Another issue is that you suggest using Matrix or XMPP, which take security much less seriously. XMPP is not encrypted by default, and Matrix has some serious issues regarding its trust model.
This is not really true, the most popular clients are enabling e2ee by default and it is literally a single click on a padlock sign on the others that support OMEMO e2ee.
That linked article talks about how crypto in browser is easily subverted. You don’t have to use matrix with a browser client and most people I know use standalone clients.
You don’t have to use matrix with a browser client
But the presence of a browser client seriously undermines the security of the whole platform. People don’t know that they should not use the browser client. If it were a third party client it wouldn’t undermine the seriousness of Matrix, but the browser client is an official one, which shows that Matrix takes security much less seriously than Signal.
True, the element.io site offers the browser client first, which I find wrong.
On the other hand some of Signal’s choices were justified by “helping adoption” so I guess that falls under the same category.
Currently I can’t find a way to see which client another user is using in the Element mobile app. Not sure if that is even possible. So I guess for really sensitive matters you have to make sure your collaborators know how to stay safe.
And of course if your use-case really required a web-client you could just self-host it.
So I guess for really sensitive matters you have to make sure your collaborators know how to stay safe
This is a really bad idea. The software you use should be usable safely without any knowledge of security if you want it to be really effective outside of security conscious people. And even security conscious people make mistakes.
And of course if your use-case really required a web-client you could just self-host it
That’s not an option for 99.99% of the population.
Another issue is that you suggest using Matrix or XMPP, which take security much less seriously. XMPP is not encrypted by default, and Matrix has some serious issues regarding its trust model.
This is not really true, the most popular clients are enabling e2ee by default and it is literally a single click on a padlock sign on the others that support OMEMO e2ee.
That linked article talks about how crypto in browser is easily subverted. You don’t have to use matrix with a browser client and most people I know use standalone clients.
But the presence of a browser client seriously undermines the security of the whole platform. People don’t know that they should not use the browser client. If it were a third party client it wouldn’t undermine the seriousness of Matrix, but the browser client is an official one, which shows that Matrix takes security much less seriously than Signal.
True, the element.io site offers the browser client first, which I find wrong. On the other hand some of Signal’s choices were justified by “helping adoption” so I guess that falls under the same category.
Currently I can’t find a way to see which client another user is using in the Element mobile app. Not sure if that is even possible. So I guess for really sensitive matters you have to make sure your collaborators know how to stay safe. And of course if your use-case really required a web-client you could just self-host it.
This is a really bad idea. The software you use should be usable safely without any knowledge of security if you want it to be really effective outside of security conscious people. And even security conscious people make mistakes.
That’s not an option for 99.99% of the population.