this post was submitted on 16 Jun 2023
118 points (100.0% liked)

Free and Open Source Software

17971 readers
54 users here now

If it's free and open source and it's also software, it can be discussed here. Subcommunity of Technology.


This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 1 points 1 year ago (2 children)

Meh, signal seems like a worse version of matrix to me, is there any reason to prefer it?

[–] [email protected] 3 points 1 year ago (1 children)

It is just closer to WhatsApp. What Matrix does, especially with regards to enabling true multi-device support, is quite complex overall and sometimes causes issues with keys for decrypting messages not arriving on all devices. Signal is more limited but it just works a lot better. Small but important extra: Signal supports fully encrypted voice and video chats.

Full disclosure: I personally also prefer Matrix because I use it with multiple devices. I don't want to install desktop apps for these services and Element runs in the browser while Signal does not.

[–] [email protected] 4 points 1 year ago (1 children)

Ah, so, what it really seems to come down to is that since it's centralized, it's easier to make it work for everyone, no?

[–] [email protected] 0 points 1 year ago (1 children)

Being centralized isn't the only reason, but basically yes. The concept behind the protocol is simpler because your decryption keys only ever live on one device. You don't really have the entire trust (and key sharing) model for devices that Matrix has. Signal's desktop app works very similarly to WhatsApp where your single main device needs to be connected at least intermittently for "guest" sessions to be able to send and receive messages. I haven't used Signal desktop though, that was just the impression I got from it. Would make sense though because WhatsApp is allegedly borrowing from Signal's protocol quite a bit.

[–] [email protected] 2 points 1 year ago

You don't need your main device connected to send/receive on the Signal desktop app.

[–] [email protected] 3 points 1 year ago

Well for one thing matrix clients on mobile are...not the best. Element X is looking promising, but it's currently still in beta. Element misorders messages and crashes often, and most other clients are not as feature complete. Whereas in my experience Signal tends to just work. Plus for the average person it makes for a dead simple drop in replacement to WhatsApp or iMessage. Yes, the phone number requirement has led to issues with governments just blocking the sign up SMSes, but that is a tradeoff they make for convenience.

Matrix also leaks more metadata in comparison to Signal (this is just how decentralization works). Not to mention that the recent vulnerabilities seem to suggest (in my opinion at least) that matrix cryptography is not as battle tested as the Signal protocol.

Besides the observed implementation and specification errors, these vulnerabilities highlight a lack of a unified and formal approach to security guarantees in Matrix. Rather, the specification and its implementations seem to have grown “organically” with new sub-protocols adding new functionalities and thus inadvertently subverting the security guarantees of the core protocol. This suggests that, besides fixing the specific vulnerabilities reported here, the Matrix/Megolm specification will need to receive a formal security analysis to establish confidence in the design.

Real world example: The university I study at promoted matrix as a way for students to chat at the start of the semester, and pushed them to use Element. Practically no one uses it, but I've met a few people who do chat with Signal.