Differences

This shows you the differences between two versions of the page.

--- security [2026/03/26 06:12] – admin
+++ security [2026/03/30 02:34] (current) – admin
@@ Line 13: / Line 13: @@
   * Matrix
-    * Setup a home server and disable federation to prevent metadata being copied around to other servers, if wanted. This option is configurable by the room creator, which is helpful and can decide when to use it.
+      * Configuration Steps:
-      *.Metadata leaks include username of who belongs in encrypted and unencrypted rooms (user@homeServerDomain.com)
+        * Setup a home server and disable federation to prevent metadata being copied around to other servers,  This option is also configurable by the room creator, which is helpful and can decide when to use it.
-    * Homeserver owners can join encrypted chats and impersonate users by adding their own device key to the target users account.  This is a bug that is being mitigated in 2026 by requiring clients to confirm device keys of other users. https://element.io/blog/verifying-your-devices-is-becoming-mandatory-2/.
+        * Enable End To End Encryption (E2EE) for sensitive rooms.
-    * A stolen domain for homeserver can gain rights as any user that has joined the room from the homeserver, This is due to Matrix stores permissions as user@homeserverDomain.com for rooms.
+      * Security And Privacy Notes:
-    * Fluffychat client is recommended, as it supports multiple profiles.
+        * While messages are encrypted in E2EE rooms, privacy leaks are possible. Metadata is not encrypted and currently not supported by the protocol, although it' being worked on.This includes usernames of who are in encrypted chat rooms, who created the room, and the title of the room.
+        * Homeserver owners can join encrypted chats technically. They would have to impersonate users by adding their own device key to the targeted user account.  This is a bug that is being mitigated in 2026 by requiring users to confirm new devices added to their account https://element.io/blog/verifying-your-devices-is-becoming-mandatory-2/. Note users will be notified that a new device was added, and they should not validate it to avoid having messages sent to it.
+        * A stolen domain for homeserver can gain rights as any user that has joined the room from the homeserver, This is due to Matrix stores permissions as user@homeserverDomain.com for rooms.
+        * Fluffychat client is recommended, as it supports multiple profiles.
+        * Users joining E2EE encrypted rooms can not see past messages. This is being worked on currently (https://github.com/matrix-org/matrix-spec-proposals/pull/4268).