529
this post was submitted on 23 Sep 2023
529 points (99.4% liked)
Technology
59646 readers
3583 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
This breakdown makes me much more hesitant to ever use Signal over Matrix. Signal is storing the keys themselves, where as Matrix is storing messages that can’t be decrypted and no keys. If the keys on Signal’s servers are ever stolen, you can kiss all of your message privacy goodbye. If a Matrix server is hacked, the user can’t do anything with the messages because they’re encrypted and no keys are stored.
You also have the option to host your own Matrix server and have more control—something that is not an option with Signal.
The key that is stored server-side by Signal are only used to decrypt your profile, your contacts and groups, and your app settings. It is not used to decrypt your messages. And my understanding is that if you set a secure password instead of a pin, the key will be encrypted by your password before being uploaded, anyway, meaning that it’s e2ee, too.
Also, you can host your own Signal server, though I suspect doing so is more complicated than hosting a Matrix server. The code is almost fully open source (and I only say “almost” because, in the past it was not uncommon for the code on Github to be several months out of date - the license is a FOSS license). However, Signal isn’t federated, so you wouldn’t be able to talk to anyone using the Signal app or a fork on the main Signal server - unless you forked the app and made it able to manage accounts on multiple different servers.
Matrix also doesn’t encrypt metadata and it syncs conversation metadata to every involved server. As recently as 2022 Matrix had several critical vulnerabilities discovered (and patched). I wasn’t able to find any record of the audits mentioned in that article, so I have no clue how they performed, but regardless, even if just based on the metadata alone, currently Signal is more secure.
From a FOSS perspective, it makes sense to prefer Matrix over Signal (or maybe XMPP?). Signal - Moxie specifically - has been downright hostile to forks (refusing to allow them to use the Signal server with their frontend fork) and I remember him rejecting PRs and being rude toward contributors, too, though my memory’s a bit fuzzy on the specifics. That was a few years ago, so maybe it’s gotten better, but even if so, Signal isn’t federated and likely never will be, so any developer would have a lot more flexibility building things for Matrix or contributing to existing Matrix projects.