Hacks

Typical Matrix users depend on IANA internet addressing, ICANN DNS, and the unnamed group (“TLS cabal”) that decides which Certificate Authorities popular browsers trust by default for TLS.

Matrix has the flexibility to address many threats arising from these and other sources. This chapter is more nerdy, so feel free to skip it.

Private CA

The “TLS cabal” has the power to facilitate Man-in-the-Middle (MITM) attacks on TLS connections. This requires the attacker to also be able to reroute traffic destined for the homeserver IP. IP spoofing is why TLS was invented.

By distributing a private CA’s certificate (its public key) to homeservers and users, and signing the homeserver TLS certificates with that CA, the “cabal” is bypassed.

IPv6 Mesh VPNs

There are several protocols for a global IPv6 overlay mesh VPN; examples include Cjdns, Yggdrasil and Pinecone. All of these derive each node’s IP from a 128-bit truncated hash of its public key, so the IP itself authenticates the node. Consequently, each system uses a large IPv6 address space: fc00::/8 for Cjdns and 0200::/7 for Yggdrasil. This prevents IP spoofing.

In addition, each protocol provides end-to-end encryption of every packet between two IPs. Relay nodes do not know what they are relaying.

Private DNS

ICANN claims the power to demand cancellation of any domain in any TLD (Top Level Domain, such as .ORG or .COM) at any time for any reason. Any TLD refusing to comply is removed from the ICANN global DNS “root zone”. Even two-letter country codes are removed.

The simple, but less scalable, mitigation is the ancient “hosts” file from the late 1970s. On most operating systems, including Windows™, it takes precedence over the more capable and scalable DNS protocol.

Opennic

Since DNS was designed to be federated, another mitigation is to use private DNS for part of the DNS namespace. For instance, the Opennic organization consolidates independent TLDs on independent (usually, but not always, volunteer-run) top-level nameservers. Opennic TLDs include .GEEK and .GOPHER, among others. TLDs not run by Opennic members are looked up via ICANN as usual.

MAF Application

An organization like MAF can simply declare an unused (or little-used) TLD to be “theirs”, e.g. .MAF.

MAF TLD

The nameservers for the .MAF TLD must then be distributed to all DNS resolvers wishing to resolve it, and those resolvers must keep it updated. Updating is typically automatic via the DNS zone transfer protocol.

Users must configure their devices to use the alternate DNS resolver or caching server, or add the needed names to their hosts file (and keep them updated).

MAF CA

Since no cabal Certificate Authority will sign a host certificate for such a TLD, there must also be a private CA for MAF, with its certificate distributed to the users of the host certificates.

Actually, a malicious CA will in fact sign a host certificate just to MITM such a site, and most browsers have no way to NOT trust the CAs endorsed by the cabal. So what is really needed is …

MAF VPN

Since a MITM attack also needs IP spoofing to succeed, using an IPv6 VPN with authenticated IPs thwarts the attack by preventing IP spoofing. In fact, TLS is not really needed at all if you use raw IPv6 addresses. A Matrix homeserver can be accessed via raw IP. Raw IPs can have certs signed by the private CA (cabal CAs will only sign IANA IPs, naturally).
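As an added example (not code from this chapter or from any of the projects it mentions), the following script uses OpenSSL to build the private CA described in the Private CA section and sign a homeserver certificate whose SubjectAltName carries both a name under the hypothetical .MAF TLD and a raw IPv6 address, then verifies the chain against that CA alone, as this section proposes. The hostname matrix.maf, the address fc00::1 and the CA name are constructed placeholders; the working-directory and file names are assumptions.

```shell
# Added example: private CA plus a homeserver certificate valid for a private-TLD
# name and a raw IPv6 address, verified against that CA only.  All names and
# addresses are constructed placeholders (matrix.maf under a hypothetical .MAF
# TLD, fc00::1 as a mesh-VPN address in the fc00::/8 range used by Cjdns).
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_NAME="MAF Private CA"   # constructed
HOST_NAME="matrix.maf"     # constructed
HOST_IP="fc00::1"          # constructed

# Self-signed CA certificate; "req -x509" marks it CA:TRUE by default.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=$CA_NAME" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Homeserver certificate signed by that CA.  The SAN lists both the name and
# the raw IP, so clients connecting by either form can verify it.
make_host_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$HOST_NAME" \
        -keyout "$WORK/host.key" -out "$WORK/host.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s,IP:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
        "$HOST_NAME" "$HOST_IP" > "$WORK/host.ext"
    openssl x509 -req -sha256 -days 825 -in "$WORK/host.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/host.ext" -out "$WORK/host.crt" 2>/dev/null
}

# Verify chain and SAN against the private CA only (no system trust store).
# Returns 0 when the certificate is valid for the given name or IPv6 address.
verify_host() {  # $1 = hostname or IPv6 address
    case "$1" in
        *:*) opt=-verify_ip ;;
        *)   opt=-verify_hostname ;;
    esac
    openssl verify -CAfile "$WORK/ca.crt" -no-CApath -purpose sslserver \
        "$opt" "$1" "$WORK/host.crt" >/dev/null 2>&1
}

# The same certificate against the default ("cabal") trust store alone: no
# issuer is found, which is why users must install the private CA certificate.
verify_with_system_store() {
    openssl verify -no-CAfile -no-CApath -purpose sslserver \
        "$WORK/host.crt" >/dev/null 2>&1
}

make_ca && make_host_cert
verify_host "$HOST_NAME" && verify_host "$HOST_IP" && echo "private CA chain OK"
```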

With the Synapse homeserver, you can add the homeserver name or IPv6 address to a TLS whitelist, which skips TLS. Since the IPv6 mesh VPNs already provide their own end-to-end encryption between IPs, it is redundant to do it again. If using a name instead of a raw IP, put it in the hosts file. That avoids depending on securing the private DNS with DNSSEC and DNSCrypt.

Note that an authenticated IPv6 VPN can also be used for peer-to-peer email that bypasses the globalist security traps.