• Dreeg Ocedam
      3 years ago

      > I think that we don’t have the same use cases.

      I do agree, I don’t really use direct messaging as a way to communicate with people I don’t know, it’s for friends and family, so people I already know IRL. Signal wasn’t designed with the goal of communicating with people you don’t know (because you are exposing your phone number). They are working on it though.

      > From what I understood, Signal e2ee protocol doesn’t scale with multiple devices per user as they rely on a single source of truth.

      What? You can have multiple devices for Signal (Phones + Desktop client) for the same account. Matrix uses the Signal protocol for its own encryption (as I said it is now the golden standard) so I don’t really get what you are talking about.

      > but I think that it should aim at providing a way to quickly deploy the service with minimal technical knowledge

      Good point, but Signal uses a lot of security measures that can’t be deployed trivially, I guess that their use of Intel’s SGX enclaves is a pain to set up. Matrix doesn’t use these security features. And even then, Synapse (Matrix’s official server) is known to be quite resource intensive. Also, relying on non-professionals to run instances can be a security risk, as instances are more likely to get hacked than Signal’s servers. For organisations, options like Matter/Rocket chat and Twake are cheaper to host and will be more end-user friendly.

      When it comes to authoritarian regimes, I’m not sure that decentralisation is actually the solution. Instances can be shut down, and how can you know which other instances are trustworthy? Decentralised protocols often leak a lot more metadata (at least that is the case for Signal vs Matrix vs Tox), so trusting your instance is important. Also, if you are using Matrix’s webclient, you have to trust that the server is sending you the right JavaScript, otherwise it could completely bypass the E2EE.

      When Encrypted Client Hello becomes standard, centralisation will be an advantage, as any website’s traffic hosted on a major cloud vendor will be indistinguishable from the rest of the traffic hosted by the same cloud provider, which will make it pretty much impossible to block. I’m pretty sure that Signal will be quick to deploy ECH when it is standardised, while many Matrix instances won’t.

      Both approaches have their merits and downsides, and both have talked about it:

      I suggest you read/watch both, as they make really good points. But for now, only one of those solutions reaches the goals of being usable by the masses, and does so while being praised by nearly every security researcher out there. Signal is FLOSS, is backed by a non-profit and a billionaire (Brian Acton, co-founder of WhatsApp) as well as donations. This leads me to believe that it won’t go to shit any time soon, unlike proprietary apps, so my choice is made. Sure, Signal doesn’t fit every use case, but it fits all the ones I need, and is evolving to fit the ones it doesn’t fit yet.