Element (Matrix) launches Chatterbox, end-to-end encrypted embedded chat (opens in new tab)

t6jvcereio3y ago

I'm not sure the problem was the client (element for Android). Asking around it seems people on the chatrooms kind of agreed the issue was matrix.org

Regardless, if you believe the issue is the client, which would you recommend is the lightest/fastest client?

[0]: https://github.com/vector-im/element-web/issues/21147

Arathorn3y ago

this is like saying “i tried the web, and it’s extremely slow”. what server were you using? and which client on which platform?

Legogris3y ago

Not the person you're replying to but following up on an identical past thread: https://news.ycombinator.com/item?id=30996203

> Linux, x86_64. Getting the same behavior across distros and installations.

It is still very much the case. To emphasize, we have for the past couple of years used Matrix routinely on:

  * Multiple client implementations
  * Multiple OSs (Linux/Android/iOS)
  * Multiple accounts and profiles
  * Multiple Linux distros, desktop environments, window managers, X11/Wayland, CPU architectures (x86_64, aarch64)
  * Private and public homeservers

In particular, multiple accounts on the same Linux installation of element-desktop.

The common denominator seems to be that the account with many (thousands) of rooms (almost all of which fully historical/archived with no ongoing activity apart from participants presence) consistently gets Element freeze, hang, be extremely slow.

This makes element-desktop practically unusable for that account. Other accounts in the exact same environment do not have this issue. Signing in to a fresh profile seems to improve this, for a while, until it starts happening again

The same issue does not appear on Element iOS/Android, or with other accounts on the same client.

It gets more annoying by the fact that even under normal operations it's slow enough to start up that it can take some time to tell if this time it'll eventually resolve by waiting or if it needs to be force-killed and restarted. This is also the case on an otherwise idle 8-core Ryzen3 with 64GB of RAM and fast NVMe drive sitting close to its homeserver on a 1GBps link. (The slowness seems to be all or mostly locally in Element - even when in a mostly empty room, it can take a very long time expanding/collapsing/navigating the People/Rooms sidebar. This, too, only for those particular high-room accounts and only on element-desktop)

For a while we believed it could have been the same cause as this issue[0] but alas, 1.11.0 with Electron 19 has not resolved it.

The common factors that consistently exhibits this behavior seems to be Linux, element-desktop, account with large amount of rooms. Been like this for a while now.

t6jvcereio3y ago

> this is like saying “i tried the web, and it’s extremely slow”

Uuuuuh ok...? WhatsApp isn't slow.

ngetchell3y ago

How about slow compared to Discord?

[2]: https://github.com/nomadic-labs/safesupport-chatbox

Saris3y ago

I found the same, as soon as I join any larger rooms it starts to struggle.

The clients feel sluggish as well, just in terms of moving around the UI.

maxloh3y ago· 6 in thread

What is the benefit of end to end encryption in this scenario?

There is no risk of service provider spying on you because you as the business is the service provider.

jeroenhd3y ago

This is part of a hosted package. In theory, this means that the folks over at Element.io can't see the chats between you and your customers/business partners because of the E2EE. That does depend on them not hosting the software, of course, because E2EE becomes useless if the software used to encrypt data can be changed at a whim.

With the private keys on the recipient end and the browser end, it does make it easier to follow certain data privacy regulations. Whether the rather leaky Matrix protocol is considered foolproof is still an unanswered question, though; the average encrypted chat session sends a LOT of unique identifiers that shouldn't cause any trouble, but I haven't seen a recent audit of the protocol.

godelski3y ago

> What is the benefit of end to end encryption in this scenario?

Let's say I'm talking to my bank. Is there really any information that you want open? They're going to ask you security questions to confirm your identity. You're likely talking about specific sums of money.

Let's say you're talking to your doctor. Is there really any information that you want open? Are you violating HIPPA and privacy laws just by talking? Your health is of no concern to anyone but you and your health provider. Full stop.

I mean, they use these two examples in the post. The use case is pretty clear to me here. The risk isn't your service provider spying on you, it is anyone that you aren't intending to talk to. A hacker (who may be interested in your bank or health care). A state actor. Abusive ex. Data companies that extract every bit of information they can. Or politicians who want to track your period. Maybe this isn't useful when I'm submitting tickets to wandb, but I can see this being very helpful when I'm talking to my bank.

tcfhgj3y ago

Hmm, I'd say it depends.

Imagine you're contacting a doctor and are communicating about sensitive stuff. I'd still expect this to been treated relatively confidential, i.e. not spreading it within the company, or potentially leaking it.

Plus, the matrix server of the person on the other side might not be in your hands, e.g. hosted by Element

hda23y ago

E2EE can prevent the leaking of private conversations to thirdparty middleware/cloud companies. This would allow orgs to continue using those thirdparty services to handle their traffic like usual, but would also guard against middleware disasters like cloudflair's leaking of https traffic.

Thanks to the prevalence of early HTTPS termination (usually at the edge of some big cloud company), that green pad lock at the top of your browser means little when true privacy is needed.

viccuad3y ago

In addition to points from others: no middleman can tamper with the information being sent (e.g: see how Russia changes content of pages served via http to display war propaganda or ads).

maxloh3y ago

How did that work with HTTPS?

jeroenhd3y ago· 5 in thread

Edit: Github link at [3], couldn't find it when I originally wrote my comment below

I wonder how this compares to alternatives like [1] and [2] that you can also host yourself.

There was also a Matrix project *that I can't find for the life of me) featuring multi-agent live chat support with multiple agents being able to join and leave a room. I suppose the E2EE support is what sets it apart, though I'm not sure if that's actually a feature you really need.

Half the features advertised seem to be existing EMS features (like talking across chat services). I suppose you can use this to portal a web chat box into Slack but honestly I think there are better solutions.

[1]: https://github.com/osousa/livematrix

[3]: https://github.com/vector-im/chatterbox

Arathorn3y ago

You can host chatterbox yourself too - it’s apache licensed FOSS (https://github.com/vector-im/chatterbox).

jeroenhd3y ago

Oh, I see! I was looking under the matrix-org Github account so I couldn't find the source code, I probably should've looked at the vector-im tag as well.

osousa3y ago

Hi there.

I wrote [1] (Thanks for the reference) , and i skipped encryption for the sake of simplicity.

I'm enabling encryption as we speak.

If you host the server yourself, on a controlled setting (VPS), it should allow for a fairly secure way of communication if TLS is used. The communication channel would resemble this rough ASCII drawing:

[Browser] <---TLS---> [livematrix] <---e2ee---> [Matrix homeserver]

In the end you always have to trust the person hosting the service. Host things yourself.

I don't see this channel of communication as being truly secure, without audits where and how its deployed. Web apps are riddled with vulnerabilities, how much of the attack surface from a website would compromise the live chat embedded is a guess until it happens.

I should point out that my "solution" is intended for personal websites, people who enjoy Matrix a lot :) . Not for corporations at all.

jeroenhd3y ago

TLS for browser communication should work great; if the website can't control its scripts, then there's no reason to trust its execution anyway. The main problem space, in my opinion, is encryption support between your service and the Matrix server, as messages get stored long-term in that space, which comes with possible privacy risks. Your solution would probably mitigate that problem perfectly!

tcfhgj3y ago

The former doesn't have encryption, but good question

tcfhgj3y ago· 4 in thread

How does E2EE work here? How can the user know their communication isn't being intercepted?

Arathorn3y ago

It’s using normal Matrix olm/megolm double ratchet encryption.

To track the identity of who you’re talking to we can do TOFU and/or normal out of band Matrix verification as per https://github.com/vector-im/hydrogen-web/issues/518 - but this isn’t yet exposed in Chatterbox. We’ll get it added, as without verification you obviously can’t spot a MITM.

remram3y ago

How does the user check that, if they are running untrusted clients embedded on untrusted sites? Who is the adversary that the addition of end-to-end encryption is supposed to defeat?

jimmygrapes3y ago

This is my question, too.

From TFA:

>there’s no need for them to register or create an account just because it’s E2EE, and it still supports persistent messaging.

How does that work? Arathorn in a sibling comment says that there's out of band something, which I interpret to mean some verification process, but for the life of me I can't imagine what that process might be or how it might work without any sort of account... unless the client generates a unique a key per user session and coordinates the key exchange with a single host server behind the scenes to encrypt that session's data?

What am I missing?

hda23y ago

Normal users will probably just check that the green padlock in their address bar.

I think this is targeted towards securing chat traffic from thrid-party hosting services accidentally leaking or passively spying on you. Think problems that arise from early HTTPS termination like the cloudflair's https leak.

midislack3y ago· 3 in thread

Bonus - unlike Signal they don't need your phone number or DNA...

warning263y ago

Does it have export?

Signal's complete inability to any kind of history backup is a dealbreaker for me.

tcfhgj3y ago

Element has. The app on the other side

I think it's unlikely that this chatbox has export functionality

midislack3y ago

Just because there's no "official" way to access history as a client in Signal doesn't mean the history isn't there. You'd have to ask that "Moxie Marlinspike" or whatever his name is fella.

theogravity3y ago· 2 in thread

I'm not familiar with pricing in this space, but $3.80 / MAU (says $3 for element product, then 0.80 for the chatterbox product on top) seems really expensive that you would have very specific use-cases (government, hospitals?) to use the product to want to pay the price for it.

Arathorn3y ago

It’s $3/MAU for the users who are using a fullblown Matrix client like Element on the server. Meanwhile users who are coming in via the lightweight Chatterbox client are only $0.80/MAU. And users who come in via federation are free.

We’ll see how the pricing fares in practice.

halostatue3y ago

Yeah. I can’t see any of the clients who are using our live chat solution paying almost $1/customer for chat. That would raise the bills of many of our clients by thousands of dollars a month.

encryptluks23y ago· 2 in thread

This is just another firm reminder that Matrix isn't the revolution against IRC/XMPP and instead is just a company running Microsoft's playbook.

smotched3y ago

How so?

encryptluks23y ago

Because they are in the "extend" phase.

bsaul3y ago· 1 in thread

not sure i understand what the point is.. Embedded usually means c2b communication, not c2c. The professional you're communicating with is probably already hosting its computer's data on the company's network...

woojoo6663y ago

This could be useful for smaller business that don't want to maintain their own servers. Element already provides hosting services for Matrix chat [1]. Businesses can use it, without worrying about messages being exposed to the hosting service.

[1]: https://element.io/matrix-services

hda23y ago· 1 in thread

This is very interesting. Does Chatterbox require agents to use specialized matrix clients to interact with customers or will any matrix client do? (e.g Element for android)

If any matrix element would do, how will new customers appear in the client? Will they pop up as a new direct chat?

RMidhunSuresh3y ago

You can use any matrix client to interact with the customers. New customers will appear as direct chats in your preferred client.

sylvain_kerkour3y ago

While I like the idea, I feel the that this announce is wrong.

First the pricing is outrageously high.

Second, why not provide a link to try it? And screenshots to see how it looks from an agent's point of view. Because Most embedded chat widgets come with advanced customer support features, and Element applications are not designed for that.

Don't tell, show!

chrismorgan3y ago

> It’s a surprise to most people that the majority of embedded chat is not end-to-end encrypted (E2EE).

I don’t know about the general populace, but I would instead be surprised to encounter E2EE in embedded chat.

I also go to what I keep on saying in cases like this: first-party end-to-end encryption is broken by design. To have any semblance of real security, you need to self-host the client software, preferably also obtaining it from a different party from the transport provider. Self-hosting of the entire chat system is the only truly dependable solution here, and in that context for this application, end-to-end encryption adds no value at all, being equivalent to transport encryption.

upofadown3y ago

How do you verify that you are actually chatting with the entity that you want to be chatting with?

j / k navigate · click thread line to collapse

90 comments

44 comments · 12 top-level

t6jvcereio3y ago· 8 in thread

Incidentally I tried matrix for the first time on the basis of someone recommending it here in HN, and it's extremely slow

jeroenhd3y ago

I recommend giving the platform another quick try using https://app.cinny.in/ which to me feels very Discord-like in terms of snappiness.

lelandfe3y ago

[0] https://imgur.com/a/zYBZWoW

t6jvcereio3y ago

I'm not sure the problem was the client (element for Android). Asking around it seems people on the chatrooms kind of agreed the issue was matrix.org

Regardless, if you believe the issue is the client, which would you recommend is the lightest/fastest client?

[0]: https://github.com/vector-im/element-web/issues/21147

Arathorn3y ago

this is like saying “i tried the web, and it’s extremely slow”. what server were you using? and which client on which platform?

Legogris3y ago

Not the person you're replying to but following up on an identical past thread: https://news.ycombinator.com/item?id=30996203

> Linux, x86_64. Getting the same behavior across distros and installations.

It is still very much the case. To emphasize, we have for the past couple of years used Matrix routinely on:

  * Multiple client implementations
  * Multiple OSs (Linux/Android/iOS)
  * Multiple accounts and profiles
  * Multiple Linux distros, desktop environments, window managers, X11/Wayland, CPU architectures (x86_64, aarch64)
  * Private and public homeservers

In particular, multiple accounts on the same Linux installation of element-desktop.

The same issue does not appear on Element iOS/Android, or with other accounts on the same client.

For a while we believed it could have been the same cause as this issue[0] but alas, 1.11.0 with Electron 19 has not resolved it.

The common factors that consistently exhibits this behavior seems to be Linux, element-desktop, account with large amount of rooms. Been like this for a while now.

t6jvcereio3y ago

> this is like saying “i tried the web, and it’s extremely slow”

Uuuuuh ok...? WhatsApp isn't slow.

ngetchell3y ago

How about slow compared to Discord?

[2]: https://github.com/nomadic-labs/safesupport-chatbox

Saris3y ago

I found the same, as soon as I join any larger rooms it starts to struggle.

The clients feel sluggish as well, just in terms of moving around the UI.

maxloh3y ago· 6 in thread

What is the benefit of end to end encryption in this scenario?

There is no risk of service provider spying on you because you as the business is the service provider.

jeroenhd3y ago

godelski3y ago

> What is the benefit of end to end encryption in this scenario?

tcfhgj3y ago

Hmm, I'd say it depends.

Plus, the matrix server of the person on the other side might not be in your hands, e.g. hosted by Element

hda23y ago

Thanks to the prevalence of early HTTPS termination (usually at the edge of some big cloud company), that green pad lock at the top of your browser means little when true privacy is needed.

viccuad3y ago

In addition to points from others: no middleman can tamper with the information being sent (e.g: see how Russia changes content of pages served via http to display war propaganda or ads).

maxloh3y ago

How did that work with HTTPS?

jeroenhd3y ago· 5 in thread

Edit: Github link at [3], couldn't find it when I originally wrote my comment below

I wonder how this compares to alternatives like [1] and [2] that you can also host yourself.

[1]: https://github.com/osousa/livematrix

[3]: https://github.com/vector-im/chatterbox

Arathorn3y ago

You can host chatterbox yourself too - it’s apache licensed FOSS (https://github.com/vector-im/chatterbox).

jeroenhd3y ago

Oh, I see! I was looking under the matrix-org Github account so I couldn't find the source code, I probably should've looked at the vector-im tag as well.

osousa3y ago

Hi there.

I wrote [1] (Thanks for the reference) , and i skipped encryption for the sake of simplicity.

I'm enabling encryption as we speak.

[Browser] <---TLS---> [livematrix] <---e2ee---> [Matrix homeserver]

In the end you always have to trust the person hosting the service. Host things yourself.

I should point out that my "solution" is intended for personal websites, people who enjoy Matrix a lot :) . Not for corporations at all.

jeroenhd3y ago

tcfhgj3y ago

The former doesn't have encryption, but good question

tcfhgj3y ago· 4 in thread

How does E2EE work here? How can the user know their communication isn't being intercepted?

Arathorn3y ago

It’s using normal Matrix olm/megolm double ratchet encryption.

remram3y ago

How does the user check that, if they are running untrusted clients embedded on untrusted sites? Who is the adversary that the addition of end-to-end encryption is supposed to defeat?

jimmygrapes3y ago

This is my question, too.

From TFA:

>there’s no need for them to register or create an account just because it’s E2EE, and it still supports persistent messaging.

What am I missing?

hda23y ago

Normal users will probably just check that the green padlock in their address bar.

midislack3y ago· 3 in thread

Bonus - unlike Signal they don't need your phone number or DNA...

warning263y ago

Does it have export?

Signal's complete inability to any kind of history backup is a dealbreaker for me.

tcfhgj3y ago

Element has. The app on the other side

I think it's unlikely that this chatbox has export functionality

midislack3y ago

Just because there's no "official" way to access history as a client in Signal doesn't mean the history isn't there. You'd have to ask that "Moxie Marlinspike" or whatever his name is fella.

theogravity3y ago· 2 in thread

Arathorn3y ago

We’ll see how the pricing fares in practice.

halostatue3y ago

Yeah. I can’t see any of the clients who are using our live chat solution paying almost $1/customer for chat. That would raise the bills of many of our clients by thousands of dollars a month.

encryptluks23y ago· 2 in thread

This is just another firm reminder that Matrix isn't the revolution against IRC/XMPP and instead is just a company running Microsoft's playbook.

smotched3y ago

How so?

encryptluks23y ago

Because they are in the "extend" phase.