Giving Up on Element & Matrix.org
Giving Up on Element & Matrix.org
The Matrix.org network has great potential, but after years of dealing with glitches, slow performance, poor UX, and one too many failures, I’m done with it.
You're viewing a single thread.
The protocol is bloated to hell so third-party clients stand no chance, and the foundation spends more time bikeshedding or pissing away money than they do developing. It's a doomed project.
You can interact with Matrix server through basic curl commands... and I thought the documentation was pretty good. There are plenty of third-party clients.
Sure, E2EE, keys and cross-signing is not trivial, but I don't know where it is.
I didn't imply that you can't strip the protocol down to its bare essentials and still use it, but what's the point of a protocol if everyone is on their own personalized version of it? Version / Feature fragmentation is a massive problem and basically none of the third party clients are up to snuff. Synapse is a massive bowl of lukewarm dog water, and most alternatives to it die in a year because it's impossible to keep up. There's too much shit in the protocol.
What specific version/feature fragmentation and clients are you referring to? As is common now, newer Synapse drops support for older Postgres (for example). Voice and video calls is the only feature that I can think of that is half-assed in Element/ElementX or not implemented in some clients.
Otherwise, Element, Element X, FluffyChat, Fractal, freaking Cinny on Ubuntu Touch (!), and terminal-based gomuks all support basic functionality, DMs, rooms, encryption, and attachments.
So what's left? Jabber?
Slrpnk hosts an XMPP/Jabber for our users, mods and admins to communicate. Its worked pretty darn well for the past couple years, with very low resource needs.
The clients are pretty slick now too, such as Cheogram or Monocles for mobile, and movim is an excellent web app with support for group calls.
I'd certainly recommend it over Matrix/element.
The clients are pretty slick now too, such as Cheogram or Monocles
I wouldn't call either of those, or any other XMPP clients "slick" and it's my biggest complaint about the protocol.
What would make them slick?
Not to mention you can run a server on anything pretty much and for surprisingly big amount of users. Toaster or potatoes will do just fine.
What's the protection in the clients assuming compromised infrastructure, like e.g. in https://notes.valdikss.org.ru/jabber.ru-mitm/ ?
Significant improvements to certificate pinning and validation have been added to all major XMPP clients as a result of this incident, but it should also be clear that hosting a server on infrastructure under control by an antagonist government (see also Signal) is a very bad idea and hard to mitigate against.
Signal is under control by the government? 🤔
Their server infrastructure is (run by Pentagon and NSA best buddies AWS).
And that means the government controls it?
The infrastructure is under control of an antagonistic government, yes. Hetzner is also technically a private company, but they obviously willingly complied with requests from the German government.
And what are the implications of that control? It doesn't mean they can access anything on it. Especially not data that doesn't exist.
They have live access to all of the metadata and can easily correlate that with phone numbers that Signal stores and shares on request of governments. Just because Signal claims they don't store anything doesn't mean that the ones that 100% run all the servers Signal uses don't access and store anything. You are being extremely naive if you believe Signals BS marketing.
End to end encryption between clients (also for groups) seems to partly address the issue of a bad server. As for self-hosting, any rented or cloud sevices are very vulnerable to an evil maid. So either in-house hosting or locked cages with tamper-proof hardware remain an option.
I'm afraid that's quite outside my field of expertise. I can only report how my experience on XMPP has been as a user, though perhaps @poVoq@slrpnk.net, who hosts it, may be able to weigh in on that. Edit: ah, I see you already have 😄
Though from my untrained eye, it seems that Jabber.ru was compromised due to not enabling a particular feature on their server
"Channel binding" is a feature in XMPP which can detect a MiTM even if the interceptor present a valid certificate. Both the client and the server must support SCRAM PLUS authentication mechanisms for this to work. Unfortunately this was not active on jabber.ru at the time of the attack.
And it seems that hosting it externally on paid hosting service (hetzner and linode) left them particularly vulnerable to this attack, and tgat it could've been mitigated by self hosting the XMPP locally, as well as activating that feature.
Back to IRC we go...
It is entirely insecure.
The argument has always been, if when chat rooms are public, anyone can join and start logging the chats, encryption does nothing.
It has the ability to connect over TLS, but that's about it.
I loved using it for its simplicity, except when using all the different flavours of nick registration (Q, NickServ, ...).
There is some nuance here. It would be nice to not have your identity publicly linked to your IP address, which is not always the default on IRC.
That's the main privacy concern I know about I guess.
My friends created a telegram group and invited in a couple of bots that do stupid things like posting images or vulgarities when they detect certain words, or perform actions on request.
I tried to convince them to get rid of the bots but they're in the "we have nothing to hide" camp.
Not when the entirety of your conversations are jargon and in-jokes!
/s
Define secure. You can run your own network.
Depends what your goal is. Revolt seems pretty cool, but I don't think it has any kind of encryption. It is based in Europe, though, so it gets GDPR protection, and it's open source, so it could be forked to fit other needs and uses.
No, Revolt checks neither of my boxes unfortunately.
What about delta?