But if for you the matrix vector behavior of knowingly implementing the protocol with centrally accessible data tracks is not questionable, and doesn’t make you look for alternatives, matrix is still not the only way to improve FOSS messengers, there are other alternatives to support for improving a privacy-respecting protocol for sure.
Ah yes, good old projection. I’ve actually spent time this week prior to this conversation helping work on a thatoneprivacysite color chart equivalent for messengers for our Monero community for reference for events like DEF CON, and have contributed to Chatty localization since Februrary but yes, please tell me more about how I don’t look for messenger alternatives because Matrix exists.
Yes, hence why I said:
Surely at least Chatty should be non-controversial given
The grand irony to me is that despite all of the messenger virtue signalling by pro-Grid folk here and on PTIO, the Grid project uses Telegram of all things in addition to Matrix so apparently the Grid project has no major issues with Matrix policy either.
I have no problem with Grid Protocol itself if only because there is quite literally no PoC to audit according to Grid’s taskboard. As I said before, if and when they get something that actually works then people can better contribute. Until then, people who contribute to FOSS are likely going to be focused on contributing to stuff that actually exists and is used in the wild such as privacy interested governments like France ¯\(ツ)/¯
At this point to distinguish myself from a broken record, I’ll disengage myself from any Grid virtual signalling conversation.
Sorry, don’t jump to projecting things. I didn’t want to, nor did I say, anybody isn’t looking for messenger alternatives, I just missed any trace of this in your preceding messages. So, everything is fine actually, if the if-clause sentence that I actually wrote above resolves to the false case, and you are looking and actually telling us about the alternatives you found.
Another fully-featured protocol alternative, with existing clients, may be http://goldbug.sourceforge.net/
(A simplified UI version seems missing, for example, the clients look as for power users, hackers, and academics.)
Interestingly, France taking interest in matrix was based on the knowledge and matrix pitch of 2017, and coincidentally or not, now the “1.0 seriously?” matrix research is coming out of libremonde.org (french language).
Matrix project lead here. I missed this thread at the time, but wanted to briefly respond to some of the themes raised:
Matrix has zero interest in tracking users (other than UX analytics in Riot for those who opt in), and you do not need any centralised service to use Matrix.
One of the main complaints that the libremonde paper raised is that the default config in Riot uses an Identity Server (used to discover other users on Matrix based on email/phone number) and Integration Manager run by New Vector, the company which develops Riot. However, these services are optional, and you can configure the app not to use them.
Subsequently, we’ve been going through rearchitecting Riot, Integration Managers & Identity Servers to only prompt to use these services on demand - making it abundantly clear to the user that they can opt out, or use an alternative, and to ensure they accept the service’s terms of use.
We’ve also been working through a load of other privacy improvements (e.g. garbage collecting deleted data properly; hashing contacts when doing discovery; letting users & admins specify data retention periods for rooms; prompting the user before using Google as a fallback TURN server; etc. etc).
^ is the main description of the work we’ve been doing here, and you can see a snapshot of the current progress (as of today; it doesn’t update so will already be stale) at https://matrix.org/~matthew/privacy-sprint.html.
It’s worth considering that the libremonde paper was written by a disaffected ex-contributor to Matrix, and while it contains some legitimate concerns which we’ve addressed (or are addressing), it makes no attempt to provide a balanced viewpoint.
Thanks a lot!
That’s about what I got from reading your updates, but it’s good to hear it from you directly in all clarity.
While we have you here, are you able to share the current state regarding Matrix on the Librem 5?
I’d love to point it out in the Promise Delivery Chart
Purism hasn’t really coordinated with the core Matrix team (or the Matrix.org Foundation) on shipping Matrix on the Librem5 beyond the initial press release. To the best of my knowledge, they are shipping a build of Fractal: a Gtk/Rust client built by the wider FOSS community. However, to get Fractal to do everything that’s needed for the Librem5 is a significant amount of work. Unfortunately the Matrix core team hasn’t received any funding to work on this, and we can’t donate time as building a mobile linux app for Purism’s usage would come at the expense of other much more core Matrix work (e.g. turning on E2E by default; addressing the privacy complaints earlier in this thread; improving server stability/scalability; etc). I’m not sure how much support the Fractal team themselves has received to do what’s needed.
I find that very often the less popular instant messengers are the safest. Since the more popular messengers have no longer proven their safety. There are too many stories of cyber attacks on users. Therefore, it may be worth looking for not very well-known messengers, like Utopia p2p.
In a practical sense, maybe, but isn’t that security through obscurity?
A niche product may not have been audited by anyone (unless you audited it yourself).
The other consideration is whether you can communicate with the people that you want to communicate with. (This is a question of the server and/or the network and/or the infrastructure. It doesn’t matter for the purposes of this paragraph what client software you use.) If you can only talk to yourself, but in perfect privacy, then it may be pointless.
This “critical mass” effect is a serious issue. Fragmentation is both a good thing and a bad thing, good because it avoids a single point of failure (single target), bad because no network gets critical mass and most people can’t communicate with most other people. (It is true that people will try to use bridges to workaround this issue but that muddies the water around privacy and attacks. A bridge can bring the problems of one network to another network.)
Hmm, I disagree that absolutely all unpopular messengers are safe. But if we talk about the Utopia p2p application - yes, this decentralized ecosystem does not require any personal data at all, as far as I know. Therefore, it can be considered safe.
It is not really obscurity if the source code is available. I would say that its more security by rarity. The biggest platforms are usually the ones targeted by most attackers since the payoff succeeding is larger. Small platforms may not attract that much attention from attackers.
Yes, despite being closed source, I still think this app is worthy of user attention. The only disappointment is the lack of a mobile version, I hope the developers will think about it.
Wait a minute, are you discribing this https://utopia-ecosystem.com/ one right now? My colleague has been using some kind of utopia for a long time, and if everything fits together, then I will definitely install it for myself, too. So far, I’ve only heard good things about this app.
Matrix is still a cluster, and that is not referencing chatty, which is seeing some good improvements. I mean that the state of the Matrix protocol and development efforts is still just a mess, with a lot of outstanding issues, and funding issues.
Meanwhile, XMPP is going strong, and getting stronger with initiatives like Snikket helping to fix the remaining weakspots (which is really just a quality iOS client). XMPP is federated by default, very similar to your email address. It has robust validated e2e encryption (OMEMO), and it is lightweight to the max, which is a sign of competent design and development. It can do everything that Purism needs from Matrix as well.
I think it would make a lot of sense to focus efforts on XMPP instead of Matrix at this point.
So I have been running a synapse server for the past 2+ weeks, and walking back some of my comments above. I am not changing my mind that I think Matrix should have just worked to improve XMPP and turn it into everything, BUT it is awesome to see the progress that the matrix folks are making. All the stuff planned for Matrix 2.0 seems pretty awesome.
Also my own server is running great and handling things well. It is NO WHERE near as efficient as the Prosody server I am running as well, but I am content.
The Element X client is going to be pretty great as well.
Still love XMPP and think it would have made more sense, but really digging Matrix as well at the moment.
If we compare to the service with closest features:
Any other messenger has (as far as I know) not the same feature set with streaming desktop for example. Alone for that reason I’m happy that matrix exists, even if it’s not perfect.
Edit:
Also seams that not every point is fair:
We may share your information when working with our suppliers in order to provide the Service.
That is something (if I understand correctly) that depends on different home servers that share data with other home servers of same chat room to enable communication and stability.
One thing that I like about XMPP, that is specific to the Android app, Conversations, is that it makes a local copy of all your conversations. This is good because if the server goes down, or is turned off, you still at least have a copy of all the stuff that is on your phone.
Other services, if you can’t log in, you can’t access the data.
As far as I know (also a point I edit in post above) of matrix is, that you have access to the files if 2 home servers are involved and one went down. Your local copy doesn’t help you with different devices. So matrix was designed with different devices in mind.
If we think bigger, we can create company networks with matrix and using more than 1 homeserver - if one goes down, other home servers will stay alive.
XMPP and matrix address the same problem in different ways with different pros and cons.
Sorry for double posting, but @Tonyp: Why is Tor Browser classified as “privacy C” (Firefox is B)? Just wanna say we should take this website with care.