Message metadata - such as sender, recipient, device ID, and timestamps - is not encrypted at the transport layer, and in many cases remains visible to the homeserver.
If it’s the problem that I’ve seen people complain about in the past, it’s effectively the same as HTTPS ‘not supporting’ end to end encryption because it runs over IP and IP packets contain the IP address of where they need to go, so someone can see that two IP addresses are communicating, which is unavoidable as otherwise there’s nothing to say where the data needs to go, so no way for it to get there. Someone did a blog post a couple of years ago claiming Matrix was unsecure as encrypted messages had their destination homeserver in plaintext, but that doesn’t carry any information that isn’t implied by the fact that the message is being sent to that homeserver’s IP.
Please explain. They don’t have that?
https://wire.com/en/blog/matrix-not-safe-eu-data-privacy
But what if the name of my home server is my private key? Mah jong, alchemists!