this post was submitted on 02 Nov 2023
99 points (96.3% liked)

Privacy

31997 readers
930 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

I recently saw Alex's video about XMPP and I got curious.

I am using Element and SchildiChat a bit, trying Element X and curious about the new development here. It seems vibrant, they rewrite stuff in Rust, the apps are fancy and all.

But I tried Conversations and it seems based too, has transparent encryption, it is damn fast, usable, supports groups and files and all. Probably doesn't use the latest fancy Android SDKs but it seems solid.

I was surprised about how fast it was, as Matrix drastically varies per server. But also I found many dead communities, and in general I don't see XMPP at all, while many projects (if not using Discord, bruh...) have a Matrix room.

How secure is OMEMO by today's standards? Or OpenPGP, compared to Matrix or Signal encryption? I heard it also has rotating keys and all.

There are other things, like permission systems, chosen federation, privacy, bridge support and more, that are interesting. Are there advanced modern WebUIs for XMPP you like?

I saw that it uses up waaay less resources, why is that? Really, is "simply encrypted mail" somehow worse in an important way?

Similar to IRC, where I never found nice usable apps for my taste, I thought XMPP was deprecated, but that doesn't seem so?

What can you tell me about XMPP, is it modern, secure, privacy friendly?

[–] [email protected] 24 points 1 year ago* (last edited 1 year ago)

XMPP is much more popular for private messaging, so you don't have many large public group chats like on Discord (and to a lesser extent Matrix). It can do it, but clients are not really optimized for that to be honest.

You can btw learn more on https://joinjabber.org

As for the specific questions on e2ee: OMEMO as it is currently implemented in most clients is very similar to Signal in security, but like Signal it does not encrypt metadata. There is an updated OMEMO standard that does encrypt metadata as well, but it hasn't been adopted by any popular XMPP clients yet. However both versions are significantly more secure than Matrix's Megolm, which has chosen to sacrifice a lot of security for user convenience IMHO.

XMPP is actively developed, but it doesn't have much funding for the open-source efforts, so it lacks PR and some things don't develop as quickly as what you might be used to from VC-funded for-profit companies like Element/Matrix.

I like the Movim webclient, but most current users seem to prefer the native clients for XMPP.

XMPP uses way less resources because it was designed to scale to billions of users for chat, instead of being some over-engineered failed experiment to use a DACS for chat, which really isn't a good idea and never was.

[–] [email protected] 14 points 1 year ago* (last edited 1 year ago) (2 children)

XMPP is like email, a very open standard that was designed for interoperability even with more closed servers that included proprietary features and extensions. It can be configured to be secure and private. Matrix is another attempt at a more closed protocol / ecosystem with the difference that you can self host it. There have been also multiple complaints about the amounts of metadata that Matrix scatters across servers.

The only thing I dislike about XMPP is that stuff like push notifications and proper mobile clients aren't as easy to get as they are with Matrix. Privacy and protocol-wise I would pick it any day - even if the only advantage is that it is considerably simpler than Matrix.

https://hackea.org/notas/matrix.html

[–] [email protected] 10 points 1 year ago (1 children)

Can you elaborate on what you mean that Matrix is a closed protocol? The spec is open and there are several server and clients to choose from.

[–] [email protected] -3 points 1 year ago (3 children)

Matrix is developed by a for-profit entity, a group of venture capitalists, and having a spec doesn't mean everything. XMPP is an open standard, truly open, and if you notice you've had a lot of implementations of it all able to properly integrate with each other without effort.

The way Matrix is designed is to force into jumping through hoops and kind of draw all attention to Matrix itself instead of the end result. The kind of open collaboration where the protocol becomes mostly invisible for the end user isn't just the objective of Matrix.

[–] [email protected] 7 points 1 year ago (2 children)

Sorry, but nothing you mentioned has anything to do with Matrix not being an open protocol. I don't know what you mean by "truly open". It sounds like a "no true Scotsman" argument.

The spec is absolutely open, and you can see it in what I linked. There are also several servers and several clients if you don't like one written by the Matrix or Element folks. Heck, there's even a client for emacs! Now there are compatibility issues since not every server and client implements the entire protocol yet, but that's not an issue of openness. I used to run into problems all the time with XMPP way back when for similar reasons. I even recall something about Google breaking the XMPP protocol in some ways and causing problems.

I'm not even sure your claim of VC funding is true, since the FAQ mentions several non-VC sources of funding. I couldn't find anything about VC at element.io, so maybe it's hidden there, or something has changed at matrix.org?

Still, discussion about not liking their business model is orthogonal to whether the protocol is open or not. Maybe we run the risk of them pulling a HashiCorp and changing some licensing down the road, which would be terrible. But I think it's dishonest to say it's not open.

[–] [email protected] 4 points 1 year ago* (last edited 1 year ago) (2 children)

Try contributing to the Matrix specs. It literally has a paywall (only contributing foundation members can do it) and basically any proposal that does not further the business goals of Element gets shot down by the overwhelming majority of Element employees or affiliates on the Matrix foundation board.

So while the protocol is open to use, it does not really fulfill the typical requirement of openness in so far that it is also open for contributions and changes.

This is totally different from the truly open standardisation process for XMPP where anyone can contribute freely and no single company dominates the process.

Edit: the VC funding is for Element / New Vector, but that company fully controls the Matrix Foundation.

[–] [email protected] 6 points 1 year ago (1 children)

no? anyone can send a spec proposal here. After discussion and implementation, it may well be accepted.

[–] [email protected] -3 points 1 year ago (2 children)

Sure, you can beg them to consider your proposal, but I hope you do realize that this isn't the same as an open standardization process, right?

[–] [email protected] 6 points 1 year ago (1 children)

sorry, goalpost moving isn't my favorite sport

[–] [email protected] 1 points 1 year ago

The original objection was about it not being an "open protocol", which is not the same as having the source code of an implementation under an open source license.

That Matrix isn't an open protocol has always been one of the core objections against it. This isn't moving goal-posts, and if you fail to understand the original objection then why are you even commenting on it?

[–] [email protected] 5 points 1 year ago (1 children)

What is an open standardization process?

[–] [email protected] 1 points 1 year ago (1 children)
[–] [email protected] 3 points 1 year ago (1 children)

This is XMPP's open standardization process. It's good. It's also similar to Matrix in that you propose and people comment on it. They both have the core elements needed to be an open standardization process. So stop gatekeeping.

[–] [email protected] 2 points 1 year ago (1 children)

No, you fail to see the vital difference that the Matrix Foundation process is only open to paying members and that a single for-profit company is currently absolutely dominating the Foundation board that has the final say.

On the XSF anyone can easily become a member and get voted in a fair democratic election into the council. I know that several members are just community members with no corporate backing and they have the same if not more weight in the decision making as everyone else.

[–] [email protected] 2 points 1 year ago (1 children)

Then outline the ways they are different and source it.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

I just did, and you can look up how little oversight and accountability there really is here: https://matrix.org/membership/

To look up who the guardians and core spec team are you can scroll to the bottom here: https://matrix.org/about/ (Note that basically all of them are very closely affiliated with Element, the for-profit company).

Tl;dr the Matrix Foundation is a sham to hide that Element the company calls all the shots and has no interest at all in a truly open standards process.

[–] [email protected] 5 points 1 year ago (1 children)

So is the Linux kernel not open because code has to go through review and may be rejected?

Is Gnu software not open because you have to sign over copyright or may have code rejected for ideological reasons?

Guido van Rossum was BDFL of Python until recently and had pretty much final say on anything that went into the language. So I guess Python isn't open?

Hopefully the XMPP Standards Foundation doesn't just blindly merge in every pull request that comes their way! I'm sure there have been plenty of people that had to beg and still had their proposal rejected.

You may not agree with the decisions being made about Matrix, but that doesn't mean it's not an open protocol or an open process. In fact it's extremely transparent as another commenter linked to their proposal pull requests on GitHub.

There's plenty to criticize about Matrix. It may be overly complicated and over-engineered. If there is significant VC involvement, then the threat of enshittification is very real. Element is also quite slow in larger rooms and the search is pretty terrible at the moment.

But, it's dishonest to say it's not open. I just don't want other readers to think it's somehow closed, when it isn't. Discord is closed. Slack is closed. Matrix is not.

Also, while being open is a good thing, it's not a virtue unto itself. Visual Studio Code is an open editor but I stay away from it because I don't trust Microsoft to not fuck it up. Likewise Chromium is open but I stay away from it because I trust Google even less.

[–] [email protected] -3 points 1 year ago (1 children)

You do not seem to understand the difference between source code of an implementation and the protocol specifications themselves.

I think you need to read up on that first before we can continue this discussion.

[–] [email protected] 4 points 1 year ago (1 children)

Sorry, but that's a bit of a rude conclusion to come to considering you know nothing about me or the fact that I've been writing software for over 20 years.

Anyway, I think we've both said our piece and I'm happy to just disagree. You seem like a cool person and I'd rather not have us get upset over semantics.

Take care! :)

[–] [email protected] -1 points 1 year ago

No hard feelings and I didn't mean to be rude, but this was a rather factual observation.

What you are saying is basically because you have 20 years experience of driving a taxi you know how to operate a train service. Those are just two totally different things.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

I think some people don't give any room to breathe to projects that just want major contributors to be paid, even when, as you rightfully say, XMPP had the same compatibility struggles in its infancy as Matrix implementations now have.

So far, there is a lot of FUD around the newer protocol and that it lacks in openness. But if you look again, it recognizes versions and differences between them in the specification. Every MSC proposal covers the context of the change and recommendations to implement, while keeping backwards compatibility with older software in mind. If you make a proposal, it will be reviewed. If you need someone else besides Spec Core Team members to move it forward, flag to you - fork. But I rather prefer this model in upstream than beating around the bush and electing someone who might have lost an idea of why they are still in the project.

[–] [email protected] 6 points 1 year ago (1 children)

iirc, Matrix is a non-profit, idk where you're getting that it's for-profit.

[–] [email protected] 1 points 1 year ago

There is the non-profit Matrix Foundation that functions as a thinly veiled front for the Element for-profit company that controls the Foundation in almost every regard.

[–] [email protected] 2 points 11 months ago

Matrix is developed by a for profit entity, a group of venture capitalists and having a spec doesn’t mean everything (...) The way Matrix is designed is to force into jumping through hoops and kind of draw all attention to Matrix itself instead of the end result

For all the people downvoting my original comment this was just out. Oh well what do I know...

Decentralized communication protocol Matrix shifts to less-permissive AGPL open source license

Element, the company and core developer behind the decentralized communication protocol known as Matrix, has announced a notable license change that will make the open source project just that little bit less appealing for companies looking to build on top of it.

https://techcrunch.com/2023/11/06/decentralized-communication-protocol-matrix-shifts-to-less-permissive-agpl-open-source-license/

[–] [email protected] 2 points 1 year ago

Snikket is really good

[–] [email protected] 12 points 1 year ago* (last edited 1 year ago) (1 children)

This is good reading on XMPP

https://privacy.awiki.org/im.html#XMPP

And one about matrix

https://hackea.org/notas/matrix.html

I think that XMPP is obviously the superior choice here. Matrix is funded by venture capitalists that need to make money some way and they are actually collecting users' data for that.

[–] [email protected] 4 points 1 year ago (1 children)

Do you have a source for the claim that collecting userdata is ultimately what funds Matrix?

[–] [email protected] 0 points 1 year ago* (last edited 1 year ago) (2 children)

have you read the article I linked?

I didn't say it was ultimately what funds Matrix, they sell servers too, but they collect data, that's for sure.

Quoting the article here:

matrix.org and vector.im receive a lot of private, personal and identifiable data on a regular basis, or metadata that can be used to precisely identify and/or track users/server, their social graph, usage pattern and potential location. This is possible both by the default configuration values in synapse/Riot that do not promote privacy, and by specific choices made by their developers to not disclose, inform users or resolve in a timely manner several known behaviors of the software.

Data sent on a potential regular basis based on a common web/desktop+smartphone usage even with a self-hosted client and Homeserver:

The Matrix ID of users, usually including their username.

Email addresses, phone numbers of the user and their contacts.

Associations of Email, phone numbers with Matrix IDs.

Usage patterns of the user.

IP address of the user, which can give more or less precise geographical location information.

The user’s devices and system information.

The other servers that users talk to.

Room IDs, potentially identifying the Direct chat ones and the other user/server.

With default settings, they allow unrestricted, non-obfuscated public access to the following potentially personal data/info:

Matrix IDs mapped to Email addresses/phone numbers added to a user’s settings.

Every file, image, video, audio that is uploaded to the Homeserver.

Profile name and avatar of users.
[–] [email protected] 18 points 1 year ago

I did, yes. TBH it is very anti-Matrix right out of the gate, makes a mountain out of a molehill and it even admits that it contains FUD.

There's a couple of things that are misleading in it (for example the section on bridges) and the critique basically boils down to "if you use the identity servers that are run by Matrix.org with your self-hosted homeserver they can see the info you send to them" and "Google Analytics in Element is bad".

All in all I didn't find it very convincing, and very lacking in nuance.

[–] [email protected] 10 points 1 year ago (4 children)

I am hosting a two-person XMPP server now, and it's pretty light on resources. Matrix, however, I am not even sure my VPS would even handle: I've seen multiple people talk about how their servers would explode when someone tries to join a large room. And also there's an issue of every participating server storing chat history/media: my disk is small, I need it for the media on my site!

I am also concerned about how overly prevalent the central matrix.org server is.

[–] [email protected] 3 points 1 year ago (1 children)

all your first points are generally correct, as far as the last one however, that is the entire point in running your own instance. too many users on matrix.org. all fedi platforms have this issue as well.

[–] [email protected] 1 points 1 year ago

That was the point - it's not supposed to happen yet it is there at least for the moment.

[–] [email protected] 2 points 1 year ago (1 children)

I share your concern - matrix is bloated as a protocol. I assume you tried synapse. I wonder how conduit (rust) or dendrite (go) would perform.

[–] [email protected] 3 points 1 year ago

I didn't try it, but I read about it and talked to people who did. Two of them ran Synapse and one tried Conduit. The result - Conduit does consume much less but still noticeably more than XMPP (plus the storage concern is still there).

[–] [email protected] 1 points 1 year ago

Yes, Matrix.org is a huge problem. Even Mastodon is way more federated.


[–] [email protected] 8 points 1 year ago* (last edited 1 year ago) (1 children)

XMPP is too fragmented with all the addons or whatever they're called (edit: XEPs). Chatting with people on different servers, or even different clients is a crapshoot whether basic features like encryption are enabled. I have a lot of hope for Matrix as they work out the bugs.

[–] [email protected] 7 points 1 year ago* (last edited 1 year ago) (1 children)

Try using Matrix with a non-synapse / non-element client setup and you will have as much if not more fragmentation issues. Heck, Synapse doesn't even follow the official Matrix standard, so things break all the time on other Matrix servers like Conduit.

XMPP had a lot more time to iron out federation issues between different implementations, and it shows.

E2e encryption works more hassle free in my experience with XMPP as well, at least for private chats and small groups.

[–] [email protected] 2 points 1 year ago

I'm basically still 'testing' both of them out. Neither is good enough for me to lobby my friends to use. I use Cheogram for XMPP, mostly for its integration with SIP/jmp.chat. Years ago I spent a bunch of time on Movim. I'd be very happy for XMPP to be a consistent experience.

[–] [email protected] 5 points 1 year ago

Yeah, he did showcase XMPP in a way that normal users care about. I’m excited to try this with my friends and family using one of those open servers and later spin up a prosody server myself.

[–] [email protected] 4 points 1 year ago (3 children)

I'm also still interested in the xmpp vs matrix debate. I'm using matrix ATM because it seems more actively developed and used, but I know some people still swear by xmpp. Ultimately I really just want a decentralized alternative to discord, but beyond that I feel like I'll just want to go to whichever alternative has the most users, since that's pretty useful for chatting software.

I've heard feedback that matrix doesn't seem to be very united, with different groups implementing different competing features proposals etc., which does seem to be a pretty big issue.

I'm also pretty optimistic about a lot of the new stuff being built on matrix. I recently became aware of Commune, which is about making sections of matrix servers web searchable, and that sounds incredible - one of my biggest issues with discord is how often it gets used as effectively game wikis, collecting all these guides and information that's only accessible through a proprietary discord account. No anonymous search.

[–] [email protected] 4 points 1 year ago* (last edited 1 year ago)

Matrix is probably closer to Discord if you use that mainly for public group chats. But actually you will be surprised how nice IRC can be for that as well, including modern looking webclients.

XMPP is more of a replacement for WhatsApp, Signal and Telegram right now.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

It is easy to cook up your own IM protocol, but for interoperability between providers (which is the whole point of using XMPP or Matrix in the first place!) we need to agree on a protocol. The way we agree on protocols is standardization. XMPP is the proper IETF internet standard for instant messaging while Matrix is effectively just another product by some startup with lots of venture capital funding for shiny clients and marketing.

Also, XMPP servers and clients are a lot less bloated.

[–] [email protected] 1 points 1 year ago

Yeah, for a Discord alternative a web-searchable Matrix server might be good... but not for anything private

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

A kind of speed talk about matrix during a conference last month (SRECon23 EMEA): https://m.youtube.com/watch?v=JZsJwEjrrcM

There's a slide about XMPP at 28:40.

I am more interested in this coming law he is referring to at 36:54 but I can't find it in https://digital-markets-act.ec.europa.eu/index_en
