this post was submitted on 21 Jul 2023
41 points (100.0% liked)

Privacy Guides

16784 readers
61 users here now

In the digital age, protecting your personal information might seem like an impossible task. We’re here to help.

This is a community for sharing news about privacy, posting information about cool privacy tools and services, and getting advice about your privacy journey.


You can subscribe to this community from any Kbin or Lemmy instance:

Learn more...


Check out our website at privacyguides.org before asking your questions here. We've tried answering the common questions and recommendations there!

Want to get involved? The website is open-source on GitHub, and your help would be appreciated!


This community is the "official" Privacy Guides community on Lemmy, which can be verified here. Other "Privacy Guides" communities on other Lemmy servers are not moderated by this team or associated with the website.


Moderation Rules:

  1. We prefer posting about open-source software whenever possible.
  2. This is not the place for self-promotion if you are not listed on privacyguides.org. If you want to be listed, make a suggestion on our forum first.
  3. No soliciting engagement: Don't ask for upvotes, follows, etc.
  4. Surveys, Fundraising, and Petitions must be pre-approved by the mod team.
  5. Be civil, no violence, hate speech. Assume people here are posting in good faith.
  6. Don't repost topics which have already been covered here.
  7. News posts must be related to privacy and security, and your post title must match the article headline exactly. Do not editorialize titles, you can post your opinions in the post body or a comment.
  8. Memes/images/video posts that could be summarized as text explanations should not be posted. Infographics and conference talks from reputable sources are acceptable.
  9. No help vampires: This is not a tech support subreddit, don't abuse our community's willingness to help. Questions related to privacy, security or privacy/security related software and their configurations are acceptable.
  10. No misinformation: Extraordinary claims must be matched with evidence.
  11. Do not post about VPNs or cryptocurrencies which are not listed on privacyguides.org. See Rule 2 for info on adding new recommendations to the website.
  12. General guides or software lists are not permitted. Original sources and research about specific topics are allowed as long as they are high quality and factual. We are not providing a platform for poorly-vetted, out-of-date or conflicting recommendations.

Additional Resources:

founded 1 year ago
MODERATORS
 

I was sold on Matrix as a viable alternative to Discord but recently read this article which made it look not so good.

you are viewing a single comment's thread
view the rest of the comments
[–] dngray@lemmy.one 3 points 1 year ago (1 children)

leaks more metadata than XMPP

XMPP is not a private protocol either. In a lot of cases data is not E2EE, there is no reference clients and there's a mess of standards that very few if any clients fully implement.

[–] amanneedsamaid@sopuli.xyz 2 points 1 year ago (1 children)

The "lot of cases" you're referring is using XMPP without OMEMO enabled, which is a pretty moot point as anyone using XMPP for any sensitive purpose would enable this (and every client I've used clearly warns you your message content is unencrypted if this is disabled). Also, XMPP has better (imo) and more numerous clients than Matrix on every platform except iOS and MacOS (No better XMPP client than Element on these platforms).

I disagree that XMPP is a "mess of standards". XMPP is one standard, extremely minimal at its core, which is highly extensible. The issue you're talking about is that clients dont always support every XMPP feature, although they all support OMEMO.

I definitely prefer an extensible protocol to a much heavier, metadata-leaking, less-feasible to self host solution like Matrix.

[–] dngray@lemmy.one 3 points 1 year ago* (last edited 1 year ago) (1 children)

you’re referring is using XMPP without OMEMO

OMEMO encrypts text messages for VOIP you need DTLS-SRTP encryption or Jingle session encryption. OMEMO has no concept of cross signing, ie one device being trusted and therefore the others either if they do an authentication with each other. Device verification has to be done each session which is a massive pain.

warns you your message content is unencrypted if this is disabled

The point is that Matrix 1:1 calls are always encrypted and soon with MSC3401: Native Group VoIP Signalling 1:many VOIP calls will be as well. Having foot guns about what might be encrypted or not in a client isn't very private at all.

Also, XMPP has better (imo) and more numerous clients than Matrix on every platform except iOS and MacOS (No better XMPP client than Element on these platforms).

I've used Nheko and that's pretty good. Last time I checked the XMPP clients that existed had a lot of rough edges and feature inconsistency.

I definitely prefer an extensible protocol to a much heavier, metadata-leaking, less-feasible to self host solution like Matrix.

That is definitely your opinion, Matrix has shown to be very feasible in a commercial sense as there are many providers and commercial clients using it, french, german government etc. There are also quite a few clients using EMS. They claim: "Matrix is an open network for secure, decentralised communication, connecting 80M+ users over 80K+ deployments."

Which is probably a lot more than XMPP.

Matrix really can be quite lightweight enough that it will be entirely possible to run a homeserver locally in WASM which is what the Matrix P2P project is about. https://arewep2pyet.com/ has more details about that. It's also possible to have very light Matrix servers Breaking the 100bps barrier with Matrix, meshsim & coap-proxy. The reason that a lot of public Matrix servers are quite "heavy" is because they have many numbers of users, and activity. Synapse has also made huge gains in this regard to what it was originally, and we know that Dendrite uses a lot less resources (that I've tested privately).

With RFC 9420 aka Messaging Layer Security (MLS) it should be entirely possible to have large E2EE rooms without too much of a performance hit. Matrix is also working on MLS: A giant leap forwards for encryption with MLS. They have a site tracking that: https://arewemlsyet.com/

The point is a lot of testing and thought goes into these things.

metadata-leaking

You're pretending XMPP doesn't have metadata between servers, it certainly does it's really no more private than Matrix.

This is what Matthew Hodgson (Arathorn) - CEO of Element had to say about it in March 13, 2022:

Talking of sloppiness, that hackea.org article is a huge steaming pile of FUD about Matrix.

For what it’s worth, the team who came up with Matrix was originally based in two separate startups: one in the UK doing VoIP, one in France doing mobile dev. Both got acquired by Amdocs in 2010, but we ended up forming an independent “incubated startup” first to build telco apps, and then we came up with the idea of Matrix in ~2013. We then built out Matrix until 2017 when Amdocs killed our funding, having run out of patience for what amounted to generous FOSS philanthropy.

We then set up New Vector (now Element) as an entirely independent UK/FR startup, and have received zero funding from Amdocs since. To be crystal clear: Amdocs has zero privileged influence or control over Matrix (or Element, for that matter), and has zero access to the Matrix servers we operate as Element. And besides - the whole point of Matrix is that you can and should run your own servers so you can pick who to trust, even if you don’t trust the project itself.

[–] amanneedsamaid@sopuli.xyz 1 points 1 year ago (1 children)

You are correct about a lack of standardized VOIP encryption, I hadnt thought of that as I never make calls using XMPP.

I was talking about individuals self hosting XMPP, not organizations. And I would imagine its much more popular for organizations to host XMPP servers, as government agencies and business already have been since the early 2000s.

As for the metadata leaking, while metadata is obviously available to the admins of the servers you and you recipient are using, these chat histories are not synced in their entirely, and not to other instances. Is this not the same in Matrix, except that the metadata is more freely shared between servers?

Either way, SimpleX chat addresses most of Matrix and XMPP's shortcomings, I hope it can one day replace them.

[–] dngray@lemmy.one 2 points 1 year ago

As for the metadata leaking, while metadata is obviously available to the admins of the servers you and you recipient are using, these chat histories are not synced in their entirely,

Maybe so, but for a public room it really means nothing because they could just join it anyway. Every client has a copy. The point is neither system has deniability in terms of "I was never talking to this person". I do think there is more utility in Matrix's future with P2P accounts however, that don't depend on a single Matrix server and can be rotated. Anything you aim to be anonymous with should be regularly rotating accounts as we suggest. Take a look at XMPP: Admin-in-the-middle. Admins can get more than enough.

SimpleX chat addresses most of Matrix and XMPP’s shortcomings

Except there is no desktop client, and I'm not sure how it will work at scale. It does not have anywhere near the feature set of Matrix. The whole "spaces" thing is the beginning and I suspect they'll be doing a lot more there, specifically: "Spaces effectively gives us a way of creating a global decentralised filesystem hierarchy on top of Matrix".

I hope it can one day replace them.

I honestly doubt that will ever happen they aren't really competing products. Matrix is really meant for large scale networks, a bit like a whole social media platform, whereas SimpleX is more like a competitor to Signal or Session.

I would like to see Decentralised user accounts and I think they may be still looking at this because it would be nice to be able import your account somewhere else if a home server you're on shuts down or something.