Using Matrix as-is out of the box is relatively secure, but you need to be aware that a lot of metadata ends up on the servers of a UK-based, for-profit, venture-capital-funded company (New Vector).
Using 3rd party clients should really be encouraged.
Metadata is not encrypted as per the Matrix protocol; it's not the client's fault.
Would it even be possible to encrypt some basic metadata? I doubt that.
What kind of metadata are we talking about?
Thanks for the link. Will be reading it
XMPP encrypts everything, metadata included.
It's not easy and makes the protocol really hard to implement, but it is possible.
🤔 That does seem to be the case; maybe I was thinking of Signal (it truly encrypts all metadata).
Getting end-to-end encryption to work seamlessly is difficult on XMPP, and you would end up not secure. Matrix does have very good defaults and has e2ee enabled by default. It also has a different passphrase to decrypt history if you need to change the device.
Edit: typo.
Corrected the sentence. I last used XMPP with Conversations on mobile and Movim on the web about 3 to 4 years ago. Many of my contacts had a hard time enabling e2ee. I had to visit them to walk them through the trust process. Otherwise, they would just see scrambled text.
I use Monocles Chat, a fork of blabber.im, which is a fork of Conversations.
OMEMO encryption works by default, and (for me) was a little bit more seamless than setting it up for Element.
Element has a slightly awkward “verification” process, and also the backing up of encryption keys, and verifying other devices, just tends to confuse new users (imo).
Element sees this as levels of trust.
- Not encrypted
- Encrypted but untrusted
- Encrypted and trusted
- Encrypted and trusted but conversation has an untrusted device.
Verification process is for people you interact with outside of Matrix like IRL or phone, etc.
Getting end-to-end encryption work seamlessly is ~~difficult~~ easy on XMPP.

Fixed that for you. :)
As I said previously, my statements are based on an old experience. Much has changed today.
The default setting is that admins can easily inject their own key without the user noticing it.
Additional to that: Gajim sends files over Jingle without encryption in e2ee chats. Dino does not offer reliable e2ee for group chats. It is difficult to verify keys in Conversations because these settings are hidden, afaik.
I think in Conversations it switches from a green to a yellow sign.
There is no button called "verify key" or something in Conversations. It is a hidden setting. Do you know how to verify a contact without using the QR code? It's a hidden setting and most users won't know it. Neither does it give you info that you can verify keys by scanning a QR code. How should a user know? They don't. So they stick to default settings, and the default setting is that an admin can inject keys anytime they want, without the user noticing.
As for file sending, these are (usually) still transport encrypted.
I've mentioned Gajim, not any client. Gajim uses Jingle without transport encryption.
You can either make e2ee easy to use and enable it by default, or you can try to make people understand what they are doing to protect them from edge cases. Conversations does the former, while not making the latter impossible.
…the "edge case" that e2ee should protect from third parties such as an admin reading the messages. A new key could create a pop-up window that informs the user. If the user doesn't care, there can be an option for "never show again". Having a function that says "verify key" should also be expected from an app that argues to have a secure e2ee implementation.
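To make the key-injection concern in the last few posts concrete, here is a toy model of an OMEMO-style device trust store. It is an added example, not code from the thread or from Conversations, Gajim or Dino. The "blind trust before verification" policy it implements is an assumption for illustration (unverified devices are trusted automatically only until the user has verified at least one device of that contact); the JIDs, device ids and fingerprints are constructed sample data. The point it shows: the contact's server publishes the device list, the client wraps the message key for every device it trusts, so a device appended server-side is encrypted to silently as long as the user never verified anything.

```python
"""Toy OMEMO-style device trust store (added example, assumed policy, constructed data)."""
from dataclasses import dataclass, field
from enum import Enum


class Trust(Enum):
    UNDECIDED = "undecided"  # seen, never verified or rejected by the user
    VERIFIED = "verified"    # fingerprint compared out of band (e.g. QR scan)
    UNTRUSTED = "untrusted"  # user rejected, or fingerprint changed unexpectedly


@dataclass
class TrustStore:
    # (jid, device_id) -> [fingerprint, Trust]
    devices: dict = field(default_factory=dict)

    def device_list_update(self, jid, published):
        """Apply a device list {device_id: fingerprint} published by jid's server.

        Returns the device ids not seen before, i.e. exactly the event the thread
        argues should produce a popup rather than be accepted silently.
        """
        new_ids = []
        for dev_id, fp in published.items():
            key = (jid, dev_id)
            if key not in self.devices:
                self.devices[key] = [fp, Trust.UNDECIDED]
                new_ids.append(dev_id)
            elif self.devices[key][0] != fp:
                # Same device id, different key: never accept silently.
                self.devices[key] = [fp, Trust.UNTRUSTED]
        return new_ids

    def verify(self, jid, dev_id, fingerprint_seen_in_person):
        """User compared the fingerprint out of band (QR code, in person, phone)."""
        entry = self.devices[(jid, dev_id)]
        entry[1] = Trust.VERIFIED if entry[0] == fingerprint_seen_in_person else Trust.UNTRUSTED

    def has_verified_device(self, jid):
        return any(j == jid and t == Trust.VERIFIED
                   for (j, _), (_, t) in self.devices.items())

    def encryption_targets(self, jid):
        """Device ids the message key would be wrapped for.

        Assumed policy (blind trust before verification): undecided devices are
        included only while the user has verified none of the contact's devices.
        """
        blind = not self.has_verified_device(jid)
        targets = []
        for (j, dev_id), (fp, trust) in self.devices.items():
            if j != jid:
                continue
            if trust == Trust.VERIFIED or (blind and trust == Trust.UNDECIDED):
                targets.append(dev_id)
        return sorted(targets)


# Constructed sample data.
ALICE = "alice@example.org"
ALICE_PHONE = {1: "aa" * 16}   # Alice's real device
INJECTED = {999: "ee" * 16}    # device a malicious server admin appends to Alice's list


def injection_scenario(user_verified_alice):
    """Return (newly seen device ids, devices encrypted to) after the admin appends a device."""
    store = TrustStore()
    store.device_list_update(ALICE, ALICE_PHONE)
    if user_verified_alice:
        store.verify(ALICE, 1, "aa" * 16)   # user scanned Alice's QR code once
    new_ids = store.device_list_update(ALICE, {**ALICE_PHONE, **INJECTED})
    return new_ids, store.encryption_targets(ALICE)


if __name__ == "__main__":
    # Never verified: the injected device 999 silently receives a copy of every message key.
    print("never verified:", injection_scenario(False))   # ([999], [1, 999])
    # Verified once: the new device is flagged but excluded until the user decides.
    print("verified once: ", injection_scenario(True))    # ([999], [1])
```

Both runs report device 999 as new, so a client has the information needed for the popup the post above asks for; the difference is only whether the policy keeps encrypting to it anyway. A fingerprint change on an existing device id is marked untrusted outright in this model, since that is the one case where silent acceptance is never defensible.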
…as most people don't really need strong e2ee anyways.
Most people don't need any. What people do is infosec LARPing. And then software developers build software for LARPing.
XMPP is safer. I can't remember what exactly, but I remember the whole XMPP vs Matrix thing, and Matrix has this metadata problem that spreads like a literal virus: instead of exchanging individual messages, entire chats, while encrypted, are stored on each server you federate with. In regards to privacy, Matrix isn't the best. On top of that, most people sign up for Matrix on matrix.org, so that's a huge chunk of metadata.
However, your family and friends are sometimes boomers when it comes to signing up for XMPP. So what I'd do is use both and spoon-feed them every step of the way to use XMPP. I'd like to make an easy guide for XMPP one day.
Right, like my parents, lol. When I created a private XMPP server for family, what I did was create their accounts and tell them, “Download Conversations onto your phone, and here is your login.” That worked for them…
As far as guides go, I have seen so many. I often direct strangers to joinjabber.org, but I do not know how effective it is. I feel like it’s too much for normies even though they try to make it simple. Any service that involves choosing a provider and creating a login is out the window for 99% of people.
I'm not an encryption or security expert or anything, but the thing that you have to be careful about with Matrix is that you are going to find yourself most of the time chatting in rooms which log messages forever. That's not the case with every room; it depends on the settings, participants, and certain events that might cause the room to stop existing in the future or lose its copies of the messages, but generally what you are looking at is a system that, the way it's designed, fights against losing that kind of information. (Matrix federation makes the room copied onto as many servers as it can.) You will just want to be mindful of how you chat on there; for example, don't say things you don't want someone to look up 10 years from now. It's kind of a privacy nightmare, but you can just try being careful, for example by staying pseudonymous, and if you mess up somewhere, delete those messages.
The difference here with XMPP is that, while servers can log chat rooms, most of the time they are configured not to. History is usually temporary just for convenience (that is, offline messaging) and may go back anywhere from a few days to a few weeks. Chat rooms live on only one server that hosts them, so they are not duplicated onto other servers.
In either case, clients could still be logging and so on, so you should always be mindful of how much you trust both the service and the people you are communicating with. E2EE is available on both platforms, which you should utilize anyhow, but mainly I’m talking about public chat rooms.
Matrix, probably, by default, because most Matrix clients already support E2E out of the gate (Element, Mirage, FluffyChat for iOS, Syphon for Android, KDE NeoChat, nheko). Though you could also have E2E on XMPP, it'd just require more effort on your part to find the appropriate plugins/settings than with Matrix.
Though you could also have E2E on XMPP, it'd just require more effort on your part to find the appropriate plugins/settings than with Matrix.
That may be the case with some older clients, but the client I use has it enabled by default…