this post was submitted on 07 Feb 2025
378 points (99.0% liked)
Technology
61968 readers
3747 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Telegram is probably the worst thing you could use, it doesn't encrypt messages by default and they are stored on Telegram's servers, so they can read them at any time.
Yes, Matrix leaks a bunch of metadata and doesn't have post-quantum encryption.
The best option is to use Signal. It uses end-to-end encryption by default for everything: Normal chats, group chats, voice and video calls and even stories. Messages are only stored on their servers (in encrypted format, so they can't access them) until you receive them, after which they are promptly deleted and only stored on your device. And Signal has much better metadata protection than Matrix. The UX is also much better and less confusing, making onboarding new users much easier.
But you should also be aware that Signal does not federate, so the company can be bought. They have control over all accounts and the servers, without easy way to migrate away again. So it might just be another trap.
Try to use federated services (like matrix), they are more robust against hostile take overs.
This is such a bad take it seems like deliberate misinformation.
Signal is open-source software maintained by a non-profit. User data is not stored on Signal servers, they have no way to access messages as they are stored and encrypted on your phone. If the Signal Foundation were revealed as bad actors then the open-source code could be forked to a new project.
Feel free to fully evaluate their code here: https://github.com/signalapp
That's the signal app. The software which runs on their servers is proprietary.
No it's not: https://github.com/signalapp/signal-server
No, the server is on the github account linked above as well. The repo is here.
Signal however doesn't federate and does not generally support third-party clients.
The company (Signal Messenger LLC) is fully owned by Signal Foundation, a 501(c)3 non profit organization.
I generally like this idea, and I also use federated services for things like social media, that's why we're having a discussion here on Lemmy. But it introduces some issues with private messaging, like lack of reliability, which sucks if you want to use Matrix as your primary messenger, as well as metadata leaks. Federation is not always the answer, and in my opinion definitely not when it comes private and secure messaging.
Probably around 80-90% of Matrix users are on the matrix.org homeserver, so it's absolutely not as decentralized and resilient as you think it is.
OpenAI is also non-profit. Not really an argument.
Well, the goal is that moving to your own server, will not mean that you will loose access to all your contacts. Which makes moving instances much simpler. If Matrix gets a hostile take-over, your don't really need to reach a critical mass for an alternative server.
Shortcut question: What's a workable federated e2ee solution that's available today? Quantum secure? Metadata secure?
Matrix?
IMO the whole "metadata insecurity" stuff about Matrix is over exaggerated. Also Matrix is improving there.
If metadata security is really that important, you could try Tox or similar P2P chats.
I actually tried Tox - maybe 8 years ago now... the real problem with it, or anything similar, is that you need both ends of every conversation to take the trouble to set it up. It was pretty easy to setup, IMO, but... as an example, in 2005 I had an engineer co-worker ask me about "that Linux thing" when I got around to telling him that pretty much everything he used on a daily basis was available in Linux, just under different names than he was used to in Windows "Oh, you mean I'd have to learn different names for Word and Excel and Outlook?" "Uh, yeah." "Oh, that's more trouble than I think I want, I'll just stick with what I know."
At least (to my knowledge) the Signal messages are decrypted on the client end, so buying the company doesn't give them automatic access to messages.
Having said that, I'm sure a hostile new owner could update the app to decrypt and then send the messages as plaintext to the servers if they wanted..
Well, you can still insert client side decryption into the app.
But it isn't really about the messages, it is about the control of the servers and the accounts. You cannot easily move away from their servers, because you will lose your contacts. This gives the people controlling the servers power over you. A sort of vendor lockin.
In the 1990s US ISPs would "give you" an e-mail account with their service: [email protected]. Of course, this is insta-lockin for that e-mail address, you can never port it.
Owning your own domain name and running e-mail service through that worked, for a few years, but the big players have made whitelist / blacklist such a frustrating whack-a-mole game in the e-mail space that running your own e-mail server quickly became impractical.
There are different degrees of vendor lock in. If you use email (or Matrix) with a domain, you have no control over, you are soft-locked it. You can buy a domain, self-host or pay for a managed service and inform everyone that you are now reachable over some other address, but nobody else has to change.
If you use Signal (or Discord or whatever) and want to switch to a different domain. You cannot. If you switch to a different protocol, everyone in your contacts has to switch as well, or you lose that contact. The network effect forces you into the service of one provider. The only way out of there would be if the service get so bad, that a critical mass leaves, but you will have to deal with that bad service all the way.
As long as financial interest are there, non-federated services will sooner or later start to enshittyfy. So if you choose a communication medium, choose something that leaves your options open. If you don't like Matrix, try XMPP, it has come a long way as well.
This was outlined 50 years ago as part of Anarchist analysis of the system then. Not exactly an easy read, but "the second watershed" can be equated to "jumping the shark" or "enshittification" or whatever other term you want to apply to: a good thing gone bad due to the business owners switching from serving customers to enriching / empowering themselves:
https://archive.org/details/illich-conviviality/page/9/mode/1up
The alternative proposed by Illich to "Radical Monopolies" are "Convivial Tools" which empower individuals instead of central decision makers.
That's why all clients are fully open-source. You can also use a fork like Molly.
AFAIK, Signal does not want anyone to use alternative clients, has that changed?
As far as I know moxie, signals lead dev, considers only the use of the officially build and distributed client authorized to use their servers.
So if they ever manage to detect someone using their services with an alternative client, they might delete your account.
https://techcrunch.com/2016/11/07/signal-app-maker-rebuts-criticism-of-dev-direction-by-calling-for-more-community-help/