this post was submitted on 21 Jul 2023
39 points (100.0% liked)

Privacy Guides

16813 readers
38 users here now

In the digital age, protecting your personal information might seem like an impossible task. We’re here to help.

This is a community for sharing news about privacy, posting information about cool privacy tools and services, and getting advice about your privacy journey.


You can subscribe to this community from any Kbin or Lemmy instance:

Learn more...


Check out our website at privacyguides.org before asking your questions here. We've tried answering the common questions and recommendations there!

Want to get involved? The website is open-source on GitHub, and your help would be appreciated!


This community is the "official" Privacy Guides community on Lemmy, which can be verified here. Other "Privacy Guides" communities on other Lemmy servers are not moderated by this team or associated with the website.


Moderation Rules:

  1. We prefer posting about open-source software whenever possible.
  2. This is not the place for self-promotion if you are not listed on privacyguides.org. If you want to be listed, make a suggestion on our forum first.
  3. No soliciting engagement: Don't ask for upvotes, follows, etc.
  4. Surveys, Fundraising, and Petitions must be pre-approved by the mod team.
  5. Be civil, no violence, hate speech. Assume people here are posting in good faith.
  6. Don't repost topics which have already been covered here.
  7. News posts must be related to privacy and security, and your post title must match the article headline exactly. Do not editorialize titles, you can post your opinions in the post body or a comment.
  8. Memes/images/video posts that could be summarized as text explanations should not be posted. Infographics and conference talks from reputable sources are acceptable.
  9. No help vampires: This is not a tech support subreddit, don't abuse our community's willingness to help. Questions related to privacy, security or privacy/security related software and their configurations are acceptable.
  10. No misinformation: Extraordinary claims must be matched with evidence.
  11. Do not post about VPNs or cryptocurrencies which are not listed on privacyguides.org. See Rule 2 for info on adding new recommendations to the website.
  12. General guides or software lists are not permitted. Original sources and research about specific topics are allowed as long as they are high quality and factual. We are not providing a platform for poorly-vetted, out-of-date or conflicting recommendations.

Additional Resources:

founded 1 year ago
MODERATORS
 

I was sold on Matrix as a viable alternative to Discord but recently read this article which made it look not so good.

top 43 comments
sorted by: hot top controversial new old
[–] poVoq@slrpnk.net 24 points 1 year ago (2 children)

That article is mostly FUD, but there are very good reasons to be sceptical of Matrix, as it is mostly driven by a VC funded for-profit company.

If you are looking for a truly community driven and owned alternative, check out XMPP: https://joinjabber.org

[–] ninchuka@lemmy.one 4 points 1 year ago* (last edited 1 year ago) (1 children)

XMPP has issues such as rooms are not properly decentralised, not all clients support proper replys and you cant edit messages older then 1 message

the servers are much lighter then matrix servers, conduit is quite light and fast compared to synapse but not as light as XMPP servers

[–] poVoq@slrpnk.net 1 points 1 year ago (1 children)

The message editing thing is just a client setting and having a single source of truth for a room is a huge advantage of XMPP that Matrix is now reinventing as they realized their hyped decentralized rooms are just a gimmick feature that causes more problem than it solves.

[–] ninchuka@lemmy.one 2 points 1 year ago

Linearized matrix wont be replacing the current way rooms work, especially with how they want to make the clients p2p eventually, its just for the DMA and convincing them to go with matrix

[–] dngray@lemmy.one 3 points 1 year ago* (last edited 1 year ago)

Yes the article is FUD and sloppy. This is what Matthew Hodgson (Arathorn) had to say about it:

Talking of sloppiness, that hackea.org article is a huge steaming pile of FUD about Matrix.

For what it’s worth, the team who came up with Matrix was originally based in two separate startups: one in the UK doing VoIP, one in France doing mobile dev. Both got acquired by Amdocs in 2010, but we ended up forming an independent “incubated startup” first to build telco apps, and then we came up with the idea of Matrix in ~2013. We then built out Matrix until 2017 when Amdocs killed our funding, having run out of patience for what amounted to generous FOSS philanthropy.

We then set up New Vector (now Element) as an entirely independent UK/FR startup, and have received zero funding from Amdocs since. To be crystal clear: Amdocs has zero privileged influence or control over Matrix (or Element, for that matter), and has zero access to the Matrix servers we operate as Element. And besides - the whole point of Matrix is that you can and should run your own servers so you can pick who to trust, even if you don’t trust the project itself.

[–] oshitwaddup@lemmy.antemeridiem.xyz 23 points 1 year ago* (last edited 1 year ago) (2 children)

"5 years after the creation of Matrix, and after 5 years of centrally receiving such a scandalous amount of users private data from their «decentralized» software, it was only after the mentioned report was published when the Matrix developers published some «privacy improvements» [13] addressing some of the revealed problems.

We have not read it."

This seems lazy to me. I haven't read the report but i'm also not the one writing an article bashing matrix. If i was I'd want to know whether my concerns are still valid, and as a reader i want to know whether the concerns they brought up still apply without having to read a whole other report

[–] johntash@eviltoast.org 12 points 1 year ago

The rest of the article reads the same. They even said what they were repeating is probably FUD and made zero effort to investigate.

[–] Monologue@lemmy.zip 10 points 1 year ago

yeah it seems like they started writing this article by forming an opinion then cherry picking, not looking at the data and then forming an opinion around it

[–] ninchuka@lemmy.one 16 points 1 year ago* (last edited 1 year ago)

That article is full of fud don't trust it

but I do generally like matrix, its far from perfect but I do think its the best bet for a decentralised chat platform

[–] Swedneck@discuss.tchncs.de 6 points 1 year ago (1 children)

Matrix is fine, just use end-to-end endcryption which is trivial to set up.

[–] mister_monster@monero.town 5 points 1 year ago (2 children)

Theres a lot of metadata that's not encrypted in matrix, some of which goes to matrix.org no matter what server youre using.

[–] dngray@lemmy.one 3 points 1 year ago

That is the nature of any federated protocol.

E2EE works well enough within rooms and that is likely where private data is to be anyway. As long as you Matrix and assume that everyone can see your Matrix ID and room IDs you'll be okay.

XMPP isn't any better in that regard.

[–] ninchuka@lemmy.one 3 points 1 year ago (1 children)

If your talking to someone and your both on a server that's not matrix.org no data gets sent to matrix.org

[–] poVoq@slrpnk.net 2 points 1 year ago* (last edited 1 year ago) (2 children)

Except that the Element web-client also phones home to matrix/element mothership.

[–] ninchuka@lemmy.one 2 points 1 year ago* (last edited 1 year ago) (1 children)

thats one check and just use another client :P and that doesnt send the messages in the room to matrix.org so that doesnt have anything to do with the comment I replied to

[–] mister_monster@monero.town 1 points 1 year ago* (last edited 1 year ago) (1 children)

Now you're just making excuses for new vector/matrix

[–] ninchuka@lemmy.one 5 points 1 year ago* (last edited 1 year ago) (1 children)

all it does is ping to check that your config.md is valid I think its not the end of the world like people make it out to be and its element/new vector not new vector/matrix

[–] mister_monster@monero.town 1 points 1 year ago (1 children)

You're the type of woman that makes excuses for her abusive boyfriend.

load more comments (1 replies)
[–] dngray@lemmy.one 1 points 1 year ago

Element web-client also phones home

It doesn't send metadata about your use. There is a version check though.

[–] mister_monster@monero.town 4 points 1 year ago* (last edited 1 year ago) (1 children)

Meh, I use it. I'll take it over Discord or Telegram any day. But I don't use it for anything that may be sensitive or anything involving IRL people.

It's leaky. I remember all media were uploaded unencrypted and available over https, I don't know if it is still like that. Lots and lots of metadata out in the open. To be searchable you have to give your phone number to a centralized service. The protocol is overly complex, all messages live on all servers of everyone involved in the conversation, lots of duplication, but ActivityPub is like that too and we are on Lemmy...

If I set my own stuff up, I prefer XMPP, and increasingly Simplex. If some project uses matrix, I have an account and will talk to them there.

Overall I'm not a fan, but I don't outright hate it.

[–] ninchuka@lemmy.one 6 points 1 year ago* (last edited 1 year ago) (1 children)

You don't have to give them your phone number to be searchable, just use your matrix ID

Files in encrypted rooms are encrypted

Your not wrong about the metadata but xmpp leaks the same amount it just doesn't goto every server that has a user in the room

[–] mister_monster@monero.town 1 points 1 year ago (2 children)

No, to be searchable by your friends you have to attach your matrix ID to your phone number and upload it to an identity server, which anyone can run of course but which is useless unless its the new vector identity server. It's a central database of verified matrix IDs.

[–] ninchuka@lemmy.one 2 points 1 year ago (1 children)

you dont, users can find me just fine without sending my phone number to an idenity server, please stop spreading FUD

[–] mister_monster@monero.town 1 points 1 year ago (1 children)

OK... Google "matrix identity server" since you don't know what I'm trying to say.

[–] ninchuka@lemmy.one 1 points 1 year ago

I know exactly what it is and you dont need one to be found

[–] dngray@lemmy.one 2 points 1 year ago (1 children)

you have to attach your matrix ID to your phone number

Yes, this is FUD, it's not necessary, and entirely opt-in. Also you don't even need to connect to the identity server.

[–] mister_monster@monero.town 1 points 1 year ago (1 children)

Yeah, you don't have to. But to be able to easily prove you are who you are to IRL people you will. And the decision tells you something about the product and protocol design.

[–] ninchuka@lemmy.one 2 points 1 year ago

what? no you dont and the founders have said they dont like them at all since they go against the core of matrix but they make alot of sense in businesses for an internal chat app

[–] SJ0@lemmy.fbxl.net 4 points 1 year ago (1 children)

To me, the biggest problem with Matrix is that Synapse and Dendrite are both really heavy. I use an alternative server called Matrix Conduit that's more like an xmpp server in how light it is. Only problem then is that Conduit doesn't have that many resources so it's always a few steps back from Synapse or Dendrite.

[–] ninchuka@lemmy.one 2 points 1 year ago

synapse has gotten lighter, but its still heavy if you join a big room like HQ with a few thousand servers in and a complex state

[–] MangoPenguin@lemmy.blahaj.zone 3 points 1 year ago (1 children)

My main complaint about it is it just seems so resource heavy and complex for what it offers. It's nowhere near a viable alternative for Discord yet unless all you do is text chat.

[–] ninchuka@lemmy.one 1 points 1 year ago

do you mean servers or clients?

[–] PublicLewdness@burggit.moe 2 points 1 year ago (1 children)

I use Matrix; XMPP; Session; Jami; and am looking into Briar. Some of what the article says is valid but other parts are weird such as when they list Riot as "the Matrix client". Matrix has many clients. I don't use Riot at all. I use Fluffy Chat and Cinny Mainly. A lot of their list of issues don't apply to me. For instance my phone number isn't tied to my Matrix account and while they may get my IP I am usually on a VPN so that limits what they get. They talk of Matrix being centralized but that only really applies if you use the Matrix home server, there are many alternatives.

In the end they have some valid concerns but it really depends on what Matrix is being compared to. Even with these issues is it betetr than Discord for privacy and security ? Yes it is. Discord is clsoed source so nobody knows what it gives up or does in the background. No closed source program can be trusted over a FOSS option. If you want to trust any of the options I mentioned over Matrix then feel free to but don't trust Discord over it.

[–] dngray@lemmy.one 2 points 1 year ago* (last edited 1 year ago) (1 children)

For instance my phone number isn’t tied to my Matrix account

It isn't for anyone using any client unless they optionally decide to provide it.

They talk of Matrix being centralized but that only really applies if you use the Matrix home server, there are many alternatives

Indeed: https://joinmatrix.org/servers/ and that's not even getting started on the private ones or unlisted ones.

is it betetr than Discord for privacy and security ?

100% Discord has no privacy no encryption, the company sees absolutely everything.

Discord is clsoed source so nobody knows what it gives up or does in the background

That doesn't necessarily impact privacy, and we know exactly what it does in the background based on their privacy policy, which in itself is quite ambiguous in parts. They're quite happy there to admit they will tie identities together if you use social media logins and features like that.

No closed source program can be trusted over a FOSS option

I would say be careful here, because something is open source doesn't necessarily mean anyone cares about what the code is actually doing. In the case of Matrix it is a very active project with a lot of community engagement and a well thought out specification so that everyone can "get up to speed". That is extremely important. Nobody is going to sift through a tarball of source code "it's open source", if the development is not. It's also totally possible for a patched version to be running in production that doesn't reflect the source code.

That is why it's very important not to confuse FOSS with privacy.

[–] PublicLewdness@burggit.moe 1 points 1 year ago (1 children)

You can say how FOSS programs don't equate to privacy because people may not catch things or be watching but with closed source options nobody gets to audit the code at all outside the project. How is that better for privacy ? FOSS at least gives us a chance at privacy.

[–] dngray@lemmy.one 1 points 1 year ago* (last edited 1 year ago) (1 children)

If the audits are public and they are actually funded with proper scope that may very well be better than some very small project nobody can be bothered looking at. I'm not saying having source is a bad thing, quite the opposite. Privacy is generally gained through security controls, and just because something is open source doesn't mean it is secure, likewise if something is closed source that doesn't necessarily mean it is insecure as this post describes.

[–] PublicLewdness@burggit.moe 1 points 1 year ago (2 children)

My issue with closed source is we don't know if it is insecure or secure because nobody can find out. It's a pandora's box of privacy and security. It may be the most private and secure code known to man or it may be sending anything and everything about you somewhere but we'll never really know. As for public audits who picks who gets to audit the code ? The company who made it ? You can do as you please but I refuse to trust closed source code. I'm not saying all open source code is good but at least we can find out if it's good or not through independant means rather than trusting people that the company who made it picks to tell us.

[–] M4rkF@fosstodon.org 2 points 1 year ago

@PublicLewdness @dngray

The concept of security by obscurity in general is just absurd. It's maddening that this is the preferred option in Enterprise.

[–] M4rkF@fosstodon.org 1 points 1 year ago

@PublicLewdness @dngray

security by obscurity... this is an absurd concept

[–] Nakres@lemmy.one 1 points 1 year ago

I would prefer session but messages aren't reliable. They can come late or out of order, if the core functionality makes you trouble you can't make convince other people to use it.

load more comments
view more: next ›