to be of the most concern. But how all this technology interoperate with each other and how they actually handle privacy/security together is a question I cannot answer.
EU's Digital Markets Act might interest you :p

You've viewed 14 comments.