this post was submitted on 19 Jul 2025
224 points (94.1% liked)
Technology
72988 readers
2640 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
The protocol is bloated to hell so third-party clients stand no chance, and the foundation spends more time bikeshedding or pissing away money than they do developing. It's a doomed project.
You can interact with Matrix server through basic curl commands... and I thought the documentation was pretty good. There are plenty of third-party clients.
Sure, E2EE, keys and cross-signing is not trivial, but I don't know where it is.
I didn't imply that you can't strip the protocol down to its bare essentials and still use it, but what's the point of a protocol if everyone is on their own personalized version of it? Version / Feature fragmentation is a massive problem and basically none of the third party clients are up to snuff. Synapse is a massive bowl of lukewarm dog water, and most alternatives to it die in a year because it's impossible to keep up. There's too much shit in the protocol.
So what's left? Jabber?
Slrpnk hosts an XMPP/Jabber for our users, mods and admins to communicate. Its worked pretty darn well for the past couple years, with very low resource needs.
The clients are pretty slick now too, such as Cheogram or Monocles for mobile, and movim is an excellent web app with support for group calls.
I'd certainly recommend it over Matrix/element.
I wouldn't call either of those, or any other XMPP clients "slick" and it's my biggest complaint about the protocol.
Not to mention you can run a server on anything pretty much and for surprisingly big amount of users. Toaster or potatoes will do just fine.
What's the protection in the clients assuming compromised infrastructure, like e.g. in https://notes.valdikss.org.ru/jabber.ru-mitm/ ?
Significant improvements to certificate pinning and validation have been added to all major XMPP clients as a result of this incident, but it should also be clear that hosting a server on infrastructure under control by an antagonist government (see also Signal) is a very bad idea and hard to mitigate against.
Signal is under control by the government? 🤔
Their server infrastructure is (run by Pentagon and NSA best buddies AWS).
And that means the government controls it?
The infrastructure is under control of an antagonistic government, yes. Hetzner is also technically a private company, but they obviously willingly complied with requests from the German government.
And what are the implications of that control? It doesn't mean they can access anything on it. Especially not data that doesn't exist.
They have live access to all of the metadata and can easily correlate that with phone numbers that Signal stores and shares on request of governments. Just because Signal claims they don't store anything doesn't mean that the ones that 100% run all the servers Signal uses don't access and store anything. You are being extremely naive if you believe Signals BS marketing.
I'd love to see the evidence you have for this.
I don't believe in marketing. I believe in open source code, security audits, and the entirety of the privacy and security community.
Look, if you run the server you have access to metadata of clients connecting to it. That is networking 101. And that Signal shares phone numbers and connection timestamps is well established by court documents.
The security audits are of the code and encryption algorithm, not the infrastructure.
So you don't have any evidence.
They do not share phone numbers. Phone numbers are the identifier, meaning if anyone wants the timestamps, they need to have it already.
The only timestamps shared are when they signed up and when they last connected. This is well established by court documents that Signal themselves share publicly.
I don't need evidence for water being wet 🤷
I can observe that water is wet. I cannot observe that the NSA is collecting mountains of metadata from Signal servers.
You can observe that your Signal client connects to IPs that belong to AWS, which is the same thing.
LOL no it's not.
Signal doesn't suffer anything worse than DoS if a hostile party controls the central service. That's its point and role. It's based on the assumption that such hostile parties as governments don't like DoS'ing central services, they prefer to be invisible.
For other points and roles other solutions exist. One can't make an application covering them all, that never happens.
Briar again (I've finally read on it and installed it, and I love how it works and also the authors' plans on the future possibilities based on the same protocols, but not for IM, say, there's an article discussing possibility of RPC over those, which, for example, can give us something like the Web ; I mean, those plans are ambitious and if I want them to succeed so much, I should look for ways to defeat my executive dysfunction and distractions and learn Java). Except it would be cool if it allowed to toss data over untrusted parties, say, now if two Briar users in the same group are not in each other's range, but there's a third Briar user not in that group between them, their group won't synchronize (provided they don't have Internet connectivity). If one could allow allocating some space for such piggybacked data, or create some mesh routing functionality, then it would become a bit cooler.
You are very naive if you think that is all the US government can do in regards to Signal, but suit yourself 🤷
Anything that's been proven/confirmed?
OK, so what else in your opinion can it do?
A lot, but please educate yourself, this topic has been extensively discussed here and in other places.
Thanks for the advice.
This is noise, not an argument.
I dunno what's the purpose of this comment. I asked for specific things, not for noise.
Whenever anybody on the internet tells you to educate yourself, but refuses to provide the information they allude to, they're lying. They know they're lying.
Signal has issues, like SVR.. which are worth discussing on their own without this weird vague eliteism
Yes, I know that.
Especially the "this has been discussed before" thing, I dunno about other countries and cultures, but in Russia this is the most common obnoxious shit people without arguments and thinking they have authority use.
Yeah it's like appealing to authority and social pressure all in one. We already discussed it. Bah.
End to end encryption between clients (also for groups) seems to partly address the issue of a bad server. As for self-hosting, any rented or cloud sevices are very vulnerable to an evil maid. So either in-house hosting or locked cages with tamper-proof hardware remain an option.
I'm afraid that's quite outside my field of expertise. I can only report how my experience on XMPP has been as a user, though perhaps @poVoq@slrpnk.net, who hosts it, may be able to weigh in on that. Edit: ah, I see you already have 😄
Though from my untrained eye, it seems that Jabber.ru was compromised due to not enabling a particular feature on their server
And it seems that hosting it externally on paid hosting service (hetzner and linode) left them particularly vulnerable to this attack, and tgat it could've been mitigated by self hosting the XMPP locally, as well as activating that feature.
Back to IRC we go...
It is entirely insecure.
Not when the entirety of your conversations are jargon and in-jokes!
/s
Define secure. You can run your own network.
xmpp isn't.
(Ok I get xmpp alone is but every modern client supports the same two encryption methods so judge for yourself)
Depends what your goal is. Revolt seems pretty cool, but I don't think it has any kind of encryption. It is based in Europe, though, so it gets GDPR protection, and it's open source, so it could be forked to fit other needs and uses.
No, Revolt checks neither of my boxes unfortunately.
What about delta?