Dude, It’s the Matrix! Understanding the Matrix Protocol
Welcome, readers! Pavluu here. Over the past few years, Matrix has captured the attention of darknet users, and the Element messenger has become almost as popular as Jabber once was. Let’s dive into what makes Matrix so great and why so many people trust it.
A Bit of History
I won’t copy-paste the Wikipedia article here—feel free to read it yourself if you’re interested. Instead, I’ll highlight some key moments:
- In 2017, KDE developers announced they were working on adding Matrix protocol support to their IM client, Konversation. This was the starting point for Matrix’s practical use, though the protocol was still in beta at the time.
- In January 2018, the company behind Matrix received a $5 million investment from Status, an Ethereum-based startup. Status is a secure messenger with E2EE, a built-in ETH wallet, and DApps support, using the Waku protocol (a fork of Whisper) for P2P communication.
- In April 2018, the French government announced plans to create its own instant messaging tool. The Matrix team later confirmed it would be based on Riot and Matrix, with New Vector providing support. (Riot was one of the first Matrix-based messengers; it’s now called Element.)
- In May 2020, Matrix introduced end-to-end encryption enabled by default for private chats—something Telegram still lacks.
What Makes Matrix So Good?
Matrix is an open protocol for decentralized real-time communication. It can be used for text messaging, group chats, audio/video calls, and creating bots. Its main features include:
- Federated messenger
- Replication (room content is replicated across all participating servers, meaning no single point of control or failure)
- Key synchronization (like Telegram’s secret chat, but across all devices)
- End-to-end message encryption
- Bridges (one of its main features—communicate with users on IRC, XMPP, Telegram, and more)
- Widgets and bots
- Anonymous registration
The protocol specifications, as well as the client-server components (Synapse as the server and Element as the client), are open source—unlike Telegram, which only has its client open, raising questions about the security of the MTProto protocol.
Matrix has a full-fledged federation implementation, allowing seamless communication, shared rooms for users on different servers, and audio/video calls. The protocol also enables message exchange with other protocols via bridges—programs that work with the server to relay messages between networks. Currently, there are bridges for:
- Telegram
- Discord
- Gitter
- Slack/Mattermost
- IRC
- XMPP
- Facebook Messenger
- Signal
- Skype
For a comparison with some of the messengers mentioned above, check out the following table—look for Riot Matrix.
How Does Matrix Work?
Each Matrix user connects to a specific server, which is considered their “home” server. You can freely communicate with users on other servers. To fully control your data and communication settings, you can set up your own server, giving you “god mode” to do whatever you want—including routing to other protocols and messengers (IRC, XMPP, Discord, Telegram) or hosting bots.
When you send a message to a room (more on that later), it’s replicated across all servers participating in that room. So if one server goes offline, the other participants can still keep chatting. And don’t forget: Matrix uses end-to-end encryption, so in encrypted rooms even the server owner can’t read your conversations.
Which Messengers Use Matrix?
Here are some messengers that work with the Matrix protocol:
- Element
- Syphon
- Cinny
- FluffyChat
- SchildiChat
How to Get Started
First, download a Matrix-compatible messenger or go here to create an account and start chatting right in your browser. A list of native and third-party clients for all platforms is available here.
Matrix uses “rooms,” which are like public Telegram chats. You can browse room lists and their contents even without registering.
When registering, choose a server to connect to (or leave matrix.org as the default). Then pick a username, enter your email and password, or sign in via GitHub, Gmail, GitLab, and other services.
Just like with Mastodon, your username is tied to your chosen server, but you can still communicate with users on other servers.
How to Set Up Your Own Server
Setting up your own Matrix server is relatively easy if you’ve done something similar before. Just follow the documentation to deploy a Synapse instance. There are step-by-step guides for almost any system and provider.
Is Matrix the Perfect Protocol?
Yes and no. In September last year, a group of cybersecurity researchers discovered five vulnerabilities in code libraries that could be used to hack encrypted Matrix chat clients. A hacker could impersonate a real user and send messages on their behalf.
Three flaws were found in the matrix-react-sdk, matrix-js-sdk, and matrix-android-sdk2 libraries, affecting chat clients like Element, Beeper, Cinny, SchildiChat, Circuli, and Synod.im. Not all clients were at risk, as this was an implementation-level issue.
On September 28, the Matrix.org Foundation, which manages the Matrix protocol, released a bulletin describing these as vulnerabilities in Matrix’s end-to-end encryption software and recommended users update affected apps and libraries.
According to the Matrix.org Foundation, the vulnerabilities have been fixed, and there’s no evidence of them being exploited in practice. Exploiting all the flaws would require running a malicious home server.
Two critical issues were identified:
- Key/Device Identifier Confusion in SAS Verification (CVE-2022-39250): A bug in matrix-js-sdk that confuses device identifiers with cross-signing keys, potentially allowing a malicious server admin to impersonate a target user.
- Trusted Impersonation (CVE-2022-39251): A protocol confusion bug in matrix-js-sdk that could let an attacker forge previous messages from other users. Also tracked as CVE-2022-39255 (matrix-ios-sdk) and CVE-2022-39248 (matrix-android-sdk2).
Trusted Impersonation involves backing up a malicious key. In this scenario, a malicious home server admin could add a backup of a malicious key to a user’s account to exfiltrate message keys. The matrix-js-sdk library would accept keys forwarded by other users that weren’t requested, allowing a hacker to impersonate others.
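The hardened behaviour described above, as an added example in Python that is not matrix-js-sdk code but a simplified model: a forwarded Megolm session key is imported only if this device actually requested it and it comes from one of the user's own trusted devices. The event field names follow the Matrix spec's m.forwarded_room_key and m.room_key_request events; the KeyStore class, its method names and the sample values are assumptions.

```python
# Simplified model (not the SDK's code) of safe handling of m.forwarded_room_key.
# from_user/from_device are assumed to be resolved by the caller from the Olm
# session that decrypted the to-device event, not taken from the plaintext.
from dataclasses import dataclass, field

MEGOLM = "m.megolm.v1.aes-sha2"

@dataclass
class KeyStore:
    user_id: str
    own_trusted_devices: set                      # this user's verified device IDs
    outstanding: dict = field(default_factory=dict)  # request_id -> (room, session, sender_key)
    sessions: dict = field(default_factory=dict)     # (room, session) -> session_key

    def request_room_key(self, request_id, room_id, session_id, sender_key):
        """Record an outbound m.room_key_request so a later forward can be matched."""
        self.outstanding[request_id] = (room_id, session_id, sender_key)

    def on_forwarded_room_key(self, from_user, from_device, content):
        """Return 'accepted' or a rejection reason for a forwarded room key."""
        try:
            if content["algorithm"] != MEGOLM:
                return "rejected: unsupported algorithm"
            wanted = (content["room_id"], content["session_id"], content["sender_key"])
            session_key = content["session_key"]
        except KeyError:
            return "rejected: malformed event"
        # (1) Unsolicited forwards are the vector described above: drop them.
        matching = [rid for rid, w in self.outstanding.items() if w == wanted]
        if not matching:
            return "rejected: key was never requested"
        # (2) Only the user's own verified devices may answer the request.
        if from_user != self.user_id or from_device not in self.own_trusted_devices:
            return "rejected: forwarded by an untrusted device"
        for rid in matching:
            del self.outstanding[rid]
        self.sessions[(wanted[0], wanted[1])] = session_key
        return "accepted"

if __name__ == "__main__":
    # Constructed sample values, not real keys.
    store = KeyStore("@alice:example.org", {"DEV1", "DEV2"})
    evt = {"algorithm": MEGOLM, "room_id": "!room:example.org", "session_id": "sess1",
           "sender_key": "SENDERCURVE25519", "session_key": "SESSIONKEY"}
    print(store.on_forwarded_room_key("@alice:example.org", "DEV2", evt))  # never requested
    store.request_room_key("req1", "!room:example.org", "sess1", "SENDERCURVE25519")
    print(store.on_forwarded_room_key("@mallory:example.org", "DEV2", evt))  # untrusted
    print(store.on_forwarded_room_key("@alice:example.org", "DEV2", evt))    # accepted
```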
Another bug, dubbed “Homeserver,” is of medium severity: it allows a malicious home server to send invites to users it controls or to add its own devices to user accounts. Matrix.org promised to fix this soon, but I haven’t seen a follow-up report. Researchers noted that Matrix relies on a “specialized cryptographic protocol that hasn’t undergone thorough review by the cryptographic community.”
Author: Pavluu