undefined | Better HN

0 pointsclaudius6y ago0 comments

I am confused by the e-mail issue. The OP says that Riot says:

> If you don't specify an email address, you won't be able to reset your password. Are you sure?

In your response on pg. 4, you say:

> Commented [11]: Yup, this is the point of the service -to map email addresses and phone numbers to matrix IDs.

Is it possible to specify an e-mail address to be able to reset passwords without making this e-mail address public? Clearly, this should be the default setting if someone enters an e-mail address after the above prompt by Riot.

0 comments

Arathorn6y ago

So email addresses are used for two purposes in Matrix: "administrative contact" for an account (for password reset), as per https://matrix.org/docs/spec/client_server/r0.5.0#adding-acc..., and for discovering users' mxids by email address (as per https://matrix.org/docs/spec/identity_service/r0.2.0#post-ma...).

At registration, if you specify an email address, Riot does sets it both for password reset and for mxid discovery. You (and the OP) are right that this should be clearer - it boils down to the fact that we need to add UI to remind the user that they're using an identity server (with given terms of use) and to confirm this is what they want.

We could also split it into separate actions (one to set it for password reset, and one to use it for discovery), and indeed before Riot this is how it used to be (there was a checkbox in Matrix Console at registration to let the user choose whether to bind their email). This got lost in Riot because of concerns that it made the registration UX too noisy and complicated (especially with custom HS & IS URLs flying around the place), so it currently binds their email by default. I've just filed https://github.com/vector-im/riot-web/issues/10054 to track addressing this.

You said "making this e-mail address public" in your question - it's worth noting that binding a 3PID does not publish it in a public list; instead, it means it can be used as a key to look up your MXID for users who already know your email address.

In terms of the other valid points the analysis raises, I've also filed a bug to track hashing contact details when doing lookups (https://github.com/matrix-org/matrix-doc/issues/2130, although i could have sworn we had one already). The other two issues (Riot/Web talking to Scalar too much, and the desire to remove notary servers entirely) already have bugs - https://github.com/vector-im/riot-web/issues/5846 and https://github.com/matrix-org/matrix-doc/issues/1228 respectively).

claudiusOP6y ago

Thanks.

> You said "making this e-mail address public" in your question - it's worth noting that binding a 3PID does not publish it in a public list; instead, it means it can be used as a key to look up your MXID for users who already know your email address.

The domain part of e-mail addresses is public anyways due to certificate transparency, meaning that an interested party would only have to enumerate the local part to find all e-mail addresses from a specific domain used by Matrix users. In this respect, the lookup answers the question "Does this address exist?" and as such makes it public.

maxidorius6y ago

To clarify: the paper does not claim a list with email addresses is made public or anything of the sort. Only that they can be queried without restriction or authentication.

Once again, it's not about brute listing things. It's about knowing a 3PID from another source, like a dump of email/phone number on the darkweb which can then be used to query for a mapped Matrix ID. Or simply an email given for another purpose to the same server.

It is all fun and games until you start correlating data sets, like claudius points out correctly with other public lists.

j / k navigate · click thread line to collapse