SecurityWeek

Privacy

Meet Matrix, an Open Standard for De-centralized Encrypted Communications

In the early days of the internet, communication was by email. Originally siloed by companies like CompuServe, AT&T and Sprint so that messages could only be exchanged with others on the same system, email is now ubiquitous. Pretty much anyone can communicate with anyone else regardless of app, device or browser.

Today there are additional methods of communicating via the internet, such as chat and voice. These new methods, however, are currently similar to early email: siloed by different vendors so that users can communicate only with other users on the same system. Matrix.org aims to change this, so that any user on one system can communicate with any user on a different system; just like email today.

Matrix: De-centralized Encrypted Real-time Communications over IP

Matrix is an open standard for interoperable, decentralized, real-time communication over IP. It can be used for any type of IP communication: IM, VoIP, or IoT data. One system already operating on Matrix is the open team collaboration app, Riot. While Riot is described as “a simple and elegant collaboration environment that gathers all of your different conversations and app integrations into one single app,” it can actually communicate with any user anywhere in the Matrix ecosystem.

The Matrix organization has not adopted the usual method of approaching all the big companies and trying to get the world to adopt Matrix. Instead, technical co-founder Matthew Hodgson told SecurityWeek, “We’re just building it — putting it out there on the internet as a de facto standard, and we then go and build bridges through to the existing communities. We’ve already got bridges through to Slack and to Skype and to IRC and various other online communities. Since the entire thing is open source, we’re also getting contributors from all round the world building bridges to their own systems; such as Ericsson building bridges into their own infrastructure. Or it could be contributors who write their own bridge to link something like Telegram or Twitter — and they basically act as a bridge to link existing silos into Matrix. It’s a very pragmatic way of solving the problem.”

This still requires cooperation from the vendors. New companies like Slack are often open to cooperation, but larger companies like Microsoft (Skype) are not necessarily so. However, the Nadella Microsoft seems to be far more pragmatic than the Ballmer Microsoft.

“They’ve not fundamentally changed their spots,” said Hodgson, “but at least superficially there’s much more openness to this sort of technology; and the reality is that Skype is on the back foot, hemorrhaging users. Microsoft could do with any help it can get in trying to regain the ‘cool’ factor and market share. It has actually been very positive in letting us integrate with Skype. We haven’t integrated Skype into Matrix, but we’re in conversation — especially since Skype is turning into a platform itself, and Microsoft realizes there is a problem of reach for its O365 customers (who have their own teams using Slack and other ‘silos’). Matrix is the only common ground that can be used to link these different apps together.”

He said that the only pushback Matrix has had so far has been from Facebook, “unsurprisingly,” he added, “since they are the incumbent and want to keep their monopoly as long as they can. But literally everyone else is amenable to pooling resources to make the world a better place. Matrix is the necessary counterbalance that can maintain the openness of the internet against monopolistic designs of big organizations.”

However, Matrix itself is not enough: users, especially enterprise users, need to trust the privacy of their communications. The solution is the new beta launch of Olm encryption.

“E2E encryption is particularly important to Matrix where its decentralized nature means that a conversation can end up replicated over thousands of different servers. When the participant ‘rooms’ are public, that’s not a problem. But if they’re private rooms you get a huge attack envelope where you basically just blindly trust all of the server admins not to snoop on the content of the room.” 


“In practice,” he added, “it’s not much different to email. If I send an email to 1,000 people, it could end up on 1,000 different mail servers. But with Matrix we can and should do better. We’ve spent the last two years building our E2E encryption, so that if I send a message to someone on Matrix it is never stored unencrypted on any of the servers, and it can only be decrypted by the participants. It’s much like WhatsApp and Allo; but we are the only one that is decentralized and not dependent on a silo or walled garden like Signal. We think it’s the perfect storm for communications, combining encryption with decentralization.”

To this end, Matrix has announced and launched the formal beta of the new Olm end-to-end encryption implementation across Web, iOS and Android. “With Matrix.org and Olm,” commented Hodgson, “we have created a universal end-to-end encrypted communication fabric — we really consider this a key step in the evolution of the Internet.”

Olm is the Matrix implementation of the Double Ratchet algorithm designed by Trevor Perrin and Moxie Marlinspike. It was chosen, explained Hodgson in a blog post Monday, “in its capacity as the most ubiquitous, respected and widely studied e2e algorithm out there – mainly thanks to Open Whisper Systems implementing it in Signal, and subsequently licensing it to Facebook for WhatsApp and Messenger, Google for Allo, etc.”
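To make the two claims above concrete (that a message is never stored unencrypted on any homeserver, and that the Double Ratchet's forward-moving key chains protect past traffic), here is an added example written for this page. It is not Olm's code and not the Matrix project's: it implements only the symmetric (chain-key) half of the Double Ratchet, uses HMAC-SHA256 as the one-way KDF and, as a stand-in for a real AEAD, HMAC-SHA256 in counter mode plus an encrypt-then-MAC tag. The shared root secret is assumed to already exist (in the real protocol it comes from the initial key agreement), the homeserver is a plain list of ciphertexts, and the DH ratchet step is deliberately omitted so the example can show what that step is for.

```python
import hashlib
import hmac
import os

# Constructed for this example: a symmetric-key ratchet in the spirit of the
# Double Ratchet's sending/receiving chains. It is NOT Olm's KDF, cipher or
# wire format, and it omits the DH ratchet step entirely.


def kdf(key: bytes, label: bytes) -> bytes:
    """One-way key derivation step (HMAC-SHA256 used as a PRF)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def ratchet_step(chain_key: bytes):
    """Advance the chain one step: (next chain key, this message's key).
    Chain keys only move forward; nothing lets you recover the previous one."""
    return kdf(chain_key, b"chain"), kdf(chain_key, b"message")


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for a real AEAD)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += kdf(enc_key, nonce + counter.to_bytes(4, "big"))
        counter += 1
    return out[:length]


def encrypt(message_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under keys derived from a single-use message key."""
    nonce = os.urandom(16)
    enc_key, mac_key = kdf(message_key, b"enc"), kdf(message_key, b"mac")
    stream = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(message_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or a modified ciphertext raises."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = kdf(message_key, b"enc"), kdf(message_key, b"mac")
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    stream = keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


class Chain:
    """One party's view of a sending or receiving chain."""

    def __init__(self, chain_key: bytes):
        self.chain_key = chain_key

    def next_message_key(self) -> bytes:
        self.chain_key, message_key = ratchet_step(self.chain_key)
        return message_key


def can_open(message_key: bytes, blob: bytes) -> bool:
    try:
        decrypt(message_key, blob)
        return True
    except ValueError:
        return False


def run_session():
    """Alice sends three messages to Bob through a homeserver that stores only
    ciphertext. Then Alice's current chain key leaks (say, a device compromise)
    and we check what the attacker can and cannot read.
    Returns (decrypted by Bob, past readable by attacker, future readable)."""
    # Assumed: both sides already hold a shared root secret. In the real
    # protocol this comes from the initial key agreement; here it is random.
    shared_secret = os.urandom(32)
    alice, bob = Chain(shared_secret), Chain(shared_secret)
    homeserver_store = []  # the server only ever sees these blobs

    for plaintext in (b"hello bob", b"second message", b"third"):
        homeserver_store.append(encrypt(alice.next_message_key(), plaintext))
    decrypted = [decrypt(bob.next_message_key(), c) for c in homeserver_store]

    # Compromise: attacker obtains Alice's chain key after message 3. They can
    # derive keys forward from it, but none of those opens an earlier message.
    attacker = Chain(alice.chain_key)
    attacker_keys = [attacker.next_message_key() for _ in range(3)]
    past_readable = any(can_open(k, c) for k in attacker_keys for c in homeserver_store)

    # But the symmetric chain alone cannot "heal": the next message Alice sends
    # uses exactly the key the attacker just derived. The DH ratchet step,
    # omitted here, is what the Double Ratchet adds to close that window.
    fourth = encrypt(alice.next_message_key(), b"after the compromise")
    future_readable = can_open(attacker_keys[0], fourth)
    return decrypted, past_readable, future_readable


def tamper_detected() -> bool:
    """Flipping one ciphertext byte must fail authentication, not yield garbage."""
    key = kdf(b"demo", b"key")
    blob = bytearray(encrypt(key, b"integrity matters"))
    blob[20] ^= 0x01  # inside the ciphertext region (after the 16-byte nonce)
    return not can_open(key, bytes(blob))
```

Running `run_session()` returns Bob's three plaintexts, `False` for the past messages (the leaked chain key cannot be walked backwards) and `True` for the fourth message, which is the gap the DH ratchet exists to close; `tamper_detected()` shows why the tag is checked before anything is decrypted.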

Olm has been reviewed by NCC Group. In keeping with its open philosophy, Matrix has ensured this review is available online. Several issues were discovered by NCC, including one high risk and one medium risk. The most exotic of these was an ‘unknown key share attack’. “Needless to say,” wrote Hodgson, “all of these issues have been solved with the release of libolm 2.0.0 on October 25th and included in today’s releases of the client SDKs and Riot.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
