Page MenuHomePhabricator

#mediawiki_security cannot be accessed using Matrix as an IRC client
Open, Needs TriagePublic

Description

IRC serves as a backbone of our technical communications, but it's a dated protocol, and most default / common clients are not fun to use. Matrix is a decent IRC client (T222458: Evaluate Element as recommended IRC client) and also provides a migration path towards more modern communication technologies. It cannot fully replace an IRC client today, though, because it does not work with #mediawiki_security. (It does work with #wikimedia-staff so it's not a matter of public vs. private channels.) Even if it did, we'd probably want some security assessment of whether it's OK to use there.

Event Timeline

The technical side of the issue might be solved by T341314: Create a plumbed Matrix room for every Wikimedia IRC room that doesn't opt out if we extend that to the security channel.

As for the security side: on a technical level, Matrix clients aren't IRC clients. What happens is (1) a bridge joins the IRC channel, typically by storing Matrix users' IRC passwords and acting in their name as an IRC client; (2) the bridge joins some Matrix server which has a Matrix room attached to the IRC channel (a "plumbed room") and translates IRC messages to Matrix messages and vice versa; (3) end users connect to the matrix server using their Matrix clients and interact with it using the Matrix protocol. So, users' IRC passwords will be shared with the bridge (although this happens regardless of #mediawiki_security - it's how one uses IRC through a Matrix client, even for public channels), and the contents of the secure channel will be shared with both the bridge and the Matrix server. The server is matrix.org, operated by Matrix's parent organization, and they also run the bridge (theoretically we could use any other server or bridge, or host our own, or rent our own).

To me this feels like a bad idea, considering that Libera.Chat is making the bridge opt-in partly because of the bridge has a history of leaking data from private channels.

The server is matrix.org, operated by Matrix's parent organization

The bridge is apparently operated by EMS which is a for-profit company.

The names of secret channels, not the content of private channels. #mediawiki_security is not secret so that is not directly relevant, although it does show that the bridge is not very robust (which is certainly true - until recently there was a single full-time developer maintaining all the bridges for a dozen or so protocols).

Realistically, I'm not sure that's worse than average. The alternative is to use IRCCloud (which also has security incidents occasionally, is closed source, for-profit and I don't think it's particularly well-aligned with us philosophically) or set up your own bouncer, and then you are on your own making sure that a server you administer (somewhere on the cloud, or your home router, and in practice probably in your free time) is sufficiently well-protected (something most #mediawiki_security members are not particularly skilled in).

The bridge is apparently operated by EMS which is a for-profit company.

EMS is the name of a product offering by New Vector Ltd, which is the for-profit arm of Matrix (the two Matrix founders are the CEO/CTO and the COO).