by kitkat_new 1603 days ago
> (1) there is no way to migrate to another homeserver (I gave up on Matrix after the third one went bust)

Partially true: while there isn't a protocol-defined way, you can invite your new account to your rooms, import your encryption keys, and leave the rooms with the old accounts.

> (2) the homeserver has (!) plaintext access to all traffic on it

hmm, isn't that unavoidable?

> (4) no effort at all to obscure metadata, who you communicate with and when.

There is effort on it, e.g. by going P2P and eliminating dedicated homeservers

> I don't know of any clients that let you manage separate identities at the same time

FluffyChat, Syphon, and others I don't know the names by heart

> Matrix defines a sort of end-to-end encryption, but the ends are homeservers and clients.

The ends are the sessions in a room. The homeserver is not an end. How did you get that impression?

> Lack of encryption-at-rest, wherever it is that messages live, seems like a stupendous implementation design flaw, and makes me question all the project's other choices.

Isn't encryption at rest usually done by the operating system?


>> (2) the homeserver has (!) plaintext access to all traffic on it

> hmm, isn't that unavoidable?

Not only is it avoidable, it’s not actually true AFAIU. It’s unfortunate (if historically justifiable) that Matrix has a non-E2EE mode, but the thing it brands as E2EE is actually deserving of the name, with messages accessible to clients only and the associated hurdles (you literally can’t get access to message history in encrypted chats from a new client on the same account unless you get one of your old clients to cross-sign, even if the homeserver will help mediate the prompt).

Matrix is not free of problems, but it does have federated, multi-party, multi-device, end-to-end encrypted chats with persistent history and forward secrecy. The underlying crypto goes by Megolm[1]. It’s slightly weaker[2] (in particular regarding backward secrecy) than the strictly two-party thing Signal does (however they brand it these days), but nowhere near the point of allowing the homeserver to eavesdrop.

[1] https://blog.jabberhead.tk/2019/03/10/a-look-at-matrix-orgs-...

[2] https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/me...

> Not only is it avoidable, it’s not actually true AFAIU.

Note that new features apparently come unencrypted, even in otherwise encrypted rooms. For example, reacting to messages with emoji sends the reaction non-E2E-encrypted for all home servers to see: https://news.ycombinator.com/item?id=29656282.

This is an accident of history and will eventually be corrected: https://github.com/matrix-org/matrix-doc/issues/2678.

It is certainly not intended that new features are unencrypted, but unfortunately sometimes it happens in order for features to get added sooner.

Some random comments: I'd say this is something that wouldn't have happened for Signal. The comment I linked didn't make it sound accidental. In the linked issue thread, they talk about aggregation done by the server, which means that the server would still be able to tell that person A, B and C reacted with the same emoji. That sounds like a lot of information leakage to me, e.g. for people who do votes via reactions.
Signal's and Matrix's position is quite different because Signal doesn't attempt to be a distributed eventually-consistent data store but simply a message transport. This is a trade-off which costs you some metadata leakage and is what leads to aggregations being a thing that is relevant for Matrix. It also gives you a lot of power, because you can now construct generic, distributed E2EE-enabled apps for "free".

That being said, there is still a lot of it that is up in the air. From what I've gathered, there's been talk about leaving aggregations to be done client-side specifically for reactions.
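As an added example (not code from this thread or from the Matrix project), the following Python simulates a homeserver's view of an encrypted room timeline, where message bodies arrive as opaque m.room.encrypted events but reactions arrive as plaintext m.reaction annotations, and performs the kind of server-side aggregation discussed above. The event shapes follow the Matrix client-server event format as the editor understands it; the event IDs, user IDs, session IDs and ciphertext are constructed sample data, and the "vote via reactions" tally is the editor's illustration of the leakage the comment describes.

```python
from collections import defaultdict

# Constructed sample timeline (hypothetical IDs, users and ciphertext) as a
# homeserver would store it. m.room.encrypted events carry only Megolm
# ciphertext plus routing metadata; m.reaction events are sent in the clear.
TIMELINE = [
    {"type": "m.room.encrypted", "event_id": "$msg1", "sender": "@alice:example.org",
     "content": {"algorithm": "m.megolm.v1.aes-sha2", "session_id": "sess-A",
                 "sender_key": "curve25519-pub-A", "ciphertext": "AwgAEnACgAkL..."}},
    {"type": "m.reaction", "event_id": "$r1", "sender": "@bob:example.org",
     "content": {"m.relates_to": {"rel_type": "m.annotation",
                                  "event_id": "$msg1", "key": "👍"}}},
    {"type": "m.reaction", "event_id": "$r2", "sender": "@carol:example.org",
     "content": {"m.relates_to": {"rel_type": "m.annotation",
                                  "event_id": "$msg1", "key": "👍"}}},
    {"type": "m.reaction", "event_id": "$r3", "sender": "@dave:example.org",
     "content": {"m.relates_to": {"rel_type": "m.annotation",
                                  "event_id": "$msg1", "key": "👎"}}},
    {"type": "m.room.encrypted", "event_id": "$msg2", "sender": "@bob:example.org",
     "content": {"algorithm": "m.megolm.v1.aes-sha2", "session_id": "sess-B",
                 "sender_key": "curve25519-pub-B", "ciphertext": "AwgBEnACgBkM..."}},
]


def is_opaque_to_server(event):
    """True when the event body is Megolm ciphertext the homeserver cannot read.
    The server still sees sender, event_id and session_id (metadata), but not the text."""
    return event["type"] == "m.room.encrypted"


def server_visible_metadata(event):
    """The fields a homeserver can read from any event, encrypted or not."""
    meta = {"event_id": event["event_id"], "sender": event["sender"], "type": event["type"]}
    if is_opaque_to_server(event):
        meta["session_id"] = event["content"]["session_id"]
    return meta


def aggregate_reactions(timeline):
    """Server-side aggregation of m.annotation relations, as a homeserver could do it
    without any decryption keys: target event -> reaction key -> sorted list of senders."""
    agg = defaultdict(lambda: defaultdict(set))
    for ev in timeline:
        if ev["type"] != "m.reaction":
            continue
        rel = ev["content"].get("m.relates_to", {})
        if rel.get("rel_type") != "m.annotation":
            continue
        agg[rel["event_id"]][rel["key"]].add(ev["sender"])
    return {target: {key: sorted(senders) for key, senders in keys.items()}
            for target, keys in agg.items()}


def tally_vote(timeline, target_event_id):
    """Treat reactions on one (encrypted) message as a vote and count them.
    The question itself is unreadable to the server; the answers are not."""
    per_key = aggregate_reactions(timeline).get(target_event_id, {})
    return {key: len(senders) for key, senders in per_key.items()}


if __name__ == "__main__":
    for ev in TIMELINE:
        print(server_visible_metadata(ev), "opaque" if is_opaque_to_server(ev) else "PLAINTEXT")
    print(aggregate_reactions(TIMELINE))
    print(tally_vote(TIMELINE, "$msg1"))
```

The point the simulation makes is that the leak is in the event, not in where aggregation happens: each m.reaction already names the sender, the target message and the reaction key in plaintext, so a homeserver (and every other homeserver in a federated room) can rebuild the vote tally whether or not it is the one doing the aggregating.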

> Note that new features apparently come unencrypted, even in otherwise encrypted rooms.

I checked that. While reactions are not encrypted indeed, a very recent feature - polls which are available in labs on Element Android - is encrypted.

I understood it as the traffic that is received by clients and other homeservers, whether it contains encrypted data or not.