The flagship instance for Matrix demonstrates the use of Cloudflare, which was found to be necessary to defend against DoS attacks. This CaaC (Cloudflare-as-a-Crutch) design has many pitfalls & problems, including but not limited to:
- digital exclusion (Cloudflare is a walled garden that excludes some groups of people)
- supports a privacy hostile tech giant
- adds to growth and dominance of an oppressive force
- exposes metadata to a privacy offender without the knowledge and consent of participants
- reflects negatively on the competence, integrity, and digital rights values of Matrix creators
- creates a needless dependency on a tech giant
#CaaC needs to be replaced with a #securityByDesign approach. Countermeasures need to be baked into the system, not bolted on. The protocol should support mechanisms such as:
- rate limiting/tar pitting
- proof-of-work with variable levels of work and a prioritization of traffic that’s proportional to the level of work, which can be enabled on demand and generally upon crossing a load threshold.
- security cookie tokens to prioritize traffic of trusted participants
Sadly, #Matrix is aligned with another nefarious tech giant, and has jailed its project in Microsoft Github. And worse, they have a complex process for filing bugs/enhancements against the spec:
https://github.com/matrix-org/matrix-spec-proposals/blob/main/README.md
Hence why this bug report is posted here.