[jeroenhd]

Matrix allows for unencrypted messages so it's inherently less encrypted than Signal. The federation capability also means messages leak metadata. Furthermore, encrypted messages also contain some metadata in the unencrypted envelope. Some protocol features (emoji reactions) also ended up outside of the encrypted envelope because of that. It's a risk with any protocol that has encryption bolted on and optional.

On the other hand, you can host your own Matrix server and still participate in the network, whereas Signal will have you convince your friends and family to install a custom Signal client if you want to run your own Signal server, for instance because you don't want to rely on Amazon's servers (Signal was down when Amazon went down this morning).

Signal sacrifices network openness for encryption capabilities.

There's also the MLS/MIMI side of things, but AFAIK that work hasn't been completed yet (MIMI isn't even a full RFC yet).

Element/Matrix, with some modifications, has been chosen as the messenger of choice by the French government (Tchap) as well as the German military (BwMessenger, BundesMessenger) and healthcare (TI-Messenger).

[fsflover]

> Matrix allows for unencrypted messages so it's inherently less encrypted than Signal.

But that logic, Matrix is less encrypted than Whatsapp, too, which is a crazy thing to say.

> The federation capability also means messages leak metadata.

It's the opposite: The centralized architecture means that there is a single target server to attack for the metadata. With decentralization, you can't easily scale up your attack to all users.

[jeroenhd]

> But that logic, Matrix is less encrypted than Whatsapp, too, which is a crazy thing to say.

From a protocol perspective, it is. Without an open-source WhatsApp client and independent protocol security analysis, it's hard to judge the effectiveness of the encryption, of course.

> means that there is a single target server to attack for the metadata

Signal does not collect or provide much metadata. It has IP:port mappings, for sure, and keeps track of when a user last checked in, but the protocol itself is extremely well-suited to resist analysis.

A lot of information Matrix provides you for "free" once you break the HTTPS tunnel needs advanced analysis to get it out of Signal. Signal's protocol security is really impressive, I don't think there's anything comparable out there.

[tptacek]

It's not a crazy thing to say. It's a complicated question.

[nxor]

Somewhat related - Can someone explain this to me? France and Germany want to lessen dependence on American organizations, so they choose Matrix, also an American organization.

[jeroenhd]

Matrix, the organisation, takes care of the open source side of things.

BwMessenger is a partnership with "ELEMENT SOFTWARE SARL" (according to https://messenger.bwi.de/datenschutz), the French entity of the commercial side of the people originally behind the open Matrix ecosystem (https://element.io/legal/company-information). I'm not sure why the French entity is doing business with the Germans as Element also has a German entity, but either way the American side is not the one doing the work.

For the American entity, a lot (most?) of the work that's not from unrelated open source contributors seems to be coming in from either EU countries or the UK.

[nxor]

Thank you, it looks like my assumption was wrong

[Arathorn]

Matrix isn’t US at all; it’s a UK Non Profit.

Element is also UK headquartered, albeit with French/German/US subsidiaries when selling to those respective governments. BWI buy via France because when we started working with them we didn’t have a German legal entity yet.

[nxor]

It appears to have been started by Americans: https://en.wikipedia.org/wiki/Matrix_(protocol), https://en.wikipedia.org/wiki/Amdocs

Who perhaps chose the UK in an effort to distance themselves from the US

As I said, I see now my assumption was wrong

[tguvot]

Amdocs is actually Israeli company

[jazzyjackson]

Signal and any kind of Slack SaaS: US infrastructure, US law around data governance. Matrix (and Zulip, for that matter, and mattermost too) encourage self-hosting on your own infrastructure, or at least in-country, even if the upstream security patches are coming from US developers.

[nxor]

Thank you, that helps me understand it better

Oh, and as everyone has said. Only some of the developers are from the US

[dijit]

If it's open source (and libre software) then it's not as important where the main development offices are (or where the company is incorporated). You still have control.

Seems like the majority of the team are in the EU anyway: https://matrix.org/foundation/about/

[nxor]

Thank you, and I see it's registered in the UK. I think it started in the US? Well, not like it's relevant anymore. And can you answer this question: If everyone has secure chat, then won't that benefit criminal organizations? I struggle to understand the love for private communication when it seems like that would benefit, for example, religious sects and sex abuse rings. NOT that I like that Zuckerborg keeping all my messages.

[dijit]

> If everyone has secure chat, then won't that benefit criminal organizations? I struggle to understand the love for private communication when it seems like that would benefit, for example, religious sects and sex abuse rings. NOT that I like that Zuckerborg keeping all my messages.

Yes, sort of.

The thing is, the government is already not permitted to wiretap people, at least without reasonable suspicion.

Wiretaps themselves are not admissible in court, and can only be offered as a mechanism to correlate behaviour anyway. At least in the UK. (Which, is ironic when you consider what's going on there with online speech, but I digress).

Factually speaking, in order to do a crime you have to physically do a crime, the police knowing when and where do not require access to your communications to figure out. They will sting people, get people to turn on other people or simply catch red-handed when doing ordinary police work.

If we legitimately believe what the governments of the world are saying: that we need to embolden the police. Then funding them properly is the right start, yet nobody seems to be doing that. The EU has been making cross border communication easier though, which is in-line with emboldening the police, so I'll give them that.

Having more information will do very little to help, for the same reason that phone taps aren't given out freely (and never have been) - because even if you have the data, you have to choose how to act on it, and you'd need the resources to investigate and follow-through.

There is a distinct irony that unencrypted SMS is more secure than online messengers, because there are legal protections.

[nxor]

Funding police outweighs the benefit organized crime may get from communicating securely ?

[jcynix]

So you think that if normal people aren't allowed to use encryption that would hinder organized crime to use encryption? :-0

[dijit]

Very much so.

[bigstrat2003]

> If everyone has secure chat, then won't that benefit criminal organizations?

Probably. But criminal organizations also benefit from having electricity, or cars, or a million other things that we all would be much worse off if we didn't have them. Just because something benefits criminal organizations as a side effect is not really a reason to not do it for the benefit of ordinary citizens.

[nxor]

My point wasn't that we should or shouldn't have it. I just get the impression that the same people calling for privacy will be highly outraged the next time, for example, an Austin Wolf (gay porn 'star' who used Telegram to share thousands of files showing abuse of children) situation arises, or it's inevitably revealed that religious sect xyz coordinated over it. Europeans trash talk Telegram (and that is fine), but somehow Matrix is different? How?

[bigstrat2003]

Oh I don't think it's different at all in that respect. I think that many people are very ignorant about the inherent double-edged sword that is freedom, and think that it's possible to deny it to only bad people. On top of that, many people don't particularly value private communications, considering it to be a theoretical issue that doesn't affect them. So yeah there will certainly be outrage in cases like you mentioned.

[heinrich5991]

Telegram isn't end-to-end encrypted btw, so when law enforcement asks for data, Telegram actually has it.

[detaro]

Freedoms tend to also benefit criminals, yes. That's kind of unavoidable.

[nxor]

Then crime will increase

[fsflover]

See also: https://support.torproject.org/abuse/#abuse_what-about-crimi...

[JadedBlueEyes]

the Matrix foundation is a UK company.

[jonesjohnson]

so what? all the specification and all the code is open.