this post was submitted on 02 Mar 2021
I never used Signal. I use P2P apps instead. I wonder why people still use centralized messengers. There's a lot of P2P messengers available. There's a few here
Because centralized messengers
Edit: Here are a few examples of what metadata Signal protects that Matrix doesn't:
This is definitely currently the case, and could be factual but I think the fundamental difference is minuscule. People are currently using QR codes or phone numbers to find each other (both supported by Matrix) and regularly use emails. You can probably argue that the @domain.example suffix to IDs is a hurdle to UX but I think it is incredibly minor.
So I hold out hope that UX of decentralized messengers will approach or surpass the centralized ones.
Maybe for "pure-P2P" but for services that still use servers this isn't the case. (Like Matrix, and IIUC there are XMPP extensions for using external push services that put battery usage on par with any of the centralized ones)
This is also only a concern for "pure-P2P" services. Furthermore many pure-P2P services have solutions to this via distributed buffers and logs. In fact for optimal privacy you don't want to directly connect to the recipient anyways.
Some of them. However some open-source ones have also been audited and have research done on them. I would love to see enough funding for some of the open-source messengers to get official audits.
Citation needed. To be fair, Signal is very good in this regard. However there are better decentralized options and worse centralized options. I don't think this claim can be applied to centralized or decentralized messengers in general.
I do agree with most of what you said here but here are a few things:
What I call centralized/federated are things like XMPP/Matrix, which require servers to function but are interoperable. What I call P2P are apps that don't need any servers (beside a few bootstrap nodes) to function like Tox. As you said, when it comes to battery, Matrix/XMPP work fine with push notifications, and users don't need their phones to be on all the time.
A lot of UX could be improved in Element, that is completely separate from the fact that it is federated. I have never used XMPP though. The #1 problem is that apps for federated services will always have to present you a screen "what instance are you using?", and ask you to do your own research to find a decent one, whereas centralised services can just create your account on the fly.
Can you share some sources for that? Last time I checked I failed to find any info on Matrix passing (or not) third party audits. If you have something about another decentralised protocol with audited implementations I'd be happy to have it.
That's fair, I was just lazy in my first post. I don't think it's impossible to develop a federated protocol that leaks very little metadata like Signal, but it would be a pain to get different client/server versions to handle it correctly. One aspect is also that with whatever metadata still leaks, you will have to trust two servers (receiving and sending) instead of just one.
Here are a few examples of what metadata Signal protects that Matrix doesn't:
There haven't been many, funding for it would be great. But at least some XMPP OTR implementations have been audited: https://www.eff.org/pages/secure-messaging-scorecard. But this isn't really different between centralized and decentralized, it is just individual. (And usually connected to how much money they have)
For sure. As I said Signal is a very good protocol. But not because it is centralized, just because it was designed to be very privacy friendly.
Also for what it is worth a lot of that group metadata can be undone because they have some idea who is sending and receiving the messages along with timing. Of course it is still better that they have the sealed sender and encrypted group data but it definitely isn't perfect.
And yes, Matrix does intentionally leave more of that in the open. Everything is tradeoffs.
citation needed. On the contrary, any network observer can perform a timing attack by correlating messages being exchanged to/from clients and servers. Having centralized servers only makes it easier.
Briar, on the other hand, is P2P and uses Tor as transport network making such attack way more difficult.
I edited the comment with citation.
Briar suffers from the problems I mentioned about P2P requiring more battery and not being able to use push notifications. It also has the worst UX of the lot, since you can't even begin communicating with someone without having a way to get them a cryptographic identifier/QR code. No way anyone but the most tech savvy will ever use it. Also, it's still not available on iOS.
To protect users' metadata including the type of application, protocol, and timing, push notifications cannot be used. Equally, direct connections to centralized servers are not suitable. That's a reason for Briar to use Tor.
The thread is about centralized vs decentralized. Availability on OSes, polished UIs and so on are beside the point.
Yes, you are obviously right. Who cares about the end user? /s
Oh ya "conveniency" again ! 😂😂😂
For 99% of the people that use messaging services, convenience is the number 1 priority.
Then you must teach them ethics. If you see that, it is in your hand try it, so it is a moral obligation.
Ya which is stupid
I hate that they downvoted you for pointing out facts. Convenience is slavery, the more you prefer it the lazier you become.
This is such a stupid take. Do you plant your food yourself? No, you buy your rice and potatoes washed without dirt on them?
Also your definition of lazy, lmao
If it is something in your hand and you don't make it, yes, you are being lazy (in the case here). If not, you are not lazy but a victim.
Lol I love how black and white you are XD Someone is either such a lazy loser it effectively lives on a couch and stares at the TV and does nothing else, or a self-sufficient superhuman who can satisfy all of its needs all by itself! XD You are totally right I'm a lazy POS for not planting my food, building my house, hunting other animals, using my imagination to satisfy my communication needs and walk everywhere. It's totally the exact same thing as people being too lazy to learn a couple irc commands and using other software for voice and video calls and using the spyware that is Discord instead :D I don't think I will present you arguments anymore, you wouldn't get it anyway, it's best to just ignore it :)
The metadata part is kinda valid, no?