Why use Signal over XMPP and Matrix? Signal is centralized and wants you to stay in check, using their crappy client, giving away your phone number, and all your presence, social graph and other privacy sensitive information to a single actor (which can’t be yourself, because you can’t self host signal) and that has nothing to back it up other than “trust me bro, I’m gonna do no harm, but also I control all your communications under my own terms and conditions and there’s nothing you can do about it”.
Matrix was found leaking metadata, it’s not like Matrix is bad or anything. But it just doesn’t get the attention it needs. For WhatsApp users that do want better privacy and security, Signal is a solid choice. XMPP, by default with no configuration, doesn’t really have encryption and also, it has issues with metadata leakage as well.
For the average Joe, Signal is a simple app that has privacy and security out of the box. Sure, it would be awesome if Matrix was widely adopted, but it isn’t.
What Matrix metadata leakage are you talking about? Regarding XMPP, I am not aware of anything like it, and I suspect that this leakage you are talking about is just standard client-server signaling, where in federated protocols like Matrix and XMPP you can choose whom to trust (or self-host) whereas in all other cases your metadata isn’t just centralized and consolidated, you have no recourse and knowledge about what’s being done with it.
On the side of XMPP, OMEMO (which is XMPP’s take on double ratchet encryption à la Signal) is standard across the board of all maintained clients, so you wouldn’t be less secure there than on e.g. Signal or Telegram, so your take on XMPP’s security isn’t factual.
Huh, some things might have changed then. My memory is from around 2021-2022, so things might have changed.
When talking about messaging apps, you’ve to use the one that’s easiest to use even for the most noob tech person.
Signal uses phone number, because that’s how people generally communicate. It’s easy to use and set up. No privacy nightmares compared to WhatsApp, or security nightmares compared to Telegram (where E2EE is not even on by default). It’s open source, regularly audited and can be used on any device (no more proprietary green bubble nonsense). There’s still a market for Threema and Matrix, etc. It just never will be mainstream.
My whole point was that between Signal and WhatsApp, none is intrinsically better than the other in this regard. Both are centralized and collect the same amount of privacy-sensitive data about you (your online presence and patterns, your IP, your network graph, the routing of your messages and their nature…), because they need that to function. Whether they log it (irrespective of what they advertise) is one thing nobody but themselves can verify and where open source plays no role.
Matrix/XMPP are only better because you can self-host if you trust no one, or choose whom to trust, or change whom to trust along the way without incurring a total loss of your contacts, histories, assets, …
IMO, the sales pitch for XMPP/Matrix shouldn’t be “we are better/more secure/more privacy focused by design” (and it’s pretty clear that the tech-illiterate majority doesn’t care anyway), it should be “with us, you will no longer have to jump ship every 5 years in avg. because Facebook/Google/Amazon/some oligarch/… broke their promise/used their absolute power over your account to their discretion”.
Signal is an installable App from an app store… Where’s your Matrix and XMPP? That’s why they use it over Element/etc
XMPP arguably has some of the strongest crypto functionality there is, it’s just too dependent on the app to feel safe, since all of the vulnerabilities in these ecosystems are basically down to the client implementation.
Absolutely, and an argument can be made about captive ecosystems controlling both clients and servers. They also represent a single point of failure, so there’s no magic bullet. In practice it’s also not that different than keeping up with your browser’s/OS’/phone’s updates and XMPP has that for itself that it has (unlike Matrix) a vibrant community of clients and servers supported by diverse parties (commercial and not).
Matrix and XMPP have plenty of apps installable from those stores as well, not sure what your argument is about?
Their names are not Matrix or XMPP… It’s not as easy as saying “Install Signal” is my point.
That’s not even true, if you search “matrix”, Element is your first result, if you type XMPP, you get “Conversations”, exactly as you would expect.
Which is a €4 app. Also, Signal is 4th in the results.
Yep, that’s more or less how much WhatsApp was costing you before you became the product. That didn’t prevent it getting millions of users.
Because one is an app and the others are a technology standard. I can install Signal on my phone and use it to talk to people securely.
Where do I go to get XMPP or Matrix? Can I trust app makers to have correctly implemented the protocols? When it comes to security I tend to trust larger entities versus the garage startup.
While that’s a fair point, element.io is the de facto Matrix implementation and effectively the group that started Matrix.