Michał "rysiek" Woźniak · 🇺🇦

@m you might want to double check on Matrix though:
soatok.blog/2024/08/14/securit

Matrix is a decent IRC replacement, but a secure messenger it is not. I've always felt that encryption was bolted-on as an afterthought in it and that that will lead to tears, and as time goes by I get more and more proof of this.

Mia🏳️‍⚧️🌸(too hot for you)💋

@rysiek

I have recently and my experience was quite shitty and it is so bad that i cannot use it.

I posted about it a bit, the only thing that somewhat remotely is usable for me is FluffyChat and they do not support a lot of great accessibility stuff i want, like voice messages that you can convert to text easily, send quick videos, send your location for the next hour or have a "send without sound/ send when online" features.
And somehow it seems super slow in comparison with Telegram.

Michał "rysiek" Woźniak · 🇺🇦

@m yeah, the whole encrypted IM space is and has always been a clusterfsck. Sigh. :sad_cat:

FediThing 🏳️‍🌈

@rysiek @m

What do you think about XMPP with OMEMO?

Would be nice to have a decentralised alternative to Signal.

Mia🏳️‍⚧️🌸(too hot for you)💋

@FediThing @rysiek

I _love_ XMPP, I've run a long time an ejabberd server and it was really my favorite until now.

Especially this stuff is _fast_ and the extension system is just technically awesome.

_but_ no one uses it (ik ik WhatsApp but let's be real here, this is not XMPP as in "i use XMPP for IM")
and sadly the extension system makes it so complicated that no one has a real idea what is going on, has problems with writing others and is excessively complicated for wide adaption.

FediThing 🏳️‍🌈

@m @rysiek

So, if XMPP had more people using it, and it was easier to sign up, there's nothing fundamentally wrong with it?

Mia🏳️‍⚧️🌸(too hot for you)💋

@FediThing @rysiek

From a technical standpoint this is correct, if ppl would use the right Extensions as a collective minimum, but this will just not be the case until ejabberd etc. that these Extensions are the minimum and that they will not communicate with anything that has less.

And there is still the problems with clients, which would need to become really good for sticker (packs), voice messages, gifs, many images and videos and good search.

The XMPP clients i used back then were really fast and i liked them a lot to write with 3 friends and a bunch of bots but i think today, since facebook messenger, telegram and snapchat this is just no option anymore for it to be widely adapted.

FediThing 🏳️‍🌈

@m

I've been playing around with Snikket as a potential way to get more people trying XMPP. Have you any views on it?

For what it's worth, the default Snikket app has OMEMO on by default, voice/video calls and voice messages, plus image/document/location attachments, but it doesn't have stickers or GIF pickers.

Michał "rysiek" Woźniak · 🇺🇦

@FediThing @m I don't have strong opinions on it other than when I tried XMPP the usability was always an issue.

I know there are projects like Snikket that made great strides on this front though.

jenkinse

@FediThing @rysiek @m @xarvos

Besides Matrix, another decentralized alternative to Signal with no phone number required is Delta Chat (as mentioned by others here like @kkarhan and @andrewg). It won't support all of the same features (but it does support some features which Matrix doesn't provide, like disappearing messages) and it should be easy to sync messages between devices. Downstream Delta Lab supports Telegram stickers.

🚲

@rysiek @m imho matrix is still better than telegram in this respect, and if not using a phone number or not having (latest) android/ios phone is important then i don’t know if there’s better choice.

(i know about jami and briar, but they fill a different niche and syncing messages between devices seems a hassle, if possible at all)

Arcane Alchemist

@rysiek @m Apparently, these issues were already known and not considered to be serious, which is why they remained.

mastodon.social/@krille@troet.

PS: If the issues were as basic and far-reaching as the blog insinuates, why are multiple countries using Matrix for their military and administration?

Michał "rysiek" Woźniak · 🇺🇦

@ArcaneAlchemist it's not "some blog", Soatok is a solid security researcher. Ignore his insight at your own peril.

Also, did you really just argue that surely a certain solution is perfectly fine because nation states use it? Really? :blob0w0:

Because that would make Microsoft Teams by far the best communication solution in the world.

@m

Arcane Alchemist

@rysiek @m I'm judging it as a "blog" because of the style of language and the disclaimer at the beginning. I'm not saying Matrix is perfect, but considering that (at least Germany) is actively contributing to it, I expect that they also have experienced security researchers looking at the codebase. To use your argument, why go through all that effort if they could have just used WebEx and Teams? Arguing that the devs and auditors are all incompetent is a bit far fetched, don't you think?

Michał "rysiek" Woźniak · 🇺🇦

@ArcaneAlchemist I am not arguing that "devs and auditors are all incompetent", please kindly refrain from putting words in my mouth.

People miss things all the time. The fact that A Large Organization or State is using a given tool does not necessarily mean they audited it. And even if they have, it doesn't mean there are no security issues.

I linked to a specific piece of information on specific security issues found by a good security researcher. Do what you will with that info. 🤷‍♀️

@m

Arcane Alchemist

@rysiek @m I was referencing what was written in the blog, where he explicitly warns against using Matrix and repeatedly questions the developers' competence.

Kevin Karhan :verified:

@rysiek @m I've yet to see #Matrix be better than #IRC.

If you need "closed" group chats, consider @zulip as an alternative. OFC it doesn't do encryption, but that's not the focus of #Zulip.

Not sure if @delta does "#E2EE group chats" but I'm certain that if one needs security, E2EE and Group Chats are somewhat exclusionary as part of #OpSec, #InfoSec & #ComSec best-practices go.

- Tho OFC one can use #PGP/MIME and thus E2EE all messages to all recipients i.e. using #Thunderbird.

As for a "secure yet convenient solution" I can recommend #XMPP+#OMEMO with @monocles / #monoclesChat and @gajim / #Gajim...

Kevin Karhan :verified:

@andrewg @rysiek @m @zulip @delta @monocles @gajim

That's good to hear...

And since #deltaChat uses regular #IMAP + #SMTP it doesn't require "yet another #server" but merely a new inbox / address to be setup...

jenkinse

@kkarhan @andrewg

While there are reasons why you might want to create a new inbox / address just to use for Delta Chat, this is not a requirement! You can use an existing inbox / address as a dual use traditional email / delta chat address. And if you want to keep your inbox free of clutter, you can tell Delta Chat to automatically delete messages from the server after downloading them, or use a filter to automatically move emails sent by Delta Chat to a separate folder on the server.
