29 comments

[ 3.0 ms ] story [ 77.2 ms ] thread
Hey, that’s my project! Thanks for the link.

We’re working on figuring out some sort of compatibility with MinesTRIX btw.

In a healthy social ecosystem, there would be multiple interoperating clients AND servers.

Awesome, this is the culture that we need more of
What is your plans on discoverability, how will users discover each other?
If you're privacy focused, do not use matrix… The amount of metadata it leaks is astonishing.
Could you elaborate or link something, I'm interested as I thought it was fairly good.
It has stuff like E2E encryption, but that essentially just works on the message contents. Who sends messages where is visible to any server owner that receives the data (basically: host of the user account or room, or any public room). (there may be wrinkles to this, but in a broad sense it matches Matrix's metadata exposure)

Which makes it pretty much exactly the same as, e.g., XMPP. Or nearly[1] any federated chat system, past, present, or future. It's not privacy-oriented, by design, because privacy oriented and able to connect N independent implementations which are able to protect themselves from abuse are almost completely at odds with each other.

In that sense: yes, it's a privacy disaster. It is not and never will be Signal. But in another sense, no, it's just what happens when you build a usable federated chat system - convenience costs privacy. There are "free" and "cheap" ways they could improve it, and some improvements have been trickling steadily, but the fundamental feature-set prevents it from ever being what most privacy people would call "good".

[1]: there are some exceptions, but generally speaking they are making extreme tradeoffs somewhere. E.g. inability to stop spammers because you can't see senders -> no large hosts will ever exist because it'll hemorrhage money, so it's practically just a P2P network. Some of which do have interesting privacy feature-sets, but often suffer with discoverability and connection reliability.

No large hosts is by design. Too many digital eggs in one digital basket is everything that's wrong with SaaS these days.
Which exposes you to greater complexity in combating abuse, and greater difficulty in discovery.

I agree entirely, and I really like the fine-grained "part P2P part federated" stuff that's growing more and more popular, but it's not a zero-cost thing to do. And it's not just a "oh, well, the code's a bit more complex" cost, the user experience will be unavoidably more complex as number of hosts increases, as they now need to select one in order to enter the ecosystem... but they're outsiders, how do they make an informed choice?

Abuse is something that there's work being done over: https://matrix.org/blog/2020/10/19/combating-abuse-in-matrix...

I disagree re discovery, it's working-as-intended. It's got better discovery than say email, at least there are actually identity servers for people who wish to use them, and can work with both phone numbers and email addresses.

Non-publicly-addressable accounts are excellent, that's why the EU gov, military, healthcare and emergency services are using Matrix protocol versus say WhatsApp.

People can host their own node right now, and that's encouraged rather than joining Matrix.org or a paid Matrix provider. 60m+ publicly-addressable accounts on Matrix thus far. A Raspberry Pi starts at the price of lunch.

However, going forward, there's work being done to have on-device lite servers, eliminating the need for a third-party server to send/receive messages. These can even work P2P via BLE, meaning connectivity in areas of natural disaster, warzones, and political unrest where an oppressive government or invading force may disable the internet.

That post on abuse is a good example of what I mean, tbh. It's proposing a tagged reputation system.

That means users choosing and updating tags, service-owners choosing and updating tags and taggers, taggers having to follow[1] purposes of tags and changing purposes of tags, eventually mime-type-like things for better specificity and disambiguation, etc. There is absolutely no way that that is a better non-technical / non-deeply-invested user experience than "the company checks on and deletes violating stuff for me so I don't see it".

I generally like it, reputation systems are a reasonable option for nearly everything in a federated or P2P system, and they're wonderfully flexible. But they're not simple. Any time you choose reputation, you're depending on a manually-selected pool of trusted actors (at the very least for bootstrapping), or putting highly-technical expectations on users. You can reduce the impact (significantly) with good UX, but you can't truly remove it.

[1]: or abuse! abuse of abuse-management systems is a huge problem.

I think the interesting aspect to me is how so many on here complain about Signal in comparison to Matrix in the context of one-on-one or small group chats. How federization makes Matrix "more secure", but I think meta data is probably more important at this point. (Still excited to see Matrix grow, but this is clearly an issue that needs to be resolved)
Different tools for different tasks.

Is the security and privacy provided by Matrix fit-for-purpose for the EU gov, healthcare, military and emergency services? Yes.

Is it fit-for-purpose for those with nefarious intent, or those who might be the victim of an oppressive regime? "It depends".

If two people are talking on a single Matrix server that they control, it's absolutely whatever as far as metadata goes.

Element using Matrix protocol to make a Slack-like/Teams-like/WhatsApp-like? Absolutely fit-for-purpose. We've used it every day for over a year for business. I've even bridged in WhatsApp, Facebook Messenger, Discord et al to not need anything but Element as a comms app on any of my devices. I separate them by "Spaces".

In the real world, very few people need ever worry about metadata.

Yeah, for Slack/Discord-like purposes, it's entirely reasonable I think. There are of course low-hanging fruit worth grabbing, but "tons of metadata all the time" is absolutely the normal expectation for a system like that. By being federated, Matrix is already noticeably better in most ways.

Anything better is achieved through massive effort and often novel research. Which is wonderful when it happens, but it's not reasonable to point to existing systems and say "how dare you [not do that thing nobody knows how to do yet / nobody has demonstrated scales to real-world use]".

> Different tools for different tasks.

Honestly this is how I see it, with the exact same split. Matrix = slack/teams and Signal = text messages/messenger/whatsapp. But I've seen quite a lot of passionate responses about how this comparison is naive because Matrix is a protocol and pointing to Element.

> In the real world, very few people need ever worry about metadata.

I disagree. Personally I'm not a fan of surveillance capitalism. Rather I think that people don't understand the importance of their data and how powerful it is.

Just the stuff from your user agent that shows up under device details is not good.
Please link to an explanation of this. I really want to see Matrix do well, but if there are security problems, of security rumours persist, it loses its appeal quickly.
Why bother? Arathorn and his fanboys will come out of the woodwork to shit on the author of any such piece as soon as it's posted.

Just Google Matrix and privacy and there are all sorts of things that come up.

The matrix.to links, the default identity server that was eventually removed after Arathorn personally gaslit me on this website about its existence (why did the bad default to use matrix.org as an identity server need to be removed if it wasn't a problem, hmm?)

I mean the real question is: do you want to use a distributed database for chat? If you love waiting forty minutes to join a channel on another server, Matrix is for you!

I currently use a Matrix server with two other people and I love telling them "I'm going to join a channel on the matrix.org flagship server, so nobody will be able to send messages for an hour or so."

Meanwhile I'm using a different chat product on the same server and it works fine while Synapse plugs away at.. uh.. joining a public channel.

I've gotten off topic.

Point is, Matrix is terrible, but thanks to the sunk cost fallacy people are still pushing it. Stuff like the OP prove to me that the basic failures I've seen in UX with Matrix stem back to a spec that is too large and makes it possible to do too many things that aren't chat, to the detriment of the chat features.

Hell, I once witnessed an hours long shouting match in the Synapse Admins channel on the matrix.org homeserver about whether or not Matrix was a chat protocol or not, because it does so much more -- and this argument was between very involved community members/contributors!

Maybe, just maybe, we'd be better off using a protocol for chat that knows what kind of protocol it is?

>hours long shouting match

doubt it, those mods are extremely trigger happy and ban anyone who even thinks about complaining, same for their libera IRC room.

Security and privacy are not the same thing.

Look up the difference. Metadata is not a matter of security, it is a matter of privacy.

I think you may need to look up how the terms relate. If your loss of privacy reduces your security (eg. exposing that your phone uses a banned app or that you are talking with a state enemy), the difference becomes meaningless.
The metadata that Matrix “leaks” is the timing, size, sender and recipients of messages, which is exposed only to the servers participating in a given chatroom. Same as PGP encrypted email, or OMEMO encrypted XMPP. Matrix also doesn’t encrypt emoji reactions or room key/value data yet.

Meanwhile Signal exposes the timing, size, and recipients of messages to the server (complete with their phone number!) - just not the sender, thanks to sealed sender.

Whether you consider Matrix’s metadata footprint a privacy problem depends on your threat model. Meanwhile we’re working on P2P Matrix (arewep2pyet.com) to obfuscate the metadata to be better than Signal (given ideally it never needs a server, and if it does, it goes via obfuscated store & forward relays).

This is great! The more applications and systems that are created leveraging the matrix protocol, the more that the world can learn and benefit from secure, decentralized (or at least federated) options for communications (not just chat). Kudos to the creators of MinesTRIX!
With that name? And the capitalization? This isn't to sound catty.
I'm not into Facebook, but I could see this gaining a lot of traction. Extremely impressive.