I think XMPP.

  • @poVoq
    10
    1 year ago

    deleted by creator

    • Halce
      4
      3 years ago

      Using matrix as is out of the box is relatively secure but you need to be aware that a lot of metadata ends up on the servers of a UK based for-profit & venture capital funded company (New Vector).

      Using 3rd party clients should really be encouraged.

      • jhghjb (he/they)
        6
        3 years ago

        metadata is not encrypted as per matrix protocol, it’s not the client’s fault

        • Halce
          3
          3 years ago

          Would it even be possible to encrypt some basic metadata? I doubt that.

          • @poVoq
            3
            1 year ago

            deleted by creator

            • TmpodM
              2
              3 years ago

              What kind of metadata are we talking about?

              • @poVoq
                4
                1 year ago

                deleted by creator

                • TmpodM
                  1
                  3 years ago

                  Thanks for the link. Will be reading it

          • jhghjb (he/they)
            0
            3 years ago

            xmpp encrypts everything, metadata included

            it’s not easy and makes the protocol really hard to implement but it is possible

            • @poVoq
              5
              1 year ago

              deleted by creator

              • jhghjb (he/they)
                2
                3 years ago

                🤔 that does seem to be the case, maybe i was thinking of signal (it truly encrypts all metadata)

  • @dragnucs
    7
    3 years ago

    Getting end-to-end encryption to work seamlessly is difficult on XMPP, and you would end up not secure. Matrix does have very good defaults and has e2ee enabled by default. It also has a different passphrase to decrypt history if you need to change the device.

    Edit: typo.

    • @poVoq
      4
      1 year ago

      deleted by creator

      • @dragnucs
        4
        3 years ago

        Corrected the sentence. I last used XMPP with Conversations on mobile and Movim on the web about 3 to 4 years ago. Many of my contacts had a hard time enabling e2ee. I had to visit them to walk them through the trust process. Otherwise, they would just see scrambled text.

        • @tomtom
          5
          3 years ago

          I use Monocles Chat, a fork of blabber.im, which is a fork of Conversations.

          OMEMO encryption works by default, and (for me) was a little bit more seamless than setting it up for Element.

          Element has a slightly awkward “verification” process, and also the backing up of encryption keys, and verifying other devices, just tends to confuse new users (imo).

          • @dragnucs
            2
            3 years ago

            Element sees this as levels of trust.

            1. Not encrypted
            2. Encrypted but untrusted
            3. Encrypted and trusted
            4. Encrypted and trusted but conversation has an untrusted device.

            Verification process is for people you interact with outside of Matrix like IRL or phone, etc.

        • @poVoq
          4
          1 year ago

          deleted by creator

    • @marmulak
      1
      3 years ago

      > Getting end-to-end encryption to work seamlessly is ~~difficult~~ easy on XMPP

      Fixed that for you. :)

      • @dragnucs
        3
        3 years ago

        As I said previously, my statements are based on an old experience. Much has changed today.

      • @ancom
        2
        3 years ago

        default setting is that admins can easily inject their own key without user noticing it.

        additional to that: gajim sends files over jingle without encryption in e2ee chats. dino does not offer reliable e2ee for group chat. it is difficult to verify keys in conversations because these settings are hidden afaik.

        • @poVoq
          1
          1 year ago

          deleted by creator

          • @ancom
            1
            3 years ago

            I think in Conversations it switches from a green to a yellow sign).

            There is no button called: verify key or something in conversations. It is a hidden setting. Do you know how to verify a contact without using the qr code? It’s a hidden setting and most users won’t know it. Neither does it give you info that you can verify keys by scanning qr code. How should a user know? Not. So they stick to default settings, and the default setting is, that an admin can inject keys anytime they want, without user noticing.

            As for file sending, these are (usually still transport encrypted)

            I’ve mentioned Gajim, not any client. Gajim uses jingle without transport encryption.

            • @poVoq
              1
              1 year ago

              deleted by creator

              • @ancom
                1
                3 years ago

                You can either make e2ee easy to use and enable it by default, or you can try to make people understand what they are doing to protect them from edge cases. Conversations does the former, while not making the latter impossible.

                …the “edge case” that e2ee should protect from third parties such as an admin to read the messages. A new key could create a pop up window that informs the user. If user doesn’t care, there can be an option for “never show again”. Having a function that says “verify key”, should also be expected from an app that argues to have secure e2ee implementation.

                as most people don’t really need strong e2ee anyways.

                Most people don’t need any. It’s infosec larping what people do. And then software developers build software for LARPing.

  • Ghvsty
    6
    3 years ago

    XMPP is more safe, I can’t remember what exactly but I remember the whole XMPP vs Matrix thing, and matrix has this metadata problem, that spreads like a literal virus; instead of exchanging individual messages- entire chats while encrypted is stored in each server you federate. in regards to privacy Matrix isn’t the best. on top of that most people sign up matrix on matrix.org so that’s a huge chunk of metadata.

    However, your family and friends are sometimes boomers when it comes to signing up for xmpp. so what I’d do is use both and spoonfeed them every step of the way to use xmpp. I’d like to make an easy guide for xmpp one day.

    • @marmulak
      4
      3 years ago

      > However, your family and friends are sometimes boomers when it comes to signing up for xmpp. so what I’d do is use both and spoonfeed them every step of the way to use xmpp. I’d like to make an easy guide for xmpp one day.

      Right, like my parents, lol. When I created a private XMPP server for family, what I did was create their accounts and tell them, “Download Conversations onto your phone, and here is your login.” That worked for them…

      As far as guides go, I have seen so many. I often direct strangers to joinjabber.org, but I do not know how effective it is. I feel like it’s too much for normies even though they try to make it simple. Any service that involves choosing a provider and creating a login is out the window for 99% of people.

  • @marmulak
    6
    3 years ago

    I’m not an encryption or security expert or anything, but the thing that you have to be careful about with Matrix is that you are going to find yourself most of the time chatting in rooms which log messages forever. That’s not the case with every room; it depends on the settings, participants, and certain events that might cause the room to stop existing in the future or lose its copies of the messages, but generally what you are looking at is the system the way it’s designed fights against losing that kind of information. (Matrix federation makes the room copied onto as many servers as it can.) You will just want to be mindful of how you chat on there, for example don’t say things you don’t want someone to look up 10 years from now. It’s kind of a privacy nightmare, but you can just try being careful, for example by staying pseudonymous, and if you mess up somewhere delete those messages.

    The difference here with XMPP is that, while servers can log chat rooms, most of the time they are configured not to. History is usually temporary just for convenience (that is, offline messaging) and may go back anywhere from a few days to a few weeks. Chat rooms live on only one server that hosts them, so they are not duplicated onto other servers.

    In either case, clients could still be logging and so on, so you should always be mindful of how much you trust both the service and the people you are communicating with. E2EE is available on both platforms, which you should utilize anyhow, but mainly I’m talking about public chat rooms.

  • Halce
    2
    3 years ago

    Matrix probably by default, because most Matrix clients already support E2E out-of-the-gate (Element, Mirage, FluffyChat for iOS, Syphon for Android, KDE NeoChat, nheko). Though you could also have E2E on XMPP, it’d just require more effort to find the appropriate plugins/settings on your part, than with Matrix.

    • @tomtom
      2
      3 years ago

      > Though you could also have E2E on XMPP, it’d just require more effort to find the appropriate plugins/settings on your part, than with Matrix.

      That may be the case with some older clients, but the client I use has it enabled by default…