The flagship instance for Matrix demonstrates the use of Cloudflare, which was found to be necessary to defend against DoS attacks. This CaaC (Cloudflare-as-a-Crutch) design has many pitfalls & problems, including but not limited to:

  • digital exclusion (Cloudflare is a walled garden that excludes some groups of people)
  • supports a privacy hostile tech giant
  • adds to growth and dominance of an oppressive force
  • exposes metadata to a privacy offender without the knowledge and consent of participants
  • reflects negatively on the competence, integrity, and digital rights values of Matrix creators
  • creates a needless dependency on a tech giant

#CaaC needs to be replaced with a #securityByDesign approach. Countermeasures need to be baked into the system, not bolted on. The protocol should support mechanisms such as:

  • rate limiting/tar pitting
  • proof-of-work with variable levels of work and a prioritization of traffic that’s proportional to the level of work, which can be enabled on demand and generally upon crossing a load threshold.
  • security cookie tokens to prioritize traffic of trusted participants

Sadly, #Matrix is aligned with another nefarious tech giant, and has jailed its project in Microsoft Github. And worse, they have a complex process for filing bugs/enhancements against the spec:

https://github.com/matrix-org/matrix-spec-proposals/blob/main/README.md

Hence why this bug report is posted here.