I have replaced Hangouts, WhatsApp and Messenger front-ends on my phone and laptop with Element. I have been running the Matrix bridges for each[1] and am donating monthly to the creator. It's worth it.
So far the "network effects" have been coincidental: one small group of colleagues registered on matrix.org after one more colleague from our small circle turned out to have a home server. There are 7-ish of us now, 2 with their home servers (myself and the "other colleague"), and 5 with accounts on matrix.org.
To go "native", I see one lacking point with discoverability: I don't know of a way to discover my "contacts" whether they use Matrix without asking them first. Which is not true in any other messaging apps I have tried: Signal and WhatsApp use my address book and their phone numbers, Messenger is tied to my "friends". However, although Matrix allows entering phone and e-mail identifiers, I haven't seen an easy way to "find" them. Any pointers?
Overall, Synapse is easy to install and run. Took about two evenings to configure synapse + 3 bridges (whatsapp, messenger, hangouts).
I just installed element messenger on mobile and it asked for my contact list to find other matrix users, so it appears there is progress on that front.
(I said no, because for my current needs I don't wanna share any contacts with anyone.)
Identity servers are currently not federated so everyone needs to use the same one if they want to be able to find each other. That's why no one is talking about hosting their own.
For anyone wondering how it compares to Signal privacy wise:
Signal works with a contact list, for private 1 to 1 and private groups. You need a phone number to use it, and they claim to encrypt almost all metadata, such as message senders. Signal claims they cannot read the content nor the history of users' actions (but you have to trust them on that, they claim to use SGX enclave stuff, but can anyone technically verify that they do what they say they are doing?)
Element works with rooms, there is no contact list. A 1 to 1 conversation is a room with 2 people. The homeserver Matrix.org stores all metadata and they are readable (metadata are not private/not encrypted) by Matrix for some features to work. You only need a nickname to use it (at least for now). The content of conversations is e2e encrypted. In theory, I understand it would be possible for a matrix server to delete any metadata/messages once messages are delivered, but some features would not work, and you would also have to trust the server to actually delete the metadata.
Would be happy to read anyone who could correct or complete me.
Matrix: Every home server involved in the chat stores the message, and messages on matrix are therefore most considered permanent.
As matrix is federated, every user can be on their own homeserver, which will be storing a copy of all messages seen by that user.
E2E is more recent and optional. Most rooms are not E2E, and have browsable history.
Signal: Only E2E, with clients themselves storing the only copy of messages. You can only see messages that a device has received.
Any app you did not write/review and compile requires trusting the author, so this is not a Signal-specific concern. A crypto app can always store and send keys to a server if it wanted.
However, unlike WhatsApp, these apps are open source and can be reviewed and compiled if you so desire.
> Most rooms are not E2E, and have browsable history.
Not sure how this is meaningful especially without further context. A large number of rooms on matrix are public channels to begin with (eg bridged rooms from irc, open source collaboration channels, etc), so they have no need for e2e encryption. All this is really saying is that E2EE is optional, which you already said (and which I'd also argue is probably irrelevant, especially given that E2EE is on by default).
I doubt that most rooms are not E2EE. People usually have more private conversations than public ones.
Private rooms are the default and they default to E2EE.
The main difference is that you can choose your own homeserver and communicate with users on other homeservers which makes the Matrix protocol decentralized or at least distributed. So when I'm @redsolver:matrix.org, I can still chat with @bob:example.com just like with other distributed systems like email.
Element looks like more of a hassle, especially for non tech savvy users in my family circle. I'm trying to get them to move to Signal from WhatsApp / FB Messenger.
Out of curiosity, why Signal and not Telegram? I don't know details about either, just that Telegram seems more popular with reportedly a better UI for non-technical people.
Apart from Telegram now having E2E encryption by default, it also invents its own weird and unverified encryption instead of using a more peer-reviewed and robust method. Signal's encryption tech has some strong guarantees and advanced the state-of-the-art when it first appeared.
Worth noting that Matrix's crypto is also based on Signal's algorithm (but extended to support efficient encryption in rooms with a large number of participants).
> Apart from Telegram now having E2E encryption by default, it also invents its own weird and unverified encryption
I was confused since the tone of that sentence sounded weird (Apart from <positive>, it also <negative>), but I think it's a typo - I believe you meant to type "Apart from Telegram not having E2E encryption by default"?
For the most part I think the fears over their crypto are overblown. But their behaviour over the years and not being secure by default means people shouldn't be using it just on principle.
Signal's double ratchet algorithm is easily the gold standard for now and there's little reason for anyone pushing a E2EE privacy narrative to not be using it.
It's sad that Signal has a horrible Desktop Client and isn't much to look at because the security and privacy features are good, if you disregard the forced cell phone number.
Sure, Signal is simpler, but Matrix isn't harder than configuring a new email account on a free provider, and you still get the option of setting up your own if you want to use your own domain name.
And I hate that Signal's identity is linked to a phone number.
I also have mine set up though without a default_policy so I can have the server forget stuff in my bot control rooms cause they get cluttered with useless stuff pretty fast.
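The kind of setup this comment describes, sketched as an added example (not the commenter's actual configuration and not taken from the thread): a Synapse `homeserver.yaml` retention block with no `default_policy`, so only rooms that carry their own `m.room.retention` state event are purged. All durations and intervals are assumed values.

```yaml
# homeserver.yaml (Synapse) -- constructed example; every duration is an assumption.
retention:
  # Enable message retention. While this is false, m.room.retention
  # state events set in rooms are not acted on by this server.
  enabled: true

  # No default_policy on purpose: rooms without their own retention
  # policy keep their history. A server-wide default would look like
  # the commented block below and would apply to every such room.
  # default_policy:
  #   min_lifetime: 1d
  #   max_lifetime: 1y

  # Bounds applied to the lifetime a room's own policy asks for, so a
  # room admin cannot request something shorter or longer than this.
  allowed_lifetime_min: 1d
  allowed_lifetime_max: 1y

  # How often the purge jobs run, split by how long the rooms' policies
  # keep messages: short-lived rooms are swept more often.
  purge_jobs:
    - longest_max_lifetime: 3d
      interval: 12h
    - shortest_max_lifetime: 3d
      interval: 1d

# Per-room opt-in (for example a noisy bot control room): a room admin
# sends a state event of type m.room.retention with content such as
#   {"max_lifetime": 86400000}    # milliseconds, here one day
```

Purging under this configuration happens only on the homeserver that runs it; other homeservers participating in a federated room keep their own copies unless they apply a retention policy themselves.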
"Comms app" isn't exactly what I expect to be 'atomic', or 'simple', either. Aaand "Element Matrix Services"? bitch, please... XD
'Element' is so un-cybery, feels dated. First association is Bam Margera and teenage skateboard consumer culture. The uncool one, lacking punk rock and attitude. Such a 2000s word.
Anyway, naming things is hard and annoying, so I am glad they found something _they_ like <3
IIRC, I saw in a discussion somewhere that most of the math related names are already taken, and Vector was moved off of for search rankings or some such thing.
Been using Element for a while now (since back when it was called Riot). So far so good. I managed to convince a few friends to switch over from Hangouts and Signal. There's even a Rust Weechat plugin for Matrix, the underlying protocol. Would love to hear feedback if anyone tried it.
I'm surprised Matrix is on the front page as much as it is. I mean, it's cool tech, and I use it myself, but it really seems like it's up there every other day.
It's probably on the front page because of the Prosody post that is on the front page. Matrix is on the front page because it's really the only open protocol that has a chance of gaining non-technical users.
I run a matrix server, which has been nothing but a constant pain. My friends that use it can also use my ircv3 server or xmpp server that I run that use no resources and take up none of my time with maintenance. They do not. The only thing I've run that they like better so far is mattermost. I don't like the open core though. Matrix, xmpp and irc are backed by ldap which is impossible with mattermost.
I remember I spent about 10 minutes looking into setting up my own Matrix server. Seemed like a good day of work, and then I would still need to figure out how to support media uploads and E2E.
The real kicker is that having the data on my own server is certainly nice, but I just don't think it's less likely to be exposed while I'm holding it vs someone else. I remember when everyone had a self-hosted WordPress blog. Eventually you'd get tired of applying patches every 2 weeks and instantly get added to a bot farm. No thank you.
To be fair installing synapse is fairly easy. Media uploads and e2e should "just work". When I recently changed the VPS I was running it on I set up synapse from scratch in about 15 minutes. Of course I have set up synapse many times.
If they're people who want a web client you can look at mod_conversejs: https://modules.prosody.im/mod_conversejs - but it is not as comprehensive a web client as Element, in my opinion.
Well I was running it on a 2GB VPS, I have since November switched to a 4GB VPS, no issues since then but it's still early days. I haven't benchmarked either VPS, the 2GB I had a single dedicated CPU core, some 3.5+ GHz Xeon. I didn't check what my CPU allotment was on the new VPS, it was a $65 a year Black Friday thing. Moderation is not an issue, I only have 5 users other than myself.
I saw your comment and considered posting a facetious comment about how you would need 80TB of ram and at least twice as much disk space.... but that would add nothing to the discussion.
I am using postgresql now. That is not a silver bullet for anything though. I switched to postgresql early on (when I first started using matrix I think synapse only supported sqlite?) and I've had less disk space & memory trouble using sqlite than I have postgresql.
Of course I was using sqlite when there weren't nearly as many users as there are today or when I had federation disabled.
People are migrating en masse from WhatsApp to Signal and Telegram. I am pretty sure it's ruffling some feathers considering the vocal people defending and promoting Matrix and federation in every Signal thread and considering this informal poll: https://news.ycombinator.com/item?id=25669864
- Telegram: 806 points
- Zom: 3 points
- Viber: 15 points
- Threema: 69 points
- Signal: 1699 points
- Discord: 102 points
- Matrix (added after 25 mins): 374 points
Last I read speculations were that Signal had something like 10 million users/downloads and Matrix 25 million users (take that with a boulder of salt).
Cool. Now get 5 friends of yours to join you in a crypted room with each using a phone and then a browser, wait two days, get back to it and manage all the insecure session notices.
Beware, they removed the warning from the android client though. It confused people.
That is only the case when you have verified your friends' keys (by QR code or emoji string).
When one of your friends' accounts is hijacked and has someone snooping on messages, you'd want to know that.
Though I see it might be confusing at first for users to understand that they have to sign their devices. Currently, you have to log in with a username/password and afterwards (optionally) get one of your other devices to sign your new device. Which the UI does clearly ask you to do though.
I'm using Element very sparsely, but keep getting annoyed by it. I did not care to touch any settings. I have a persistent tab in my browser and it keeps having the notification dot for silly reasons:
- My connection flaked out (duh, I closed the laptop lid).
- Connection for one of my contacts flaked out (?!).
- Something in the signatures changed.
I get how any of that might be a sign of compromise. But I really don't care, I don't use this for anything sensitive. And with only about 20% of notifications being about an actual message, I've developed a blindness towards it.
Edit: having written that, I've noticed it is not doing this right now. Come to think of it, it might have stopped a while ago and I simply didn't notice (c.f. developed blindness).
No, no, no. I have been toying with my own Matrix instance and I registered 2 users that I played with, exchanging pictures and messages. There were some glitches in the UI that insisted on flagging some sessions as insecure even though I verified every session.
Sometimes it got resolved all on its own, sometimes it stayed like that. No biggie in the end but you can find some bug reports like that on github. Most probably it's getting worked out or was but it definitely happened.
Downloaded client on Windows. Fine. Installed fine.
Hit the button to make an account, everything went fine. It sent a verification email. I clicked the link. It said "something" was wrong with my setup. I JUST installed it, with the default options.
On a hunch, I went back to the client, and was able to log in. The failure message was entirely spurious. If I hadn't been tech savvy I likely would have been scared off and not bothered, assuming it was just broken.
Did they? I was reading conflicting info. Some were saying that the EU was “excluded” from the change... (not sure how the distinction is made precisely)
Both EU users and non-EU users are required to accept new terms of service or lose access in a month, but the EU terms don't have most of the data-sharing bits that would be likely to violate the GDPR.
Probably the gold rush for decentralized, censorship-resistant platforms for the Right to jump to.
This is bad for any mainstream ambitions by the Matrix team. If it becomes the next Gab/Parler, normal people will avoid being associated with it. I know this association would absolutely sink my friends exploring the platform further while we're exploring alternatives for when Google Hangouts is decommissioned.
> I know this association would absolutely sink my friends exploring the platform further while we're exploring alternatives for when Google Hangouts is decommissioned.
Should there be such rooms (that still fall short of being removed for "abuse") you're not forced to join them. No different than you not joining Google Hangouts full of people you'd rather not talk to.
Chat systems like IRC/Element don't force you to join and speak with anyone you don't want to unlike social media sites which try to have literally everyone in the same pool.
If your standard is "people I don't like are able to use this service" you will find no service that will have 0% of said people.
You may as well say, "There's nothing wrong with Gab/Parler/Voat as long as you stay away from the political discussions". It doesn't matter. Your technical and logical distinctions are minor and irrelevant to most people compared to an overwhelmingly negative reputation.
> You may as well say, "There's nothing wrong with Gab/Parler/Voat as long as you stay away from the political discussions".
It's just a fundamentally different system than what you're comparing it to and has many well established communities that aren't what you appear to be alluding to.
> It doesn't matter. Your technical and logical distinctions are minor and irrelevant to most people compared to an overwhelmingly negative reputation.
Are there any major situations involving matrix that you can point to?
I'm not aware of any major issues and just because it's not one of the major social media platforms (arguably not even social media depending on your definition) doesn't mean it's inherently bad.
> It's just a fundamentally different system than what you're comparing it to and has many well established communities that aren't what you appear to be alluding to.
You may as well be telling me how wonderful BitTorrent is for downloading Linux ISOs and to ignore that whole The Pirate Bay thing.
> You may as well be telling me how wonderful BitTorrent is for downloading Linux ISOs and to ignore that whole The Pirate Bay thing.
The hash checks help validate that the ISO file is properly intact and not corrupted in transit and the peer to peer nature keeps speeds high by distributing the load between multiple peers.
I don't see people avoiding using phones even though neo-Nazis, criminals, redheads and people with sexual preferences radically different from theirs use them constantly.
Matrix is not a platform, it's a protocol and some implementation software developed in the open.
Has the headline “(extremist group) use / flock to WhatsApp to plan (nefarious thing)” ever dissuaded someone from installing WhatsApp? Probably, but it got popular anyway.
You mean in a few years there'll be only 3 or 4 free mail providers with e2e disabled for convenience[0] and data broker objectives (as a means to pay for the service) and only a selected few can federate (because hey, spam or something)?
Like Mastodon, Matrix has it built-in in its principles that a federated instance can prevent being contacted from another (this is the whitelist setting). Feel free to correct me, I am not 100% sure.
So, it’s important to get this right. In reputational effects, like this one, we don’t care about
P(I use this | I’m a bad person)
because, like you point out, this obscures cases, like breathing air, where P(I use this) is already high. Instead, we care about
P(I’m a bad person | I use this)
And we especially care if this conditional probability is perceived to be high. This is because then your potential users will worry that if they use your product, others will make the (justified!) Bayesian inference that they are bad people. Because they don’t want to be seen to be bad people, they will avoid it.
Considering the substantial and increasing government/military usage of Matrix, I don't think this is a realistic scenario, but I guess only time can tell.
Big fan of SchildiChat on Android! It's Element but with patches to give it extra optional features like chat bubbles and an (experimental) mode which hides 'complex' features nontechnical users might find confusing.
Worth noting: the app and the underlying protocol are protected against unilateral removal or blocking decisions from different app stores or cloud providers.
I guess with the openness of the source code, the multiple clients available, and the ability to host your own instance (Synapse) it would be kinda hard to make it completely inaccessible.
Maybe. Not very good PR when matrix.org is having massive performance issues all the time.
What fascinates me the most about Matrix is that an org could set up their own federation bubble. Like a big game company would set up a new Synapse instance for each studio they purchase and just federate them all together for a sort of DIY MS Teams alternative.
I am using this as I move from Google Chat (Hangouts). Convincing friends to move over is the hard thing, but the fact that they have a web interface is key in convincing them to switch, compared to competitors.
I have been experimenting with Element for some time. I made accounts for myself and family members on the German host privacytools.io. (I since learned Debian operates two distinct homeservers, on social.debian.org, but cannot tell which is for what.)
The UX is pretty good, but certain oddities stand out.
1. When visiting rooms, it spends a very great amount of time displaying a spinner instead of postings. It displays a banner offering to scroll back to the last read posting, but forgets that you have already seen later ones. It often displays a banner indicating some bot is operating, but no indication what it is for, or any way to control it or find out more.
2. Messages in the scrollback for private rooms are very often replaced with a note, "cannot get key"; and sometimes appear again, much later.
3. Element advertises an ability to conduct audio and video calls, but I have not succeeded in getting the other end to ring, in recent months.
4. There are supposed to be gateways available to direct Signal and SMS traffic to/from one's Matrix client, but I did not succeed in getting them to work--probably just because their documentation was wholly inadequate.
I spent quite a few months on a subscription to Purism's LibremOne homeserver, but abandoned it when it became clear they had no intention ever to maintain it.
I have not been able to determine whether 1, 2, or 3 above are the fault of my homeserver, or matrix.org, or the protocol.
A Matrix client should be able to work in multiple accounts / homeservers at once, as is done with e-mail clients, but I don't know of any that can.
It seems like it should be possible to run a homeserver on local equipment, tunneling to ports on a cheap VPS, but I have not found anything suggesting how.
I tried the iOS client yesterday but could not log in (to a well-known third-party server) and the app just did not work at all. The error stayed on the login screen no matter what I tried, and it did not offer any debug info or help, and I just couldn't get past it.
I've been developing software for 20 years so I know something about buggy software and different stages of completeness so I usually give open source projects more slack but after 30 minutes I just gave up and uninstalled the app.
I really hope these kinds of projects get more funding and wind behind them to get a bit more mature so there would be serious alternatives for the likes of WhatsApp.
Depends on what server implementation you're going to go for.
Synapse is the reference implementation currently, but also the most resource hungry. For 100k users I would be looking at 24gb RAM and 256GB+ storage space. Along with multiple cores.
If you don't need as many features, then you can try Dendrite which can have 5x to 10x less resource usage than Synapse.
I’d be surprised if 24gb is sufficient for 100k users. Back when they switched Synapse to Python3, they showed a graph where the matrix.org homeserver had something like 8-10 syncotron processes consuming 8-10gb each.
You would need a serious dedicated server if it was possible at all. Matrix as a protocol is excessively resource hungry, there’s a reason the default matrix.org server runs like treacle.
The reference implementation (Synapse) is written in Python. There's a next-gen golang server in development called Dendrite and also Conduit, which is written in Rust. Both of those are expected to have better performance.
It was probably a good idea to rebrand from Riot to Element after this week's deadly violence at the US Capitol. It's difficult for me to imagine endeavoring to protect tribal, potentially violent rhetoric given recent historical events. It seems short-sighted to sell a water poisoning solution to people who don't mind destroying themselves to attack their perceived opponents.
It's ambiguous, but they might not have been implying it occurred after the Capitol event but rather that the idea itself has proven to be a good one especially after such events.
[1]: https://matrix.org/bridges/