@m0xee You should be very wary of Matrix

https://gist.github.com/soatok/8aef6f67fec9c702f510ee24d19ef92b?permalink_comment_id=5058644

@feld
Yes, I'm aware of presence leak in multi-user rooms, I think this existed for years — would be great if they fixed that, but I'm not really concerned as I'm not using them 🤷

Aren't private chats in Matrix basically encrypted multi-user rooms between two people?
I ask because you can easily "upgrade" a two-person room to a multi-person room.

@Hyolobrika @feld
They are, but whom would it leak the status to in this case? There is your server and the server the other party is on — both are already aware of your presence 😆
The way I understand it, it sends out your status to all participants of group chats even to the sessions that no one verified explicitly or implicitly — if one of the participants is compromised, it could be used to track when you go online.

@Hyolobrika @feld
The problem was already blown out of proportion as it is, but in case with 1 on 1 chats it's not even relevant.
Besides, I think they have already implemented a "sort of" fix for that: "Never send encrypted messages to unverified sessions in this room from this session" in room settings is just that, but it's not perfect as you have to enable it for each of your sessions individually.

I don't really see how it could be fixed in any case. How can you send a presence notification to a participant in a chat without also notifying the server they are on? Even if it's encrypted it will still indicate that you are online.
Or is the problem that notifications are being sent automatically without the user's knowledge?

Right. I was thinking about the bug mentioned in the gist that room joins are unauthenticated and therefore a server can maliciously add users to spy on the participants.