Ask HN: Would you recommend such software in your org?
1 points by lukaszwojtow 1377 days ago
Hi, I'm wondering if I'm the only one that feels uneasy with MS Teams, Slack or Google Meets. I'm thinking of building an open-source communicator:

1. Zero-knowledge server for maximum privacy:
   - users have no passwords,
   - server doesn't know who the sender is,
   - server is unable to see message content
2. A client software where every message/call must be encrypted and sender/caller is verified.
3. Can be self-hosted or used as a SaaS offering.
4. No lock-in. Designed in such a way that migration to another server does not require cooperation from the current server's operator. Client software is server agnostic.
5. Fully open source (probably GPL).
6. No central authority that can disable an account or deny service. No global central point of failure.

Why would I want something like this over Matrix? Even assuming the two products reach the same levels of development.
Yeah, I looked at Matrix and it's really cool. But:
1. recent security problems make it a hard sell to my manager,
2. people behind Matrix don't seem to care about getting this in commercial usage.
What security problems? If you’re talking about https://matrix.org/blog/2022/08/31/security-releases-matrix-..., it’s not that exciting - it’s just a BAU security release; no reason for particular panic.

Meanwhile, https://element.io/matrix-services is the people behind Matrix caring about getting this in commercial usage.

No, this one: https://matrix.org/blog/2022/09/13/security-release-of-matri... Thanks for the link to EMS.
Sure, that's bad, but it's not "RCE via iMessage"-bad. The attacker would need to already have access to your homeserver, and be connected to successfully pull off the attack. If that's a concern for you, it's not hard to put Matrix behind a VPN.

This is the part where I'd compare it to the CVEs of other popular messaging apps, but most of them don't have the confidence to be this transparent with their audience. YMMV, but "rolling your own" groupware isn't going to be safer than using an alternative supported by two or more users.

The vuln in question here is: “an attacker could take over an IRC channel where a Matrix bridge is present by confusing the bridge into merging it with a different channel”.

It isn’t a bug in Matrix itself, or Matrix servers or clients, but an IRC-specific thing in that IRC bridge implementation. It’s obviously a nasty bug from an IRC perspective, but it really doesn’t feel like something that should stop you promoting Matrix. It feels a bit like we are being penalised for being transparent on publicising security issues…