
what do people think of matrix (the open standards end to end encrypted message platform)


michel_cryptadamus


less technical friend asked me recently whether this matrix.to (that's the URL) was legit so I was doing some research and the team seemed pretty legit. curious what people know about this platform. if it works as advertised it seems like a small step forward into the cypherpunk future.

also wondering about the various matrix clients - anyone have any recommendations or security concerns about any of them.

ps seemed like the first time I saw the term "web3" and it actually made some sense.


I think Matrix is great. It doesn't require a phone number, is federated, and e2ee. Popular with open source and pro-privacy communities. The main challenges are around UX - even Riot is simply not as polished to use as any mainstream chat client, and really hard to get people to use it at the moment. For instance you have to manage your own encryption keys to ensure you can decrypt past messages on new devices, because the server can't store the key for you.

On CryptoHack we offer both a Discord community and a Matrix mirror, but hardly anyone wants to use Matrix, they prefer Discord.

Edited by hyperreality

glad to hear confirmation because it looked pretty great to me based on the team and history. I also think I have dim memories of hearing about it years ago from some of my more rabidly pro-privacy friends which increased confidence.  

re: clients - I took a look at the Element client and it seemed at least alright? maybe not quite as flashy as slack or discord but not like miles off either. will check out Riot.


I know a few security communities use bridges for everything. They had an IRC/Discord/Matrix and bridged them all together so anyone can use any platform. But, I bet it would be a mess behind the scenes, plus you lose a lot of functionality for the chat clients. I think a lot of the trouble is getting adoption. Most people are not interested in e2ee as most people just assume that everything they have is already out there.

 


16 hours ago, michel_cryptadamus said:

less technical friend asked me recently whether this matrix.to (that's the URL) was legit so I was doing some research and the team seemed pretty legit. curious what people know about this platform. if it works as advertised it seems like a small step forward into the cypherpunk future.

also wondering about the various matrix clients - anyone have any recommendations or security concerns about any of them.

ps seemed like the first time I saw the term "web3" and it actually made some sense.

I've asked this question in several channels, including here, and good to see folks responding.  Some clients have limited functionality but Element (formerly Riot) and a spinoff SchildiChat have full features including the audio/video chat and audio chat messages.

I haven't created any bridges, though this project https://github.com/spantaleev/matrix-docker-ansible-deploy uses ansible to deploy the Matrix server and the many bridges and features, and options to keep the matrix server and bridges updated.

Getting access to past messages in an e2ee room is possible from a new device (client software) if you have the saved key.  Another method it uses is to exchange the keys from the one device you have access to the new device.  For example, if you join a room from the web device and then join from your mobile device, you can use the web access to verify the mobile device and exchange keys that way.


On 11/26/2022 at 2:31 PM, deleted said:

This always comes up in conversations about Matrix.  What does surprise me is that folks provide the links to the vulnerabilities but not that the most egregious vulnerabilities were fixed in collaboration with the researchers in the link above. https://matrix.org/blog/category/security. It also isn't mentioned that the folks who develop Matrix have been having independent audits of their software performed to help validate its crypto implementations.


  • 2 weeks later...
On 12/3/2022 at 3:47 PM, gnugro said:

This always comes up in conversations about Matrix.

Roughly akin to saying "don't use SSH because this heartbleed bug got fixed"

