That article is mostly FUD, but there are very good reasons to be sceptical of Matrix, as it is mostly driven by a VC funded for-profit company.
If you are looking for a truly community driven and owned alternative, check out XMPP: https://joinjabber.org
XMPP has issues such as rooms are not properly decentralised, not all clients support proper replys and you cant edit messages older then 1 message
the servers are much lighter then matrix servers, conduit is quite light and fast compared to synapse but not as light as XMPP servers
The message editing thing is just a client setting and having a single source of truth for a room is a huge advantage of XMPP that Matrix is now reinventing as they realized their hyped decentralized rooms are just a gimmick feature that causes more problem than it solves.
Linearized matrix wont be replacing the current way rooms work, especially with how they want to make the clients p2p eventually, its just for the DMA and convincing them to go with matrix
Yes the article is FUD and sloppy. This is what Matthew Hodgson (Arathorn) had to say about it:
Talking of sloppiness, that hackea.org article is a huge steaming pile of FUD about Matrix.
For what it’s worth, the team who came up with Matrix was originally based in two separate startups: one in the UK doing VoIP, one in France doing mobile dev. Both got acquired by Amdocs in 2010, but we ended up forming an independent “incubated startup” first to build telco apps, and then we came up with the idea of Matrix in ~2013. We then built out Matrix until 2017 when Amdocs killed our funding, having run out of patience for what amounted to generous FOSS philanthropy.
We then set up New Vector (now Element) as an entirely independent UK/FR startup, and have received zero funding from Amdocs since. To be crystal clear: Amdocs has zero privileged influence or control over Matrix (or Element, for that matter), and has zero access to the Matrix servers we operate as Element. And besides - the whole point of Matrix is that you can and should run your own servers so you can pick who to trust, even if you don’t trust the project itself.
"5 years after the creation of Matrix, and after 5 years of centrally receiving such a scandalous amount of users private data from their «decentralized» software, it was only after the mentioned report was published when the Matrix developers published some «privacy improvements» [13] addressing some of the revealed problems.
We have not read it."
This seems lazy to me. I haven't read the report but i'm also not the one writing an article bashing matrix. If i was I'd want to know whether my concerns are still valid, and as a reader i want to know whether the concerns they brought up still apply without having to read a whole other report
The rest of the article reads the same. They even said what they were repeating is probably FUD and made zero effort to investigate.
yeah it seems like they started writing this article by forming an opinion then cherry picking, not looking at the data and then forming an opinion around it
That article is full of fud don't trust it
but I do generally like matrix, its far from perfect but I do think its the best bet for a decentralised chat platform
Matrix is okay but like anything else, it's security is dependent on your server admins. Session has no server so that's what I'd recommend if you have the option.
there is still servers it goes through to get to whoever your talking to and it doesnt have perfect forward security so that a no go for me
It goes through TOR "nodes" but it can be routed through any of 10k different ones. It doesn't go through any Session servers and doesn't need Session servers.
Perfect Forward Secrecy is not important and Session details clearly why it works this way..
Session has no server so that’s what I’d recommend if you have the option.
Closed rooms in session are limited to 100 people iirc. You can have Matrix rooms with any number of users.
Matrix is fine, just use end-to-end endcryption which is trivial to set up.
Theres a lot of metadata that's not encrypted in matrix, some of which goes to matrix.org no matter what server youre using.
If your talking to someone and your both on a server that's not matrix.org no data gets sent to matrix.org
Except that the Element web-client also phones home to matrix/element mothership.
thats one check and just use another client :P and that doesnt send the messages in the room to matrix.org so that doesnt have anything to do with the comment I replied to
Now you're just making excuses for new vector/matrix
all it does is ping to check that your config.md is valid I think its not the end of the world like people make it out to be and its element/new vector not new vector/matrix
Element web-client also phones home
It doesn't send metadata about your use. There is a version check though.
That is the nature of any federated protocol.
E2EE works well enough within rooms and that is likely where private data is to be anyway. As long as you Matrix and assume that everyone can see your Matrix ID and room IDs you'll be okay.
XMPP isn't any better in that regard.
That's why I joined a Swiss server 😀
It doesn't matter what server you use, unless you do not interact with anyone from matrix.org.
It does matter, because it would be a lot harder to get my information. It's called reducing your attack surface. Same reason I use an encrypted Swiss email provider.
What are you talking about? Metadata is information about your messages besides it's encrypted content; i.e. time of send and who the recipient and sender are. Matrix has a large weakness, as most users use matrix.org. This is bad because metadata can reveal a lot about ones communications, and most every message sent on matrix (unless it is in a private message with someone not using matrix.org) is passed through matrix.org. This pools a lot of metadata in one place, and there are other messengers do not have this issue, or if they do, they do not have it as badly. Metadata is not magically hidden because your server is located in Switzerland.
I'm very aware of what metadata is. I'm not sure what's confusing you.
If my data is not on matrix.org, no one can get my data from Matrix.org.
If my data is on a Swiss server, the government can't get it, even if they have a warrant.
If I have some data on matrix.org and some data on a Swiss server, they can only get my data on matrix.org.
This is called reducing your attack surface.
Yes, but Matrix leaks way more metadata to other servers, negating more of the benefit of using a Swiss server compared to if you used XMPP for example.
Yes, but Matrix leaks way more metadata to other servers
FUD, Matrix doesn't leak any more data than XMPP in that regard. Admins of either service can know what rooms you're in and information about events such as time they were sent.
XMPP isn't any better in this regard.
Not FUD, Matrix syncs entire chats to all involved servers, unlike XMPP. This post explains and links to why Matrix does leak more data than XMPP in this regard.
Also, using the term FUD makes you seem stupid.
To me, the biggest problem with Matrix is that Synapse and Dendrite are both really heavy. I use an alternative server called Matrix Conduit that's more like an xmpp server in how light it is. Only problem then is that Conduit doesn't have that many resources so it's always a few steps back from Synapse or Dendrite.
synapse has gotten lighter, but its still heavy if you join a big room like HQ with a few thousand servers in and a complex state
Meh, I use it. I'll take it over Discord or Telegram any day. But I don't use it for anything that may be sensitive or anything involving IRL people.
It's leaky. I remember all media were uploaded unencrypted and available over https, I don't know if it is still like that. Lots and lots of metadata out in the open. To be searchable you have to give your phone number to a centralized service. The protocol is overly complex, all messages live on all servers of everyone involved in the conversation, lots of duplication, but ActivityPub is like that too and we are on Lemmy...
If I set my own stuff up, I prefer XMPP, and increasingly Simplex. If some project uses matrix, I have an account and will talk to them there.
Overall I'm not a fan, but I don't outright hate it.
You don't have to give them your phone number to be searchable, just use your matrix ID
Files in encrypted rooms are encrypted
Your not wrong about the metadata but xmpp leaks the same amount it just doesn't goto every server that has a user in the room
No, to be searchable by your friends you have to attach your matrix ID to your phone number and upload it to an identity server, which anyone can run of course but which is useless unless its the new vector identity server. It's a central database of verified matrix IDs.
you dont, users can find me just fine without sending my phone number to an idenity server, please stop spreading FUD
you have to attach your matrix ID to your phone number
Yes, this is FUD, it's not necessary, and entirely opt-in. Also you don't even need to connect to the identity server.
Yeah, you don't have to. But to be able to easily prove you are who you are to IRL people you will. And the decision tells you something about the product and protocol design.
what? no you dont and the founders have said they dont like them at all since they go against the core of matrix but they make alot of sense in businesses for an internal chat app
No you don't 🙂 DM your Matrix ID and I'll show you.
My main complaint about it is it just seems so resource heavy and complex for what it offers. It's nowhere near a viable alternative for Discord yet unless all you do is text chat.
Matrix has no resources. It's just a protocol. If you mean Element, and are signed up with matrix.org server, I would recommend choosing another server.
Its alright, but resource heavy, more complex, and leaks more metadata than XMPP.
leaks more metadata than XMPP
XMPP is not a private protocol either. In a lot of cases data is not E2EE, there is no reference clients and there's a mess of standards that very few if any clients fully implement.
The "lot of cases" you're referring is using XMPP without OMEMO enabled, which is a pretty moot point as anyone using XMPP for any sensitive purpose would enable this (and every client I've used clearly warns you your message content is unencrypted if this is disabled). Also, XMPP has better (imo) and more numerous clients than Matrix on every platform except iOS and MacOS (No better XMPP client than Element on these platforms).
I disagree that XMPP is a "mess of standards". XMPP is one standard, extremely minimal at its core, which is highly extensible. The issue you're talking about is that clients dont always support every XMPP feature, although they all support OMEMO.
I definitely prefer an extensible protocol to a much heavier, metadata-leaking, less-feasible to self host solution like Matrix.
you’re referring is using XMPP without OMEMO
OMEMO encrypts text messages for VOIP you need DTLS-SRTP encryption or Jingle session encryption. OMEMO has no concept of cross signing, ie one device being trusted and therefore the others either if they do an authentication with each other. Device verification has to be done each session which is a massive pain.
warns you your message content is unencrypted if this is disabled
The point is that Matrix 1:1 calls are always encrypted and soon with MSC3401: Native Group VoIP Signalling 1:many VOIP calls will be as well. Having foot guns about what might be encrypted or not in a client isn't very private at all.
Also, XMPP has better (imo) and more numerous clients than Matrix on every platform except iOS and MacOS (No better XMPP client than Element on these platforms).
I've used Nheko and that's pretty good. Last time I checked the XMPP clients that existed had a lot of rough edges and feature inconsistency.
I definitely prefer an extensible protocol to a much heavier, metadata-leaking, less-feasible to self host solution like Matrix.
That is definitely your opinion, Matrix has shown to be very feasible in a commercial sense as there are many providers and commercial clients using it, french, german government etc. There are also quite a few clients using EMS. They claim: "Matrix is an open network for secure, decentralised communication, connecting 80M+ users over 80K+ deployments."
Which is probably a lot more than XMPP.
Matrix really can be quite lightweight enough that it will be entirely possible to run a homeserver locally in WASM which is what the Matrix P2P project is about. https://arewep2pyet.com/ has more details about that. It's also possible to have very light Matrix servers Breaking the 100bps barrier with Matrix, meshsim & coap-proxy. The reason that a lot of public Matrix servers are quite "heavy" is because they have many numbers of users, and activity. Synapse has also made huge gains in this regard to what it was originally, and we know that Dendrite uses a lot less resources (that I've tested privately).
With RFC 9420 aka Messaging Layer Security (MLS) it should be entirely possible to have large E2EE rooms without too much of a performance hit. Matrix is also working on MLS: A giant leap forwards for encryption with MLS. They have a site tracking that: https://arewemlsyet.com/
The point is a lot of testing and thought goes into these things.
metadata-leaking
You're pretending XMPP doesn't have metadata between servers, it certainly does it's really no more private than Matrix.
This is what Matthew Hodgson (Arathorn) - CEO of Element had to say about it in March 13, 2022:
Talking of sloppiness, that hackea.org article is a huge steaming pile of FUD about Matrix.
For what it’s worth, the team who came up with Matrix was originally based in two separate startups: one in the UK doing VoIP, one in France doing mobile dev. Both got acquired by Amdocs in 2010, but we ended up forming an independent “incubated startup” first to build telco apps, and then we came up with the idea of Matrix in ~2013. We then built out Matrix until 2017 when Amdocs killed our funding, having run out of patience for what amounted to generous FOSS philanthropy.
We then set up New Vector (now Element) as an entirely independent UK/FR startup, and have received zero funding from Amdocs since. To be crystal clear: Amdocs has zero privileged influence or control over Matrix (or Element, for that matter), and has zero access to the Matrix servers we operate as Element. And besides - the whole point of Matrix is that you can and should run your own servers so you can pick who to trust, even if you don’t trust the project itself.
You are correct about a lack of standardized VOIP encryption, I hadnt thought of that as I never make calls using XMPP.
I was talking about individuals self hosting XMPP, not organizations. And I would imagine its much more popular for organizations to host XMPP servers, as government agencies and business already have been since the early 2000s.
As for the metadata leaking, while metadata is obviously available to the admins of the servers you and you recipient are using, these chat histories are not synced in their entirely, and not to other instances. Is this not the same in Matrix, except that the metadata is more freely shared between servers?
Either way, SimpleX chat addresses most of Matrix and XMPP's shortcomings, I hope it can one day replace them.
As for the metadata leaking, while metadata is obviously available to the admins of the servers you and you recipient are using, these chat histories are not synced in their entirely,
Maybe so, but for a public room it really means nothing because they could just join it anyway. Every client has a copy. The point is neither system has deniability in terms of "I was never talking to this person". I do think there is more utility in Matrix's future with P2P accounts however, that don't depend on a single Matrix server and can be rotated. Anything you aim to be anonymous with should be regularly rotating accounts as we suggest. Take a look at XMPP: Admin-in-the-middle. Admins can get more than enough.
SimpleX chat addresses most of Matrix and XMPP’s shortcomings
Except there is no desktop client, and I'm not sure how it will work at scale. It does not have anywhere near the feature set of Matrix. The whole "spaces" thing is the beginning and I suspect they'll be doing a lot more there, specifically: "Spaces effectively gives us a way of creating a global decentralised filesystem hierarchy on top of Matrix".
I hope it can one day replace them.
I honestly doubt that will ever happen they aren't really competing products. Matrix is really meant for large scale networks, a bit like a whole social media platform, whereas SimpleX is more like a competitor to Signal or Session.
I would like to see Decentralised user accounts and I think they may be still looking at this because it would be nice to be able import your account somewhere else if a home server you're on shuts down or something.
I would prefer session but messages aren't reliable. They can come late or out of order, if the core functionality makes you trouble you can't make convince other people to use it.
In the digital age, protecting your personal information might seem like an impossible task. We’re here to help.
This is a community for sharing news about privacy, posting information about cool privacy tools and services, and getting advice about your privacy journey.
You can subscribe to this community from any Kbin or Lemmy instance:
Check out our website at privacyguides.org before asking your questions here. We've tried answering the common questions and recommendations there!
Want to get involved? The website is open-source on GitHub, and your help would be appreciated!
This community is the "official" Privacy Guides community on Lemmy, which can be verified here. Other "Privacy Guides" communities on other Lemmy servers are not moderated by this team or associated with the website.
Moderation Rules:
Additional Resources: