Element/Matrix

Alan_the_coder

I found an article from Wire saying that Element/Matrix isn't secure and doesn't always comply with privacy regulations.
I am now a little bit worry and not sure if there is any alternative to Element? I would go with Molly but I don't really like the idea of giving my phone number for registration (in my country we need an ID to activate a line).
I just need something to discuss with my family, as a replacement for SMS.

ryrona

Alan_the_coder I found an article from Wire saying that Element/Matrix isn't secure and doesn't always comply with privacy regulations.

Element is fine. The end-to-end encryption is correctly implemented and fully secure, and the project takes security issues seriously. Matrix home servers also need to comply with privacy regulations like anyone else, and does.

Element, Session and SimpleX are the only sensible options if you want anonymity towards the provider as well as those you chat with, while also having strong end-to-end encryption.

Some comparison to help you choose and understand implications:

Session and SimpleX are using cryptographic identities as handles, making sure the network cannot MITM attack your connection. Element and Signal do not inherently protect against these attacks, but require additional verification, for example by you and the one you chat with scanning each others QR codes IRL.

Session, SimpleX and Signal promises to delete your activity data from their servers, such as messages sent and so, after a certain time. Element on the other hand never deletes your data. It is still fully end-to-end encrypted though, so cannot be read by them or anyone else that can get access to the data.

Session, SimpleX and Signal are all trying to hide metadata about your communication from the network operators, such as information about who you chat with. Element is not hiding this metadata from the home servers. This might be an issue, especially if you are not anonymous to the network operator.

Session and SimpleX are allowing sign-ups without providing any information at all. Element is allowing sign-ups with only providing an e-mail address or invite code, which can still preserve your anonymity, as long as you connect through Tor or a VPN when signing up. Signal on the other hand requires proof of your identity for sign-up, typically through verifying your phone number.

SimpleX allows you to have a different pseudonym and handle per chat. Element and Session both also allows you to have an anonymous pseudonym, but it will be the same one for all your chats, so might mean somewhat higher risk of deanonymization of all your activity if one of your chats gets deanonymized. Signal has up to recently only allowed using your real identity as a handle, your phone number, and all participants in chats you are in would see it. They have recently added support for setting a pseudonym, but this is not the default behavior.

Element and Signal are driven as non-profits using donations alone, like most reputable security and privacy focused projects are. On the other hand, Session is tied to a cryptocurrency, and SimpleX have intentions to also implement a revenue making method into their network. Neither is necessarily better or worse than the other, but the implications of tying the network to a profit and financial incentive is not well understood.

As far as I know, none of the networks pad the file size of attachments, which might reveal their identity. But all networks end-to-end encrypt file attachments in a secure way too, like the rest of the chat.

Usage of voice and video calls may not preserve your anonymity or privacy. It is recommended to disable that if you need anonymity and privacy. I know Element and Signal fully end-to-end encrypts voice and video calls in a secure way, I am less certain about Session and SimpleX. I know at least Element and Signal leak your IP address to the other party by default, I don't know if Session and SimpleX also suffers from this issue. I know in Element and Signal you can change the settings to hide your IP address from the other party. Sharing the IP address is likely not an issue if you use a VPN anyway.

Stewart

Use SimpleX, I don't think you need a phone number, avic Signal is the only recommended application.
Element/Matrix isn't that secure it seems to me and it's more of a replacement for Discord than SMS.

mmobder

Stewart
if you want your phone to last half of a day instead of a day - that's the best recommendation https://github.com/simplex-chat/simplex-chat/issues/5474

"Battery usage of SimpleX is around 61% while the phone is not in active use."

chinook

Probably SIgnal?

SimpleX / cwtch spat was interesting to follow: https://discuss.privacyguides.net/t/simplex-vs-cwtch-who-is-right/19256

I don't have strong opinion on any this. With my family I use Signal. Lots of sticker packs for younger family members :)
I used Session in the past but I kind of stopped after reading this (wasn't big thing, it was only with 2 people), and I use SimpleX a lot to share small things/information between my multiple profiles/devices/systems (it's really really convenient).

Element/Matrix isn't indeed considered secure (some reasons why)

cuckflared

There is a reply from Element:
https://element.io/blog/addressing-fear-uncertainty-and-doubt-thrown-at-element-and-matrix/

There is also some other criticism of Matrix/Element (and some criticism of SimpleX founder):
https://blog.cyrneko.eu/matrix-is-cooked

Stewart

cuckflared It is noticeable that the criticisms levelled at the founder of SimpleX stem from the fact that he has made anti-vaccine Covid comments, homophobic/transphobic comments and that he supports Donald TRUMP, no criticism concerning technology, in short criticisms that are more ideological than technical.

CueHD

I use Signal. I also think that SimpleX and XMPP are worth considering.

These comparison tables can be useful to help you make your decision:
https://www.messenger-matrix.de/messenger-matrix-en.html
https://eylenburg.github.io/im_comparison.htm
https://web.archive.org/web/20241223233714/https://www.freie-messenger.de/en/systemvergleich/
https://web.archive.org/web/20241223233714/https://www.freie-messenger.de/en/warumnicht/

cuckflared

Stewart That's correct. Regarding the tech, there is also a discussion (with SimpleX dev) on Privacy Guides regarding SimpleX vs Cwtch shortcomings:
https://discuss.privacyguides.net/t/simplex-vs-cwtch-who-is-right/19256/

I didn't follow it thoroughly. It's not possible for an average person to be 100% sure which project is superior or it would take too much time. And then it's difficult to convince friends to even use Signal, not to mention some more "niche" project.

raccoondad

Stewart ideological than technical

Ideological is the technological, when you use an online service you put trust in the service provider and ideology can effect how the service is ran and if you trust the person.

An example I believe majority would agree here, we believe user data should be given with active consent, not passive, yet Google believes user data can be given even with passive consent.

Hence, we don't trust Google user data and analytics collection, and GOS allows user data collection to be more active consent based.

This is why many tech projects tends to not touch politics unless its directly related to them, because doing so would open untrustworthiness. The ones that do usually are for political purposes and as such want to rally a like minded group (think riseup or truth social).

The writer of the blog seems to not trust a service provided by someone with such an ideological view. The simplex founder associated his beliefs with his project by being open about his beliefs, and people will make decisions on if they can trust him now with their user data.

All software works like this, because software is human at the end of the day. Same with online services.

There is also an aspect that as a service grows, and such services are used for political means, eventually you will be asked for implications as a service provider. That as well sort of 'forces' politics into software, even when you try to avoid it.

A good, but minor and non-controversial, example would be GOS and the conscription of one of their senior devs. Obviously GOS had to say something, and explain how it harmed the project, which inherently does say 'war harms people and community projects.'

Not the most thought provoking or controversial opinion ever, but it is political. I'm sure you can think of plenty of other examples, I obviously went with one that wouldn't cause any debate.

yooooh

cuckflared I didn't follow it thoroughly.

Here's what I found a good summary of the thread:
https://discuss.privacyguides.net/t/simplex-vs-cwtch-who-is-right/19256/112

Stewart

raccoondad For me, the most important thing is to remain rational and to keep things in perspective, despite the fact that the developer of SimpleX is homophobic/transphobic etc, it will always be more interesting for the LGBTQ community and all that follows behind to use SimpleX (if Signal didn't exist) in terms of security and privacy than to use Whatsapp, Telegram and others.

mmobder

Stewart btw, simplex is the app from russia

chinook

mmobder I don't observe that myself. I use Simplex (to quickly transfer small amounts of data/text/etc) between profiles and devices for quite a long time, and my _unused phone lasts up to two days, my used ones usually a full day.

cuckflared

yooooh Thanks!

Stewart

mmobder Your pro-Western reasoning is completely ridiculous, the most important thing is the end result, who cares if SimpleX is Russian, it's still recommended by the privacy communities, GOS included.
I'd remind you that we recommend a whole bunch of applications from the United States, which is the worst country in the world in terms of mass surveillance.

mmobder

Stewart
just to remind you - GOS sits on the product from google) from "worst country in the world in terms of mass surveillance.", so either you're delusional, or it doesn't adds up (there's a 3rd option - gos is a Google product;) but it's just ridiculous)
and yes, simplex as well as telegram are from russians

raccoondad

mmobder bro it was a one line comment 🙏😭

mmobder

chinook
What's your sync settings? do you have battery set to unrestricted to guarantee that msgs are received properly (like it works for Element X with ntfy without crazy battery drain)?
If you don't use it for real chat, but rather for artificial scenarios (why don't use https://github.com/VentralDigital/InterProfileSharing then?), then of course https://github.com/simplex-chat/simplex-chat/issues/5474 is not relevant. Otherwise, for real-world scenarios - battery is dead.

chinook

mmobder Hmmm, no, I don't have it unrestricted indeed, except for perhaps one app I don't care about the delay in delivery.

That might be the reason indeed, thanks.

mmobder

chinook
also, the simplex itself has Settings - Notifications - Notification service (when open, starts periodically, always on)
for me, proper notifications were working only having always on which drains battery as described in the github issue