Hacker News new | past | comments | ask | show | jobs | submit login
France’s government is building its own encrypted messenger service (reuters.com)
239 points by lnguyen on Apr 17, 2018 | hide | past | web | favorite | 130 comments

This isn’t a case of NIH; France has adopted Matrix for the project, which is a lightweight fork of Riot.im combined with a large private federation of Matrix servers. The whole thing is open source (although not public yet, as it is very early days) and open standards based. At Matrix.org we’ve been providing some support to them :) It’s very exciting to see open government projects which actually grok open source and open standards.

I'm so glad Matrix/Riot.im is getting some traction. This and https://blog.status.im/status-invests-5m-in-riot-im-4e3026a8... may be two important steps.

As I understand Matrix is not a fork of Riot, Riot is just a client for a Matrix synapse server (there are others like WeChat) provided by the devs.

I think he means the project is a lightweight fork of Riot.im, which is using the Matrix protocol.

wechat != weechat

Would you say it's a correct description of Matrix to call it "Jabber/XMP without the whole XML mess and over HTTP"?

Not really - the protocols are very different. Matrix is a way of replicating conversation history over a mesh of participating servers; a bit like a bunch of Git repositories constantly pushing commits (messages) to one another. XMPP is much lighter weight and builds on simpler message passing and pubsub primitives. You can use both to build comms systems, but they take opposite engineering and governance approaches on almost everything.

> a bit like a bunch of Git repositories constantly pushing commits (messages) to one another.

Why would you need to do that? Why not just give every message a timestamp, make sure they get sent, and sort the messages on the receiver side? If you're really concerned about message order, you could give every message a unique id, and send out the id of the previous message with every message, and improve your sort function accordingly.

Absolute timestamps cannot be trusted in a byzantine environment, so we do precisely as you suggest - messages are transmitted with pointers to the previous message(s) in the room message graph, so you get a partial ordering within the room (just like git). We also sign the messages into a merkle graph (like git) to stop the shared datastructure being tampered with.

So it's a blockchain! /s

Ok, makes sense now, thanks!

So, Matrix is a better IRC, while XMPP is a better IM.

Matrix is a better NNTP, while XMPP is a better SMTP

For all the hate XML gets... it's not that bad. Certainly not worth switching protocols for. Main problems with XMPP is a divided ecosystem where different clients and servers support different features, and that multi-client encryption is severely flaky.

At least multi-client encryption exists for XMPP, unlike for WhatsApp.

See https://omemo.top/

Also, there is relatively minor subset of features that provide good messaging experience: https://conversations.im/compliance/

Their architectures differ a lot and nowadays you can use XMPP with HTTP via BOSH. I think a fair comparison is the one in the Matrix FAQ:


Disclaimer: I prefer XMPP.

If you think XMPP is bad, take a look at Matrix’s "new HTTP connection for each sent or received batch of messages", thanks to HTTP longpolling.

> France has adopted Matrix for the project

Could you provide a source for this?

I'm the project lead for Matrix. Failing that, on the French side there's been some press where they've confirmed the system is built on Matrix & Riot (https://www.nextinpact.com/news/106463-la-france-travaille-a..., although it's behind a paywall), plus others have spotted the Github repository too.


I'm guessing he is the source.

Actually the source seem to be already available here: https://github.com/dinsic-pim

That's great; this other article I read about this kept mentioning Telegram and how Macron used that during his campaign, so this is much better than I expected :)

yes, the point of the project is to provide a secure and self hosted (yet interoperable for intra- and inter-government purposes) alternative to Telegram for state comms :)

What would appear in a lightweight fork of Riot though? Do you just remove a lot of the fluff to make it a bit more accessible for the public/general consumer?

you simplify the ux (eg autodiscovering the right homeserver); hook it up to directory services and/or SSO; simplify the e2e crypto UX; change the logo and branding, and have a basis to build on for whatever future custom features they need.

This sounds great! I am looking forward to running it.

But I also need an admin panel to lookup user ip addys from the past 36 hours, ability to assign moderator user roles who can see other user's ips, ban ip addys, subnets, hostnames and cidrs easily.

Love to have some other needed admin options and run this! A stun / turn server to hide other user's ip addys and such as well, interception of images posted so they are scanned, exif stripped and hosted temporarily rather than giving the hoster everyone's ip info.

Stuff like that.

I guess blocking users from joining the huge main matrix channels through our server would cut down on the ram / processing needed..

I wonder if something like https://access.watch could hook into this, or if it needs something all in it's own language or what. Looking forward to this system growing.

were doing exactly that at the place i work at, riot has too many settings and can be quite hard for a "normal" user (someone who is used to slack for example).

would love some kind of integration with openid connect though, since that would enable us to easier integrate with our AD. of course we could make that ourselves but we dont have the manpower right now.

It has (or at least had, when I ran a server) support for CAS. JASIG CAS isn’t that difficult to set up against AD, I think Shibboleth has a plug-in that implements the protocol too.

Really? We are looking to use it for some of our work but are aware that the UI/UX esp around keys is a bit messy. Would be great to see how your simplifying it.

I like (and use) Riot.im but as an electron app that uses ~300 MB of RAM (I just checked) it is definitely not lightweight.

I can't think of any way they could make it lightweight either. Maybe if they treated the JS as pseudocode and re-implemented as native clients.

The lightweightness here referred to the complexity of the fork - i.e. it's not an attempt to entirely rewrite Riot, but instead a reskinning and UX simplification exercise. The intention is to be able to keep merging in updates from Riot proper (and indeed to port stuff back into Riot).

Agreed that Riot itself uses way too much RAM though - but we have some massive improvements on the horizon there; by lazyloading user data on demand rather than preloading it up front, we can improve RAM usage by ~5x. This work is happening over the next month or two (modulo GDPR).

Meanwhile, you can always use a desktop client; Nheko, Fractal and Quaternion are all looking increasingly good :)

I would've liked better if they'd gone to extend XMPP clients to do audio/video, but this is ok as well.

jitsi does this.

Is Matrix planning to use MLS for interop with other E2E systems?


Good question.

We're participating on the periphery of the MLS discussions, mainly to try to encourage the MLS team to consider and support decentralised use cases.

At the moment there's a temptation to go for a simpler approach which assumes there's a centralised sequencing server which solves all the races you otherwise get (and which have plagued us in Matrix whilst implementing Megolm). However, assuming a centralised focal point for each group conversation kills the whole point of decentralisation, so we're trying to ensure it's not designed out.

See https://mailarchive.ietf.org/arch/msg/mls/MnLJkbJ_Mwe8Oz0Ll6... for the gory details.

Has Matrix considered developing a DMLS (D for decentralized use cases) specification for submission to IETF?

We may have to go down that path if MLS ends up being decentralisation unfriendly.

> This isn’t a case of NIH

Makes sense as the title says "due to surveillance risk".

Comment from a French insider: It will not work. The last two IT projects the government ordered I have in mind are the ears dropping facility for the police and SAIP, an application to warn citizens in case of a dramatic event such as a terrorist attack. Both are failures. On the first one, the police complains of crashes, slowness, and not fulfilling its missions. The second simply does not warn people when there is an attack...

The worst is that it will cost tax payers millions

You forgot Louvois which was used to pay the soldiers' salary. The project costed 500 millions € before being cancelled and a new contract bid was won ... by the company that was unable to write the software in the first place ...

Lets hope it's not as bad as this French government project:


All government projects goes wrong (I was in several of them). But man this was extreme.

As someone using it already, it works pretty well actually ;p

Such a comment is meaningless without context. How often do corporate IT projects fail? How often do government IT projects fail?

The problem is not really about corporate vs government, it's about size.

These folks tend to think big. Everything else stems from that. What they really need is a little app with simple messaging, end to end encryption, and a server that doesn't log anything they don't want it to log. What they are likely to get if they pay some big shot contractor big money to do it is a Swiss army knife the size of a kitchen sink. With bugs.

How is the corporate failure rate relevant?

It is relevant because IT projects are inherently difficult, and many of them fail. Just because the French government failed at two projects mentioned in the original comment does not mean that a) it's particularly bad at IT projects or b) it will necessarily fail again. Having the corporate failure rate as a baseline could help assess the proficiency of governments around the world.

It is if the grandparent meant to disparage government IT projects (compared to corporate IT projects) -- which is a possible reading.

(It's also relevant because because we pay corporations with subsidies, tax cuts, tax evasion, research grants, public procurement, specialty laws favoring them, etc -- sometimes even more than we pay governments).

SAIP has never sent an alert to me. But I get alerts from International SOS. So a third party emergency app does a better job than the official French app. Quelle surprise!

Yes let not forget the unifed medical record.

And SAIP was budgeted for at least 78M€ ...

That seems insane, even for the French government. Do you have a source ? I can't find anything with a 2 minutes search.


That actually was the estimated cost; it grew at least at 81,5M€. (there's also a story in the article about one of the components of that seemingly simple app being 37 months late)

81.5 for the whole project SAIP (broadcasting warnings on several mediums (phone, ad panels, radio, TV,...), not only the SAIP app.

Or the phones nobody in our gouvernement wants to use (slow, old tech, freezes alk the time).

The spin here is funny. The article pretends this is done to prevent eavesdropping, while it is probably closer to the truth that this is done to ensure eavesdropping by the DGSI.

If you're talking about the metadata, yes, probably. It 's the same kind of eavesdropping capability you'd have from Signal servers (i.e: not much).

Also: from what we've seen of Macron's team, they've proven that they have good-enough internal technical advisors; so it remains to be seen if they'd use a solution that can be eavesdropped.

Unless you can verify the deployed build against an open source code, whether the code is open source or not is irrelevant, you trust all the intermediaries. Which is ok for a corporate actor but probably not when you are a sovereign actor and know you are dealing with a keen NSA. How could you control that Apple or Google wouldn’t patch the app before it gets deployed or after it has been deployed?

A known Ken Thompson speech: https://dl.acm.org/citation.cfm?id=358210 (has a link to the full text as PDF).

4 paragraph summary: http://www.catb.org/jargon/html/B/back-door.html

On Android (at least); you can verify that the apk is signed with the developer's key; and Signal provides reproducible builds. Then the app is designed to not trust the server.

I think we are in agreement that Apple or Google could patch the app before it gets deployed. But AFAIK it has never been done yet, and if it ever happens, it would undermine all credibility of the platform. Of course a state actor wouldn't want to be the first to find out.

Thinking about it, Google and Apple actually don't even need to patch the app, they have access to all key strokes and screen rendering. It just needs to be a few lines of code hidden anywhere.

This would need patching the OS at runtime, but yes, it's also possible.

What I mean is that perhaps they already have.

It's a possibility. It just wouldn't make any business sense, it's a pure self-destruct button. And there are hundreds of reverse engineers on both platforms that could have caught it by now.

I imagine you’d run your own OS with reproduceable builds all the way down.

All the way down to the hardware manufactured in China. Life sucks for paranoid intelligence services.

> (i.e: not much).

Not sure if I'm 100% right here, but knowing all my contacts and when I communicate with whom is an awful much.

> Not sure if I'm 100% right here, but knowing all my contacts and when I communicate with whom is an awful much.

Signal actually doesn't know all your contacts - you can check the source code to confirm that it doesn't know about any contacts that you don't message using Signal, for example.

Signal also doesn't store most of the metadata that it could, so it really knows incredibly little about its users. It knows (for example) the last date that it was able to talk to a particular device, but they don't store historical data for that, so if you received a message on Signal today, they don't (anymore) know that they sent you a message yesterday, or last month.

Of course, that second part all runs server-side, so you do have to trust Signal when they describe their internal architecture. But to be frank, who do you trust more with that metadata: Moxie Marlinspike, or the government that is essentially the "sixth eye" in the Five Eyes alliance[0]?

[0] https://www.defensenews.com/global/europe/2018/02/05/french-...

>Signal actually doesn't know all your contacts - you can check the source code to confirm that it doesn't know about any contacts that you don't message using Signal, for example.

I get a message in the app when a contact starts using Signal, so it has to know them server-side.

The other part of the comment was reffering to what the server could know (in the gov. case - will know), and that IS quite a lot (assuming Signal style service).

And I do trust Moxie nominally, but I also believe that he will obey US courts.

Hahahaha. My sides.

Macron is hawkish about surveillance, despite public appearances. Long term, they want everything.

I think the main idea now is: let’s make it appear trusted, and see who signs up.

End to end encrypted is no good if there are side channel attacks to get your keystrokes, like from say, closed source radio firmware zero days.

Yup. As a French citizen I’d trust a Chinese servicr more than a Franch one. Sure they evedrop more, but at least they’re less connected with French politics.

What’s amusing is that foreign secret services are not the only ones snooping on French politicians. French secret services have a whole department (formally called RG) in charge of collecting files on every domestic public figure (own file is a interesting ritual read for a newly promoted minister of interior). The justice dept had also an interesting interpretation of attorney client privilege where it argued recently that it was ok to snoop if retroactively a wrongdoing is found (the Sarkozy case).

If I was a tech savvy French politician I would try to use something that is neither in control of French authorities nor foreign. But French politicians are almost exclusively political science graduates, lawyers, doctors and teachers, not typically tech savvy.

> But French politicians are almost exclusively political science graduates, lawyers, doctors and teachers, not typically tech savvy.

I think this applies to politicians worldwide, at least in western countries.

We have a non-insignificant number of engineers as politicians in Portugal. E.g. the current Secretary-General of the UN is one of our ex-PMs, and is an ex-assistant professor of Telecommunication Signals after having graduated in Physics and Electrical Engineering.

Considering our political panorama, I don't think this has helped much, though.

> If I was a tech savvy French politician I would try to use something that is neither in control of French authorities nor foreign.

What's the domestic app in France that comes closest to fulfilling that?

The RG are dead, but now it's the DGSI (Direction générale de la Sécurité intérieure aka General Directorate for Internal Security)

I remember when they tried to build a Google rival:


When tax dollars go into open source, it's just an endless chain of win-win-win-win-...

News like this is just great. :-)

I hope its a win for good old capitalist competition and diversification (if it makes it into the public) even though its state sponsored :)

Yeah its a total win for the french tax payer who will spend a bunch of money on a service that they neither need nor want.

It seems that the source have already been published and is using open protocols.

I'm actually greatly pleased that my taxes are spent on an app that is actually accessible from the public, and will benefit open source project. This should be the standard way for most government development projects.

Which means you already have conducted a nation-wide poll on the question?

This is awesome to see! My only wish was that matrix and riot were clearly mentioned. This would have significantly raised the profiles of both projects that I'm a big fan of.

To @Arathorn and any other members of matrix and riot teams, kudos on this news, and great job! Next step - of course, beyond the tech work already being done on the platforms - is to promote the heck out of this news!! ;-)

EDIT: Ok, there's at least some other promotion elsewhere which mentions matrix and riot; cool: https://www.tomshardware.com/news/france-alternative-whatsap...

thanks :) the problem here is that the government comms guys simply don’t know about Matrix or care about the underlying protocol, hence lack of reference to Matrix. Hopefully the word will get out anyway!

> Both WhatsApp and Telegram promote themselves as ultra secure because all their data is encrypted from start to finish.

Sigh. I wish they had added that Telegram is not "encrypted from start to finish"

What about using Signal? Will they do something else then using the Signal protocol? If so, this might be either pretty expensive or could go wrong.

"Surveillance Risk" means that there is a risk that somebody other than the French government can do surveillance.

> If so, this might be either pretty expensive or could go wrong.

Keep in mind that they also wasted millions on building a "Google Competitor": https://en.wikipedia.org/wiki/Quaero

For the people receiving the money it didn't go wrong though.

I thought about that too...if their concern is that they want the server to remain on French soil could they not spin up an instance of their own Signal server?


Afaik they would still need Google Services, based in the US obviously, to run Signal.

There's technically an APK on the Signal website without Gapps, but it's not officially supported by the development team. On their issue tracker they "leave it to the open source folks", i.e. ignore serious bugs like massive battery life degradation and Signal silently not updating for hours.

Thing is, you either get massive battery life degradation or your messages won't get through, there isn't much of a choice there unless you use push messaging. Google Cloud Messaging allows Signal's servers to send a "Hey, wake up and connect to us!" message to your phone, and every other app uses GCM for this as Google has spent a ton of time trying to optimize both reachability and battery life with GCM.

Maybe something will come along to supplant this, but for now push messaging is how we deal with terrible state table problems at the cell network operator level without wrecking battery life.

Not only that, Google apparently has agreements with mobile network operators to ensure that their long-lived connections don't get closed after a few seconds or minutes of inactivity. Some mobile ISPs close idle connections after as little as ten seconds, so unless you're in a position to negotiate with just about every major mobile network operator worldwide, you can't really offer the same level of service.

Apple likely has similar agreements too. I'm hoping that IPv6 will help alleviate many of these issues, as while your address may change as you move between towns, the state table needing to be maintained will be much less complex.

Signal doesn't work with desktop _only_ (without ever touching a smartphone). Matrix and XMPP does.

I've seen (at least in a dev build) support for activating an account on desktop, i.e. you enter a confirmation code sent via SMS to a phone number you chose. That phone number needn't necessarily only be accessible through a smartphone, I'd presume.

Is there a reason a crypto messenger team wouldn't seem to publish their protocol specs using BAN notation that people can objectively reason about, and then verify the implementation of it in the code?

As in, if you can't explain it this clearly, what's the problem?


Having worked on some crypto projects, the admonition to, "just read the code," is disingenuous, because without a formal spec, you have nothing to compare the code to or evaluate the code against.

Now that's how it's done. Nice.

I don't quite get the need of messaging service for the government when there are already other secure/official means of communication. Would any corporate promote messaging app over official email communication channel for employees?

I though we already had such a service, used by top-level government executives.

Are these communications preserved for open records purposes? This seems like a good way for government officials to avoid scrutiny from the public or history.

What is the best Matrix/Riot Android app right now? I see Riot only has 50k downloads which I'm not sure if is a mistake or reality.

Asking for "the best" might be a bit subjective, no? Early on, the Matrix Console Android client was ok; i had no problems with it. Though i think it was intended merely as a reference implementation. The Riot client (it used to be called Vector client) gained alot of attention since the beginning, so its got plenty more polish. I honestly have not used any of the other clients - since happily sticking with Riot (web client). But the matrix.org site does have a list of clients/apps (and the list is much longer than I recall since the last time I checked): https://matrix.org/docs/projects/try-matrix-now.html You lose nothing in giving a few of them a try. Cheers!

It's funny how I'm learning things about my government first on NH and not on national news.

Edit: and I've learned a few other things (SAIP, Quaero)

Well looks like our government (I'm French) is having the NIH syndrome as well. Why not reusing existing solutions like XMPP + OMEMO? They can invest a few thousands euros in those projects and in a couple of open source clients. Plus this will also allow the citizen to have a nice, government funded, encrypted solution.

But hey, it's not "sexy" enough. So they'll drop some public money to a big company that knows "what they are doing" and deliver a crappy platform that no one will use :) It already happened too many times.

The article was pretty light on details, but isn't it more a case of "Not Hosted Here"? This is the only relevant parts I could find:

> We need to find a way to have an encrypted messaging service that is not encrypted by the United States or Russia


> The French government’s encrypted app has been developed on the basis of free-to-use code found on the Internet.

I'm hoping this means they are using a mature, open implementation for most of it.

As per another comment, the project is 100% FOSS (other than the operational bits) and is built on Matrix.org

+1 on that. Based on the article I hope they’re using signal or some other reputable crypto. Ideally they’ll host it in France and provide a good UI

I think it is intended for the government only, you'll never see it as a citizen.

Because it's not about building an encrypted solution, it's about building "our" encryption solution, so that we can break it when needed and infringe on privacy of citizens. Western European countries are going full speed ahead on censorship and surveillance, so no wonder they are trying to fight 'pesky' foreign encryption schemes.

This is a boring middlebrow dismissal. Please provide some evidence, or shut the hell up.

XMPP is legacy, and rightfully so. With it, by default, communication is in cleartext, there is no way to ensure message reliability and integrity without privacy implications, and multi-device support is arkward.

That's why OP said "XMPP + OMEMO".

Wasn't PGP illegal in France in the 1990s? Do they expect people to trust them?

> Wasn't PGP illegal in France in the 1990s?

Essentially yes (and not just PGP), strong cryptography fell under arms regulations and required, essentially, the equivalent of a firearms license (but was, by contrast, almost impossible to obtain). Import and export of cryptography technology are still regulated, though [1].

> Do they expect people to trust them?

I’m not sure what you mean by that: This isn’t a trust issue, the French government is/was completely upfront about these restrictions.

[1] https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFT...

Wait a minute, does this means what I have done with Monocypher¹ is illegal? I live in France, and I clearly provided and exported "cryptographic means", and I haven't written a word to our prime minister.

Same goes for Libsodium by the way, I doubt Franck Denis bothered to ask permission as well.

[1]: https://monocypher.org

As far as I understand (I haven’t lived in France since 2004), the import and export restrictions are essentially unenforced, and nobody cares (as long as you’re not actively trading with embargoed nations). But if you’re working in cryptography, it might be worth talking to other local experts. There are surely user groups that know the legal situation inside out — at the very least, publicly funded researchers should be able to point you to resources.

The trust issue is whether to trust the French government to care about the privacy of individual citizens over its own surveillance capability towards those citizens, when it made the opposite tradeoff in the past.

Though I agree it's not as bad as if they had been caught lying on the topic. Still, are they specifically saying the tool will protect people from the government itself?

Why would people not trust the current government's endeavours because of the state of things about twenty years and ten governments ago?

I wish I would have seen a GitHub repo opened by the French government (à la Keybase) instead of an article from Reuters telling me that 20 officials beta-test an app developed by "we don't know who" using the taxes that pay my parents and friends. Show, don't tell.

So there is an open github repo, and I’m a bit surprised they’re not linking to it - I think this reflects more on the government comms processes than the FOSS side of things. On the Matrix side we’re seeing what we can do to help.

Would it not have been enough to pass a law that prohibited survaillance?

It's a wonderful initiative, but I doubt the average user will switch.

Until there is an open source micro chip i won't believe that any security protocol is not being cheated.

When are they rolling their own CPUs, in light of Intel ME and associated surveillance risk?

So if it can’t be perfect we might as well give up? One time pads or go home?

No, I was just wondering how far they are prepared to go.

Applications are open for YC Winter 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact