Signal just proven again that the feds cannot get any data.
I wonder how much longer until governments require corporations to Know Your Customer, especially if they offer crypto.
Afaik there was some shady stuff with Signal. Idk if it’s even true, but I think that centralisation just sucks for privacy and just by having common sense this is an issue. I think that signal it’s a pretty good alternative compared to Whatsapp, Instagram Direct, Facebook Messenger or SMS (if someone uses that) . But I think that we need to move to a decentralized alternative.
Yeah signal is good, but the thing I dislike about it is that its centralized and you don’t actually have the option to run your own server. Maybe one of the forks of session like session is a good alternative. But I feel like Signal is the best alternative to things like Whatsapp and Facebook messenger and it is arguably a lot more user friendly that matrix and XMPP.
Compared to the Conversations XMPP client the main “advantage” of Signal in regards to user friendliness is basically that people got used to using their phone numbers for messengers. But that is a bit like printing you phone number on your t-shirt and claiming that is is easier for people to contact you that way…
Also there is Quicksy.im which is Conversations but with a phone-number… if you really want to remove your privacy like that.
Conversations is indeed a far better alternative here…
- It uses a very popular protocol, xmpp
- works with e2e encryption for text, files, video, audio,
- it can be self hosted,
- it’s fully open source, and has a couple of popular forks (like blabber)
- devs got no funding from intelligence agencies (like matrix has)
- it’s highly efficient (unlike matrix) and runs on the cheapest of vps servers / raspberry pi
You can run your own Session server, if you stake it. But Session is about relaying messages, so its not an exclusive server. And because a node is staked, I’m skeptical where Lokinet/Oxen is going (sounds like there’s eventually going to be a business model somewhere in there).
I think the future needs to go towards something serverless. P2P has its drawbacks (offline messages and battery usage). Server based communication has dependence on someone else’s infrastructure. Blockchain might be a solution, combined with either something like Signal Secret Sender, Whisper, or Tor/Lokinet/I2P/relay. Not sure…but I believe it can be a lot better than what we have.
Matrix and XMPP is just not streamlined enough for mass adoption like Signal is. If Signal removes the phone number requirement, that will be HUGE. But keep in mind, Signal could easily be blocked.
I think the ability to run your own server could be added in the future, if they want that. The beauty about software is that most stuff can be fixed.
deleted by creator
XMPP had the issue that it did not supported Video and file-sharing as we know it today. They created more XEPs to address it but the client mess made it impossible for people to really use it.
This has changed but in the meantime people switched.
Video, voice , files - all e2e ecrypted now on conversations (xmpp) using OMEO
Works well
Not every client supports OMEO and none of those clients got an independent audit.
I would like to thank the good people of Lemmy here, who helped me avoid the logistical nightmare of setting up a matrix server, and instead choose xmpp. It’s been so fun and easy to get my family on my xmpp server using Conversations/blabber app. Resource usage is minimal, and it works very easily.
I constantly see this argument but let’s face it, it’s very unlikely that enough people will ever switch to something like Matrix. I like decentralization and the matrix protocol is brilliant, but it brings many problems:
- Many people will have to care enough to host their own servers (which now is not remotely as common as it should be) otherwise everyone will just use the biggest severs, weakening the advantages of decentralization
- It’s way harder to implement new features that people care about
- People are not used to Element’s UI and there aren’t clients good enough to compete with Telegram, Whatsapp or even Signal
- The performance wouldn’t be as good exept for the biggest servers, causing centralization again
- If people don’t use it, it becomes useless, which is the same problem other alternatives have. This means that people must want to change naturally to it, meaning clients, ease of use and performance would have to be at least on par with what they’re using at the moment
On the other hand, Signal:
- Is very similar to the way Whatsapp works, which is what most people are used to
- The Android and iOS clients are getting better with time (the desktop client needs to abandon electron but it’s hard with only few developers and it’s a lot of work)
- The protocol is robust and audited
- It doesn’t leak metadata, as Matrix does
- Even if it’s centralized and Signal runs their servers on AWS, the only useful information third parties could gather are timestamps and the recipient of the message, not even the sender
- It’s easy to jump on Signal, the network of contacts already exists and you wouldn’t need to ask for usernames or email addresses
- Don’t foget that the clients and the server are open source, and even if the Signal Foundation decides to stop working on Signal, shutting down the services (VERY unlikely), we could fork the projects and bring them back up
Centralization can be problematic, but if it’s done correctly the pros may outweigh the cons, and in my opinion this is the case for Signal, but I’d happy to be proved wrong in future
The performance wouldn’t be as good exept for the biggest servers, causing centralization again
In my experience, self hosted matrix is way faster than matrix.org ^^
It depends on what hardware you host it. Most people can’t affort powerful hardware. My experience with self-hosted matrix on a raspi 4 and on an old desktop pc hasn’t been great, and the problems grow with the number of users
yeah right there’s no way to convince the signal users I know to switch platforms yet again. I tried getting some to switch to xmpp which is much simpler than setting up a matrix account and they wouldn’t do it.
You’re basically competing with “Simply download the app (Signal) and use it.” That’s a tough thing to motivate anyone to do, and I can’t articulate in a convincing way to anyone I know why it’s better. In practical terms as far as they’re concerned, Matrix are XMPP are not any better and my preference that we didn’t use siloed centralized services is purely abstract to them.
I chose matrix over signal because of the centralization problem. That being said, I could convert some friends and family to use matrix but a lot of people went to (or already were on it) signal.
After a few months I decided to install a signal bridge on my matrix server so I guess I’m having kind of best of both worlds, even though it’s not a perfect solution, it is one acomodating both sides.
EDIT: it really bothered me to use my personal phone number as well so I use an other number I had laying around
Well the phone number requirement is one of the best parts of signal IMO. Makes it much easier to find your contacts that are also using signal. Plus there’s no account to create.
I just use both and its been fine for me.
Matrix and XMPP are the best services!
Please do not forget about Revolt the open source and self hostable, clone of Discord.
Shame is, Revolt refuses to support any kind of federation…
Matrixedit: Element aims to be more of a replacement for Slack/Discord than WhatsApp/Signal/Telegram though.I think XMPP is probably the better replacement for the latter. With apps like Conversations/Blabber.im and Siskin for iOS the “personal messenger” experience is quite good these days (but not perfect), and with e2ee coming to Movim, there is a strong contender for a convenient to use XMPP webapp as well.
I share your view that XMPP is superior to Matrix as replacement for WhatsApp (which actually uses XMPP internally but does not participate in federation) in the context of personal/direct 1:1 messaging.
The reason, though, is more technical. Matrix works like a globally synchronized database - it duplicates the message history to all participants of a chat and is stored on the server which makes it incredibly complex, expensive and error prone. XMPP rather works like a simple relay - the message is only stored until delivery. This makes the server part way more lightweight and adminstration easier as you don’t run out of memory as fast as with matrix. (See more)
Regarding the clients I don’t like either. Element is too Slack-ish and the more modern clients like FluffyChat are quite buggy. Conversations one the other side looks outdated with a design from like 2015. I would like to see it adopting more recent iterations of material design such as cards or rounded corners.
After all both protocols unfortunately leak considerable meta data :/
Very good break-down.
Besides the meta-data leaking, I would always use xmpp Conversations app over anything else. I don’t find it too outdated UI wise, but I’m no expert in this area. It does feel intuitive - somewhat like watsapp. But the blabber fork does a sligthly better job in UI
Matrix works like a globally synchronized database
And, among other issues, this is why it leaks tons of metadata and allow for easy correlation attacks and social graph discovery.
- Matrix has no SMS support, it is a weak argument but it is one because some people prefer All-in-One Apps instead of installing 1000 apps.
- You can use Signal with burner Sim, the old argument … but but it uses your phone number is nonsense.
- You can use Signal forks that work without phone number like e.g. Molly.
- It is correct that Matrix uses AWS, azure and co. as servers, however the metadata impact those servers can see or use or abuse is not given. This is proven, same like that the code is considerable good enough. From what I know the Matrix clients … none of them nor the protocol got audited.
- Skipping each time a new player pops up instead of fixing the existent protocols and clients is not for everyone a solution.
- Most Matrix clients, at least on Desktop suck, it ends up with using alternative clients and then there is the problem of fragmentation and that those clients might even be more insecure or do not implement all feature.
I use both Matrix and Signal and they both suck in terms of usability and alternatives clients with better GUIs and resource usage.
Claiming over and over and over Matrix is the solution when it is not and had multiple times already incidents is cringe. There is metadata leakage, there is the group chat encryption problematic and and and, I do not even mention all problems. It will take years to address all of this.
You can use Signal with burner Sim, the old argument … but but it uses your phone number is nonsense.
It’s not that easy to get anonymous SIM-cards in many countrys. Also it’s just incredibly inconvenient and insecure. (enables easy impersonation)
But yes most matrix clients (and servers) suck big time.
You can buy SIMs online via Monera and Bitcoin.
It is really that easy, I do not post websites because it is a gray-zone but Google it and you find entire phones without SIM tracking and websites connected to it selling only the SIMs. Every scammer use this method.
How is that insecure if I may ask. There is no attack scenario, SMS is simply not designed to be secure, you know that before you can send something. Impersonation is on all anonymous networks like Session a problem, this is not an exclusive SMS or Signal problem. God knows how many CHEF-KOCH fakes I already encountered on Telegram and Session. I stopped counting.
Also secure networks like Session do not stop someone from data exfiltration attacks or if you leak information yourself others can use against you. SO those networks and so-called alternatives are by no means any real alternative, Signal is designed for friends, not strangers. My friends have my real-name and my phone number, not sure about your friends…
You can buy SIMs online via Monera and Bitcoin.
I know, there are also sms-gateways and if you’re in the EU you can use a SIM from another EU country for quite cheap. It’s still inconvenient, may leak your location and is probably illegal.
Impersonation is on all anonymous networks like Session a problem
Using a mobile number as ID gives a false sense of authenticity. Signal only shows tiny warnings when someones “security code changes” when it should block further communication and show a warning that cannot be clicked away without knowing the implications.
Also secure networks like Session do not stop someone from data exfiltration attacks or if you leak information yourself others can use against you.
It’s impossible to defend against this at the software level.
Signal is designed for friends, not strangers.
Is your communication with friends less sensitive than that with strangers?
- Farming data without opt-in is also illegal and no one cares.
- Using no authentication at all is also false sense of authenticity because you do not know who you are talking too which disqualifies Session. Another problem is you need to trust others servers, joining them without any chance to verify that these servers are not a honeypot or alt-right.
- I agree there is no network nor software which prevents data exfiltration attacks. But this shows that the main issue is on users end, not the network.
- My point is that you to 100 Percent already shared sensitive information, so there is no privacy intrusion if you use Signal. Signal is proven to be secure and the metadata stuff on the servers are so minimal that the feds cannot do anything at all with it. I do not see to suggest other IMs who had leaks in the last + there are no audits or evidence that it is really as secure as you think it is.
Verification, at some point will so or so become a part in the EU, if not via SMS than age check, ID or whatever they come up with. The dream that you can be fully anonymous than this is what this is about ,not privacy, will end so or so, thanks to alt-right people who abuse every anonymous network to share illegal material, to scam others. The privacy argument is for most nothing but an excuse and the Govt is also not stupid and can see that. How is it helpful suggesting software or alternatives that are ore complicated to setup and you never know who you are talking too better, I do not see it, you run into more problems if you trust anonymous strangers, besides you can block on every Android phone at least Contacts and SMS permission without root if you dislike those permissions or features - some networks or alternatives do not even allow that.
There are problems on both ends, not only centralization and decentralization does not solve all of mentioned problems. No beginner wants to setup his own server to just chat, and no one I know does that, so at the end of the day it anyway ends up trusting a random stranger with your data because you use his server, network with your data.
I think Signal is good for beginners, like ever software it is not perfect and like every network nothing is fully anonymous. I do not see how Matrix beats simplicity, functionality and usability - right-now - over Signals for beginners. In fact by default depending on what server you are connected too on Matrix you are less secure. There is absolute no verification, so complaining about that Signals verification process is not perfect while Matrix ones is not existing or flawed is weird.
I daily drove Matrix for a while and honestly, the UI/UX isn’t so good. Signal is the only platform I can reasonably get people on, and it’s just a better user experience (stickers, nice look, fast messages, link previews, etc.).
I’m honestly sick of people saying some alternatives are great for everyone when they still have work to do, you can’t even easily make encrypted groupchats on there. So much fragmentation, so little polish - still love the devs but like, be realistic
a better user experience (stickers, nice look, fast messages, link previews, etc.). I’m honestly sick of people saying some alternatives a Hard agree. Additional some of his points don’t make sense, like his stance on “what if a better app ever appears” - like, who cares? If there’s a significantly better app, suggest it, if there isn’t, why caution people about something that doesn’t exist?
He also brings up the point about LibreSignal being shut down by Moxie but doesn’t bring up the fact there are 3rd party clients that exist, which the devs are aware about, but haven’t been shut down/blocked and its been years.
- https://axolotl.chat/
- https://github.com/boxdot/gurk-rs
- https://github.com/AsamK/signal-cli
- https://molly.im/
Anyways, I would disagree with the message as Signal is currently the best private and cross-platform SMS/text replacement available.
Skip Signal, skip Matrix, go independent, go P2P.
with what? tox?
Tox is well implemented, but we need something that can handle messages when a recipient is offline, and something that won’t consume a lot of energy on a mobile device. Regardless of what options we have today, we need to push for the next gen of P2P, not accept less.
Well, not exactly, I believe Tox hadn’t moved away from needing a lot of auditing they lack. Seed:
https://github.com/TokTok/c-toxcore
https://github.com/TokTok/c-toxcore/issues/426
https://github.com/TokTok/c-toxcore/issues/210
https://github.com/TokTok/spec/issues/50
What it seems is that tox was left behind, compared to other protocols… But most importantly, that they’re really lacking the auditing they need.
I was a fan long time ago, but now I no longer know… Besides tox, there are other p2p ways to communicate, like Briar and Jami. Though Jami doesn’t use double ratchet encryption, it does offer e2ee, and it’s the only offering multi devices syncing, though it doesn’t really work well yet.
The other thing about p2p + e2ee communications, is how impractical they become on mobile devices, whether you keep them deactivated, or you get your device battery drawn in half a day or so… But I’m still hoping for they to become better on both aspects, power consumption and multi devices syncing, supporting both, desktop and mobile devices. In the meantime, I settle down with xmpp, :)
I didn’t like Briar because it isn’t cross platform
I didn’t like Briar because it isn’t cross platform. I didn’t like Jami because the configuration is confusing and the UI on Linux is not good. Tox has issues, but I’m over Tor. It is simple…and very fast…even over Tor. Status.im is another to take a look at. They may have solved the offline issues. Like I’ve said, there still a lot of room for a new generation of messengers.
Yup, there are several options… And I guess, as everything, it’s a matter of taste. I do believe Tox shouldn’t be used when looking for privacy and security, and somehow, perhaps due to lack of developers, that hadn’t changed for quite some time. FYI, there’s a Briar for gnu+linux, though I can’t tell if there’s a desktop version of it (I do know ubuntu touch makes it available for phones). Unfortunately I don’t like status.im, it includes a crypto wallet within, and though it’s OSS, it’s not FLOSS, which I prefer, having an option. I’m hopping for Jami to get more polished, both on the devices syncing and the UI. I have to see what happens with Briar for gnu+linux, and although I lost hope some time back, I’d really like Tox to improve on its security status. BTW, I used Tox (I really had high hopes on it), and there’s no multi-device support. On Android I used both, trifa and antox (it seems antox has been dropped now a days), and on desktop I used qtox. And with no exception, on Android, tox apps, briar, jami, all are power hungry, which is the other thing I’d really like them to improve, but have low expectations given their p2p nature…
Status is something I’m trying to better understand. It solves the P2P problem of offline messages, but I haven’t tried the mobile version to measure battery consumption. I would assume the battery usage is better because Status doesn’t require to be constantly online.
I think there needs to be a mind set change for these types of apps. The big shift is to refer to these apps/platforms as decentralized/distributed. Decentralization/distributed includes messaging + currency + websites. Status is also built with Ethereum. So if they have the technology already built, it would seem logical a lot of these apps/platforms are going to include similar crypto/blockchain features. And if you don’t like the dapps and wallet, you can disable the features in the app. So far I haven’t seen a downside.
Use Briar, the only messaging system that protects your metadata and does not need servers.
Does Briar work well? I have never tried it
I think it would be nice to have a consumer focused document covering:
- Product risks.
- Roadmap of where we want to go.
- Feature implementation matrix of where we want to go.
- I would also like to know the challenges to what we want (feasibility? pros/cons?)
In addition: I don’t want to depend on servers.
I don’t want the risk of self hosting a server. I don’t want a server that can be blocked. I don’t want to trust client/server code. I don’t want people/admins to know who I am talking to. I don’t want people/admins to know where I’m talking from. I don’t want admins to know about groups, the subject, or the members. I don’t want to depend on an organization that can be controlled by government or ideology. I don’t want to depend on anything that can be shutdown.Status and Session seem to be the next evolution (though still not perfect).
I think Jami is one of the best contenders, on the serverless p2p sides, :)
Matrix is quite good. Other alternatives are Briar and Anonymous Messenger. https://briarproject.org https://anonymousmessenger.ly
I hope they eventually become multi-platform, and good support.
