this post was submitted on 16 Jun 2023
129 points (100.0% liked)

Free and Open Source Software

17926 readers
20 users here now

If it's free and open source and it's also software, it can be discussed here. Subcommunity of Technology.


This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 30 points 1 year ago (18 children)

I'm cautiously optimistic that this isn't a warning sign. I can imagine wanting to do something new after spending so long working on one project, but if he left because things were straying from his vision of Signal that could be a bad sign.

[–] [email protected] 3 points 1 year ago (5 children)

Meh, signal seems like a worse version of matrix to me, is there any reason to prefer it?

[–] [email protected] 3 points 1 year ago

Well for one thing matrix clients on mobile are...not the best. Element X is looking promising, but it's currently still in beta. Element misorders messages and crashes often, and most other clients are not as feature complete. Whereas in my experience Signal tends to just work. Plus for the average person it makes for a dead simple drop in replacement to WhatsApp or iMessage. Yes, the phone number requirement has led to issues with governments just blocking the sign up SMSes, but that is a tradeoff they make for convenience.

Matrix also leaks more metadata in comparison to Signal (this is just how decentralization works). Not to mention that the recent vulnerabilities seem to suggest (in my opinion at least) that matrix cryptography is not as battle tested as the Signal protocol.

Besides the observed implementation and specification errors, these vulnerabilities highlight a lack of a unified and formal approach to security guarantees in Matrix. Rather, the specification and its implementations seem to have grown “organically” with new sub-protocols adding new functionalities and thus inadvertently subverting the security guarantees of the core protocol. This suggests that, besides fixing the specific vulnerabilities reported here, the Matrix/Megolm specification will need to receive a formal security analysis to establish confidence in the design.

Real world example: The university I study at promoted matrix as a way for students to chat at the start of the semester, and pushed them to use Element. Practically no one uses it, but I've met a few people who do chat with Signal.

load more comments (4 replies)
load more comments (16 replies)