Comment on What are your opinions on Matrix?
dngray@lemmy.one 11 months agoleaks more metadata than XMPP
XMPP is not a private protocol either. In a lot of cases data is not E2EE, there is no reference clients and there’s a mess of standards that very few if any clients fully implement.
amanneedsamaid@sopuli.xyz 11 months ago
The “lot of cases” you’re referring is using XMPP without OMEMO enabled, which is a pretty moot point as anyone using XMPP for any sensitive purpose would enable this (and every client I’ve used clearly warns you your message content is unencrypted if this is disabled). Also, XMPP has better (imo) and more numerous clients than Matrix on every platform except iOS and MacOS (No better XMPP client than Element on these platforms).
I disagree that XMPP is a “mess of standards”. XMPP is one standard, extremely minimal at its core, which is highly extensible. The issue you’re talking about is that clients dont always support every XMPP feature, although they all support OMEMO.
I definitely prefer an extensible protocol to a much heavier, metadata-leaking, less-feasible to self host solution like Matrix.
dngray@lemmy.one 11 months ago
OMEMO encrypts text messages for VOIP you need DTLS-SRTP encryption or Jingle session encryption.
The point is that Matrix 1:1 calls are always encrypted and soon with MSC3401: Native Group VoIP Signalling group VOIP calls will be as well. (still in beta. Having foot guns about what might be encrypted or not in a client isn’t very private at all.
I’ve used Nheko and that’s pretty good. Last time I checked the XMPP clients that existed had a lot of rough edges.
That is definitely your opinion, Matrix has shown to be very feasible in a commercial sense as there are many providers and commercial clients using it, french government, german government etc. Matrix really can be quite lightweight enough that it will be entirely possible to run a homeserver locally in WASM which is what the Matrix P2P project is about. arewep2pyet.com has more details about that.
The point is a lot of testing and thought goes into these things.
You’re pretending XMPP doesn’t have metadata between servers, it certainly does.
amanneedsamaid@sopuli.xyz 11 months ago
You are correct about a lack of standardized VOIP encryption, I hadnt thought of that as I never make calls using XMPP.
I was talking about individuals self hosting XMPP, not organizations. And I would imagine its much more popular for organizations to host XMPP servers, as government agencies and business already have been since the early 2000s.
As for the metadata leaking, while metadata is obviously available to the admins of the servers you and you recipient are using, these chat histories are not synced in their entirely, and not to other instances. Is this not the same in Matrix, except that the metadata is more freely shared between servers?
Either way, SimpleX chat addresses most of Matrix and XMPP’s shortcomings, I hope it can one day replace them.
dngray@lemmy.one 11 months ago
Maybe so, but for a public room it really means nothing because they could just join it anyway. Every client has a copy. The point is neither system has deniability in terms of “I was never talking to this person”. I do think there is more utility in Matrix’s future with P2P accounts however, that don’t depend on a single Matrix server and can be rotated. Anything you aim to be anonymous with should be regularly rotating accounts as we suggest. Take a look at XMPP: Admin-in-the-middle. Admins can get more than enough.
Except there is no desktop client, and I’m not sure how it will work at scale. It does not have anywhere near the feature set of Matrix. The whole “spaces” thing is the beginning and I suspect they’ll be doing a lot more there, specifically: “Spaces effectively gives us a way of creating a global decentralised filesystem hierarchy on top of Matrix”.
I honestly doubt that will ever happen they aren’t really competing products. Matrix is really meant for large scale networks, a bit like a whole social media platform, whereas SimpleX is more like a competitor to Signal or Session.
I would like to see Decentralised user accounts and I think they may be still looking at this because it would be nice to be able import your account somewhere else if a home server you’re on shuts down or something.