All of the people recommending matrix don’t understand why signal is secure. Matrix offers the same level of end to end encryption as Facebook Messenger, but it’s federated so people who care more about federation than privacy like to misrepresent its safety
That’s fair! If you’re on these type of forums, there are a lot of Signal haters and a lot of Matrix lovers, and sometimes they like to make confusing or just straight up inaccurate statements. The crux of the issue is not about the encryption of the text of messages themselves, which both platforms are capable of doing. Personally, I wish there was something like Signal but without the centralization, but the reality is such a thing doesn’t exist.
Signal (as in the Signal server and by extension the legal entity behind Signal) does not know what groups you’re in, does not know who’s in your contact list, does not know which groups you are sending messages to, doesn’t know which groups exist, and can’t tell the difference between a message, a reaction, a read receipt, a remote delete (“delete for everyone”), an edit… etc. Signal doesn’t have a way to send anything between two parties that the server can see. Signal has received a number of subpoenas which they typically fight, and if/when they lose they over all of the information they have about the subject of the subpoena, which tends to be whether or not they have a Signal account, when they registered the account and when they last used it. You can see these at https://signal.org/bigbrother/
Matrix (as in the Matrix server you’re registered on as well as the servers of whoever you’re talking to, for groups that means everyone in the group, notably this is not necessarily the same as the legal entity behind Matrix, but in practice a LOT of people use matrix.org for their home server so it frequently is) can see basically all of the things I listed above. The text of normal messages is encrypted. The group membership list isn’t encrypted. reactions aren’t encrypted. read receipts aren’t encrypted. Group membership lists are stored in plain text.
“theoretically” being the operative word here. Most people don’t. And if they did, they wouldn’t be able to talk to anyone else without the metadata getting copied to that person’s server. Probably okay if it’s between two information security experts who operate their secure own servers, but in reality most people don’t do that. This could be summarized as: Matrix offers a lot of easy ways to be less secure, Signal does not.
As for WhatsApp, I know they have paid or maybe still do pay Signal for their encryption. I believe Facebook Messenger did or does as well. I’m not sure what the actual implementation looks like and neither is anyone else, because it’s closed source.
On the other hand, matrix offers anonymous chat, while signal requires a phone number.
What software is really executed on signal servers knows only signal’s team - so, it is still, a matter of trust.
But that’s not what’s being said here. In this post people op is asking for federated Signal. People are saying matrix is just as secure. This is wrong and I am pointing that out so people don’t go thinking this is correct. Making misleading statements about the security of this sort of thing is dangerous.
Facebook Messenger offers optional end to end encryption just like Matrix. Just like Matrix, the server knows who you’re talking to, what groups your in, who else is in those groups, how many messages you sent to which group, who’s messages you react to, etc. But the actual text of the message is technically encrypted so Facebook can’t respond to subpoenas for your messages. I use Facebook Messenger as an example because Facebook is (correctly) generally considered not private or safe.
All of the people recommending matrix don’t understand why signal is secure. Matrix offers the same level of end to end encryption as Facebook Messenger, but it’s federated so people who care more about federation than privacy like to misrepresent its safety
I will admit I don’t understand why Signal would be more secure than Matrix. I understood Signal to have E2EE just like Matrix.
That’s fair! If you’re on these type of forums, there are a lot of Signal haters and a lot of Matrix lovers, and sometimes they like to make confusing or just straight up inaccurate statements. The crux of the issue is not about the encryption of the text of messages themselves, which both platforms are capable of doing. Personally, I wish there was something like Signal but without the centralization, but the reality is such a thing doesn’t exist.
Signal (as in the Signal server and by extension the legal entity behind Signal) does not know what groups you’re in, does not know who’s in your contact list, does not know which groups you are sending messages to, doesn’t know which groups exist, and can’t tell the difference between a message, a reaction, a read receipt, a remote delete (“delete for everyone”), an edit… etc. Signal doesn’t have a way to send anything between two parties that the server can see. Signal has received a number of subpoenas which they typically fight, and if/when they lose they over all of the information they have about the subject of the subpoena, which tends to be whether or not they have a Signal account, when they registered the account and when they last used it. You can see these at https://signal.org/bigbrother/
Matrix (as in the Matrix server you’re registered on as well as the servers of whoever you’re talking to, for groups that means everyone in the group, notably this is not necessarily the same as the legal entity behind Matrix, but in practice a LOT of people use matrix.org for their home server so it frequently is) can see basically all of the things I listed above. The text of normal messages is encrypted. The group membership list isn’t encrypted. reactions aren’t encrypted. read receipts aren’t encrypted. Group membership lists are stored in plain text.
Well, matrix, does not require your phone. You, theoretically, can selfhost a matrix server.
On the other hand, one can say that signal provides same level of e2e encryption and protection as WhatsApp, right?
“theoretically” being the operative word here. Most people don’t. And if they did, they wouldn’t be able to talk to anyone else without the metadata getting copied to that person’s server. Probably okay if it’s between two information security experts who operate their secure own servers, but in reality most people don’t do that. This could be summarized as: Matrix offers a lot of easy ways to be less secure, Signal does not.
As for WhatsApp, I know they have paid or maybe still do pay Signal for their encryption. I believe Facebook Messenger did or does as well. I’m not sure what the actual implementation looks like and neither is anyone else, because it’s closed source.
Agree.
On the other hand, matrix offers anonymous chat, while signal requires a phone number. What software is really executed on signal servers knows only signal’s team - so, it is still, a matter of trust.
Signal also not good in cross device usage.
It looks there is no ideal options
But that’s not what’s being said here. In this post people op is asking for federated Signal. People are saying matrix is just as secure. This is wrong and I am pointing that out so people don’t go thinking this is correct. Making misleading statements about the security of this sort of thing is dangerous.
You are right. One still, must not forget that signal knows you phone number, though.
I would say matrix is the closest what exist.
Can you please explain that in a bit more detail, for those of us who use these systems but aren’t up on the architecture?
Facebook Messenger offers optional end to end encryption just like Matrix. Just like Matrix, the server knows who you’re talking to, what groups your in, who else is in those groups, how many messages you sent to which group, who’s messages you react to, etc. But the actual text of the message is technically encrypted so Facebook can’t respond to subpoenas for your messages. I use Facebook Messenger as an example because Facebook is (correctly) generally considered not private or safe.