Search is essentially broken and completely useless. If I’m mistaken, maybe someone might chime in and explain how I can make it work. But right now, the only way to search for messages is to export them and search in the text file.
Unencrypted room search should Just Work for unencrypted rooms (it uses postgres FTS under the hood).
Encrypted room search should also Just Work... but only on Element Desktop (which uses tantivy to do clientside search). We are in the process of porting this to Element X (and Element Web), but after an initial spike over the summer we're waiting for either funding or manpower to finish it.
If that's true, it sounds terrible, and reason enough to not consider it at all. So much of the work in big organizations is about just searching for past conversations when a similar issue had been discussed... Search must be flawless.
Then you should use proprietary solutions. Open source solutions are written by developers for themselves. They are not writing it for you. They have no reason to write them for you. You are not paying them. It is a labor of love they are doing for themselves.
Yet as a bonus they are offering it to you for free as a gift with the hope that if it doesn't work for you, you can improve it or hire someone who can.
If you only care about consuming open source but not contributing, by all means you should buy proprietary solutions.
This is a subthread of "I wonder why matrix isn't more widespread at this point". When people reply why it doesn't work for them, that's not time for "you didn't say thank you".
> "They are not writing it for you."
From matrix.org[1]: 'The values we follow are: Accessibility rather than elitism. Empathy rather than contrariness.' ... 'act as a neutral custodian for Matrix ... for the greater benefit of the whole ecosystem, not benefiting or privileging any single player or subset of players. For clarity: the Matrix ecosystem is defined as anyone who uses the Matrix protocol. This includes (non-exhaustively): End-users of Matrix clients. Anyone using Matrix for data communications'
> "They have no reason to write them for you."
How are Matrix/Element going to get anywhere with their mission to replace proprietary chat networks if they don't write their new one for millions of ordinary people to be willing to use?
There is no need to get into an online argument with the developers. The open source software is still offered to you as a gift. You can modify it however you need and keep it for yourself.
The developers developed the open source software for themselves. Doesn't work for you? Too bad. But they are not going to develop it for you. Definitely not, when you are not paying them.
If it doesn't work for you, you shouldn't think, "Oh, I need to get into an online argument with the developers." Here's what you do.
1. Develop the fix/feature you need for yourself. If you cannot do it yourself, hire someone who can.
2. Send a pull request to the developers. But don't expect them to merge it. Remember they developed their stuff for themselves. You developed your stuff for yourself. If they merge, great. If they don't merge, you've still got your stuff for yourself.
3. If they don't merge your stuff, you could maintain a fork. Yes, it's a pain to keep your fork updated but you need to do your own work. Nobody else will do your work for you.
If all this is too difficult for you, why even consider open source? Just use proprietary software.
I truly don't understand the self-entitled HN comments that think for some strange reason that someone else should give you a software for free and then do all the work for you.
I use Teams all the time (although not because it is what I'd choose..).
Mostly just completely free tier, although I do have O365.
On the free tier I think the main restriction is the 60 minute limit on groups > 2?
Don't get me wrong, MS are almost as bad as Google in segregating their chat/video call/conferencing offerings, and even if you did know the names last week, they've probably changed them this week.
I publish a Firefox plugin and needed help a few years ago. Not to get too far down that rabbit hole, but they suddenly blocked my plugin because they couldn't build my source code, even though the issue with their build environment was pretty obvious. Anyways, I had to use their Matrix support channel and they recommended Element. I was immensely frustrated with how buggy the experience was, and it turned me off from ever trying it again.
For hosting it you really have to go through some trial-and-error before it works as you'd like, and most self-hosting enthusiasts have a pretty short span of said enthusiasm.
For users it's easier, but there are some idiosyncrasies in terminology and concepts.
There are docs but they really would benefit from human editing to become fully useful.
Synapse in particular has a problem of existing in two places on GitHub, and the one which is obsolete somehow comes first in searches, and appears in AI responses constantly. Which I guess shoots quite a lot of first tries in their steps.
For me the issue that prevented me from really using matrix is that none of the big clients support multiple servers. As a non enterprise user, this has prevented me from seriously adopting it several times.
The UX has many rough edges especially in the default element apps. UX was the primary reason my university department passed on switching to matrix from slack so far.
- lots of places kind of Teams by default
- or Slack or Discord, even WhatsApp
- or in intensive cases, things like Refinitiv, Bloomberg, and Symphony, which is kind of federated, but adds all the automation and also governance stuff needed for 100MM trades via IM and the like.
It's a bit shit at being WhatsApp. Slow, buggy, and feature-poor. The unique selling points are very compelling, but only for a small niche. Fortunately for Matrix, that niche includes a lot of places with big budgets, but it does not include consumers.
Matrix is controlled by a single company Riot.im/Element.io who decides what the protocol is now. Element.io's income stream is hosting these extremely fat synapse servers for government. It doesn't really care about anything else. The Matrix Foundation has abdicated from its role as of a couple years back. And generally synapse servers' RAM and storage requirements grow and grow and grow, with no effective mechanism to trim the DB, until it requires hundreds of GB of ram just to idle and it starts becoming very expensive and infeasible for non-government/corpo pocket books to pay for.
For human people, for small social groups, Matrix in the form of the controlling Synapse server is infeasible over any period longer than a few years. See: https://news.ycombinator.com/item?id=46376201 and the reports there or just ask around. I know Afternet gave up Matrix because of this despite really liking the features too, https://afternet.org/help/matrix
* calls you when their favorite blog doesn't "load"
* every password they've ever had is "password1"
Now you want to tell them to "download this new app, generate a private key, store it as a backup somewhere. When you get a new phone, you need to re-import it"
I assume the government installations are integrating it with LDAP/AD or at least they should. I've integrated a few chat platforms with LDAP. This assumes both chat and LDAP/AD are logging to a SIEM for the auditors.
Matrix is an unserious project and the client ecosystem is a train wreck. The server ecosystem is not much better. The Element people, who are kind of the default Matrix people because as far as I can tell they are the only people getting paid, will tell you that this is because a bunch of IT integrator companies unjustly profit off of the open source work by selling services to European companies but contributing none back to either Element or other open source Matrix projects.
The first issue I'd like to address is that one: as a small business, I tried to purchase software from Element and was told that I was not large enough to justify their time. Fair enough, I only wanted a 200 seat license and I was willing to pay per seat, but I guess they really want the high value contracts if they have a limited sales team. However, it is a bit much to go from that experience to their justification about the structure of their project. Maybe they should think about taking some sales opportunities that present themselves?
Then there are branding and release decisions around the clients that Element makes. There are two projects in the client space from Element: a client called Element, and a client called Element X. Element X is the newer one. Element (do you see how this is getting confusing yet) is simultaneously at different times an Electron desktop app, a mobile app, and a web app. Element X is becoming all of those things but the feature parity is not even between them. Element supports "legacy" Jitsi for voice and video calling while Element X supports newer Element call - which is different from legacy Element, Element call is a webRTC implementation native to the Matrix ecosystem while the "legacy" Jitsi is a way to send clients a URL for Jitsi calls and have them shell out to another app to actually implement the call. Fair enough. However, the desktop Element X client does not yet support new Element call but the "old" Element client does support both "legacy" Jitsi and new Element call. And the Element X mobile app cannot call the old Element mobile app - but I think the other way around can. Even getting your head around this as an IT person is confusing.
To add insult to injury the new Element X app on mobile is in some ways a downgrade because they integrated the cloud vendor push notification services into the app, so even though you have "sovereign" and "self-hosted" infrastructure you're still, on a good day, leaking meta-data about your chats back through to the people you were trying to decouple yourself from anyway. You can run your own push notification services for this mostly if you want and all your mobile clients are Android but like, why.
Then, there's desktop client usability. During account setup, Element/Matrix makes a big ceremony out of establishing your cryptographic identity. Perfect. And as part of that you write down a 10-ish something word passphrase that is a recovery sequence for said identity. Perfect. Then some network hiccup happens that disturbs the Element client like some kind of prey animal and it spontaneously logs you out. You log back in, but there are no fields or options visible to use that recovery passphrase to restore your cryptographic identity. Your only option is to reset your identity, which makes all prior chats you have had unreadable. That part at least makes sense but why have this recovery story if it is not tested or usable in the app? This is probably an Element thing but in my research I have not found a client that people say is more robust, though at this point I'm open to trying.
It's also possible that the way most people use this is as a web app, which is to be fair more robust. It does seem worse from a security point of view to have one central web server dealing in most of your users plain text, though. At that point, why not use Mattermost? I guess they're even more hostile to their users/customers, for some reason.
Finally, there's the server ecosystem. The thing that is frustrating to me here is the interplay between Synapse, Matrix Authentication Service (MAS), and OIDC. This, as far as I can tell, is all intentionally hostile to drive you into Element's commercial product offering. Which I find especially galling because they won't sell you their commercial offering anyway, so you're going to have to figure it out for yourself. Synapse has some legacy support for OIDC which you are going to need to enable for backwards compatibility. However, for forwards compatibility with Element X, you are going to need MAS. Synapse is a large, mature Python project. MAS is a single Rust binary which is simultaneously a server and CLI to do user management. You'll need both configured against your OIDC provider. Why didn't the new OIDC features just get integrated into Synapse?
I think that a lot of this is an outcome of the fact that Element is very literally in a "the old world is dying and the new world struggles to be born" situation at this time. I do have a lot of sympathy for being in the position of having huge companies - especially companies as annoying as IT outsourcing and integration - make a line of business out of configuring and installing your open source software. However, I have to say, having spent some of my professional life now also configuring and installing this open source software, I understand why those IT outsourcing companies have a moat. If the open source software was easier to install and use, perhaps those companies would have less of a moat. It seems to me that at least some of the story from Element is that if they make the ecosystem harder to use and understand, then people will take their money and the business will survive. However, in my experience, they won't take your money anyway.
> To add insult to injury the new Element X app on mobile is in some ways a downgrade because they integrated the cloud vendor push notification services into the app, so even though you have "sovereign" and "self-hosted" infrastructure you're still, on a good day, leaking meta-data about your chats back through to the people you were trying to decouple yourself from anyway. You can run your own push notification services for this mostly if you want and all your mobile clients are Android but like, why.
Probably because this is literally the only way to make notifications work reliably on mass market Android and iOS devices? It is no different from Signal or any other secure messenger on the market. Decoupling from these platforms is a story for another day.
I think their main issue is that they seem to have no one who is seriously looking at the Matrix ecosystem from a product perspective. You have all of these pieces of technology in various states of maturity that more or less fit together if you know what you are doing. But there is also a lot of friction and a lot of things breaking on a regular basis etc.
What the project needs is someone who looks at it from a customer perspective and who can direct resources to make sure the entire thing is packaged as one consistent thing that does what the customer needs.
If you install WA or Signal, or if you sign up to Slack, you don't have to wonder which home server you should install and which of a dozen or so available clients you should use and what features are not yet production ready. Instead, it just works.
I think a product focus does exist: Element seems to be a genuine attempt to fully assemble Matrix as one full project. The problem is that it feels like the Element devs are stuck wanting to have their cake and eat it too.
There's some design choices in Matrix that don't really "fit" with what modern messaging infrastructure looks like. (Which to summarize it pretty quickly is a Slack/Discord-esque model, where non-sysadmin users get to fully administer their own spaces, with an expectation for multiple different channels, control over user permissions and user access and so on and so forth.)
Some of these come from the fact that Matrix is pretty blatantly just designed as "what if IRC, but slightly more modern". Its main unit for non-sysadmin moderation is a single channel, with the expectation that one instance of Matrix will never have two channels named #general (as an example). Similarly, it's entirely possible to kick users from a channel... but then have that exact same channel continue independently on a different instance, but under a different label. This makes sense if you look at it as "supercharged IRC", but becomes a complete and utter mess when you factor in things like the encryption between two servers suddenly disagreeing with each other (leading to a bunch of old messages becoming unreadable), content moderation (barely an issue on IRC because message retention is expected to be almost entirely clientside) and so on and so forth.
Element/synapse's people do try to provide for these cases, but you're effectively stuck trying to prod at admin API endpoints, bots to synchronize moderation decisions and they have like 3 different "channel grouping" that's supposed to be their version of the Slack workspace/Discord guild model.
Honestly though, I'm pretty sure that once XMPP gets a proper multi-user multi-channel XEP going (there's one in draft right now which specifically tries to provide workspace-esque support; it's possible to do this already but it's a sysadmin XEP, the proposal aims to give this capability to regular users), it'll just end up blowing Matrix out of the water entirely for most usecases. Unlike Matrix, it's a far more mature protocol that's a lot easier to work with and actually has many different implementations that you can choose from.
The thing about hosting was the same conclusion I drew when I looked into this. I’ve stood up a lot of daemons in my time, and Matrix’s difficulty level is so far outside the norm that… it’s got to be on purpose, right? If it’s not on purpose, man, that’s also worrisome.
I was on a team that evaluated moving a significant portion of a product that should be used for government/healthcare onto Matrix. There were several drawbacks that made us NOT go this route:
- Olm/Megolm does not offer forward secrecy for group messaging
- Olm/Megolm does ensure end-to-end encryption for message data, but not for metadata.
- Federation makes it challenging to be GDPR compliant
- Synapse is very heavy, other implementations are less production ready
- For better or worse, the matrix foundation is under UK jurisdiction.
I'm sure I forget some of the nuance, but these were some of the major points. However, there are several government entities in Germany, France, Poland, etc, that can live with the limitations and DO self-host Matrix servers.
I won't go into the pair of high-severity vulns in 2025 (and the somewhat difficult mitigation) because that could hit anyone.
> Olm/Megolm does not offer forward secrecy for group messaging
Megolm does provide forward secrecy - just in blocks of messages. If a message key gets stolen, an attacker could decrypt subsequent messages from that sending device until the next session begins: by default this happens either after 100 msgs have been sent, a week has elapsed, or if the room membership changes. Most folks consider this to be adequate perfect secrecy.
In terms of the Matrix Fdn being incorporated in the UK… I guess that means one shouldn’t use the Internet, given IETF is US incorporated? :)
Re. security of old keys/sessions/messages after compromise of some current state (i.e. notions like forward security):
Do Matrix clients still keep the oldest version of the Megolm ratchet they have ever received? When I last looked (around 2024), the libraries maintained by the Matrix.org core team did.
This means that, while Megolm has a ratchet that can be used to provide forward security, no Matrix implementation that I am aware of does this. This seems to me to be because other features of the Matrix specification rely on continued access to these old keys (like Megolm key backups and history sharing).
Re. security of new keys/sessions/messages after compromise of some current state (i.e. notions like post-compromise security, future secrecy):
My understanding is that, while a _sender_ will rotate Megolm sessions every 100 or so messages, recipients tend not to: clients will accept ciphertexts sent from those old sessions for an indefinite period of time. Again, I haven't been following developments in the Matrix world for a little while, so please correct me if I'm wrong.
This seems (to me) to be for similar reasons to the above: recipients keep around the recipient sessions so they can be backed up and shared with new devices (for history sharing). But (!) Matrix could get way better authentication guarantees if they just _disabled accepting messages_ from these old sessions at the same schedule as the sender stops using them.
--
These are not unreasonable compromises (there aren't too many attempts to square this circle, and most that I'm aware of are quite academic) but it's worth making clear that just because Olm/Megolm/the Matrix spec have particular features, it doesn't mean they are used properly to give the security guarantees we would naively expect from their composition. At least, this is the case for almost all Matrix clients that I'm aware of.
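The two points in the exchange above (a stolen ratchet state exposes later messages in the same session, and a client that retains the earliest state it received exposes the earlier ones too) can be shown with a toy ratchet. This is an added example, not code from the thread or from any Matrix library: it uses a simplified single-part HMAC ratchet rather than the real Megolm construction, and `InboundSession`, `readable_after_compromise` and the seed are hypothetical names and constructed values.

```python
import hashlib
import hmac

# Sender rotation defaults quoted in the thread: 100 messages or one week.
MAX_MESSAGES = 100
MAX_AGE_SECONDS = 7 * 24 * 3600


def advance(state: bytes) -> bytes:
    """One-way step: the next state is cheap to compute, the previous is not."""
    return hmac.new(state, b"ratchet-advance", hashlib.sha256).digest()


def message_key(state: bytes) -> bytes:
    """Derive the per-message key from the ratchet state at that index."""
    return hmac.new(state, b"message-key", hashlib.sha256).digest()


class InboundSession:
    """Recipient's copy of one sender session (simplified, assumed model)."""

    def __init__(self, state: bytes, index: int, created_at: int,
                 keep_earliest: bool):
        self.state = state              # ratchet state at self.index
        self.index = index
        self.created_at = created_at
        self.keep_earliest = keep_earliest

    def key_for(self, index: int):
        """Return the key for message `index`, or None if not derivable."""
        if index < self.index:
            return None                 # would require inverting the HMAC
        state = self.state
        for _ in range(index - self.index):
            state = advance(state)
        if not self.keep_earliest:
            # Forward-secure mode: drop the state used for this message.
            # The cost is that older or out-of-order messages, backups and
            # history sharing can no longer be served from this session.
            self.state, self.index = advance(state), index + 1
        return message_key(state)

    def accepts(self, index: int, now: int) -> bool:
        """Recipient-side mirror of the sender's rotation limits."""
        within_count = index < MAX_MESSAGES
        within_age = now - self.created_at <= MAX_AGE_SECONDS
        return within_count and within_age


def readable_after_compromise(keep_earliest: bool, received: int = 5,
                              total: int = 10) -> list:
    """Message indices decryptable from the state stored on the device
    after `received` messages of a `total`-message session were processed."""
    seed = hashlib.sha256(b"constructed session seed").digest()

    # Sender side: the true key for every message in the session.
    sender_keys, state = [], seed
    for _ in range(total):
        sender_keys.append(message_key(state))
        state = advance(state)

    session = InboundSession(seed, 0, created_at=0,
                             keep_earliest=keep_earliest)
    for i in range(received):
        if session.key_for(i) != sender_keys[i]:
            raise RuntimeError("ratchet desynchronised")

    # Compromise: whatever state is stored on the device is copied out.
    stolen = InboundSession(session.state, session.index, created_at=0,
                            keep_earliest=True)
    return [i for i in range(total) if stolen.key_for(i) == sender_keys[i]]


if __name__ == "__main__":
    print("earliest state kept :", readable_after_compromise(True))
    print("state advanced/erased:", readable_after_compromise(False))
```

In the model, a client that keeps the earliest state gives up the whole session on compromise, while one that advances and erases gives up only the messages not yet received; `accepts` is the recipient-side cut-off the comment suggests.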
> In terms of the Matrix Fdn being incorporated in the UK… I guess that means one shouldn’t use the Internet, given IETF is US incorporated? :)
The outputs of the IETF are RFCs. The Matrix foundation does more directly oversee the "de-facto" Matrix, so has more influence, could bow to government pressure or changing laws, etc. etc.
The cryptography is sound, however, it's also frequently changing, in addition to straying from standards more or less. This makes it difficult to give a firm answer.
This ETH (i.e. Zurich) paper[0] identified several exploitable vulnerabilities (bad), which were quickly addressed by delta chat (good).
So overall, I'd see it as a good messenger, but with downsides.
I deleted my matrix account after I received some very nasty spam in the form of an Element Android notification. I think it wasn't Matrix's direct fault, but as I used some Matrix chat groups and the list of members was public... But I got really alarmed and angry when I received such disgusting spam.
I wonder why matrix isn't more widespread at this point. It's open, it's e2ee, it works, it has client lib for integration with any tool..
What makes it not more popular? Is it the federated approach? The client applications that don't look really fancy?
When me and a bunch of friends and acquaintances switched away from Slack a little under a year ago (I think) we looked into Matrix. One of the primary requirements was that even our non-technical friends should be able to use it.
At the time Matrix/Element had recently launched their Matrix 2.0 efforts and I tried setting up the whole stack without resorting to their all in one shell-script meant for non-production use. I did not mind hosting four different servers (Synapse, Matrix Auth Service (MAS), Call, etc), but did find the integration and config job a bit tedious. The main blocker though was the lack of an invite-system in the new Matrix Auth Server. Also the fact that the Element X app uses a new Livekit based call server while other clients/apps use a different approach is also something not great.
We ended up going for Mattermost. One service easily hosted with Docker. One app, and easy invites. While I think federation would be cool, right now Mattermost was a bit simpler to get up and running.
Element seems more focused on enterprise and government contracts than self-hosters. I think this is fine, they need to pay their bills. But Matrix 2.0 for self-hosters might need a better story right now.
When we first announced Matrix 2.0 implementations in Sept 2024 we made a major error by not providing an easy distro, so I feel your pain.
We fast-followed with https://github.com/element-hq/ess-helm as a really easy distribution (albeit using helm charts) based on the paid offering we provide for folks for NATO and the UN and folks. It really is trivial to install now - e.g. here's a live-install from FOSDEM last weekend: https://youtu.be/EngsGD30Ow0?t=929
Meanwhile if you're allergic to k8s I went and published a trivial docker-compose at https://github.com/element-hq/element-docker-demo/ too.
I am a daily user, family and friends chatting on Matrix.
My take is that there are two layers of friction:
a) people that care about chat encryption and would be willing to change, already did, to Telegram and/or Signal. "I'm not going to install yet another chat app" is a real answer by a friend of mine
b) no one wants to either host their own server, nor pay someone to host it for them. If it wasn't for me and one of my friends, none of the people I chat with daily would be on Matrix.
And yes, there is the matrix.org server. Out of the ~13 people I chat frequently with, 1 is on matrix.org. "What's the point of changing apps if I'm still going to be using the centralized server" is another answer I've gotten.
I don't know what the solution to this dynamic is other than us, the power users, setting it up and paying for the group of people around us.
> no one wants to either host their own server, nor pay someone to host it for them.
I hear this every time anyone brings up a federated chat/social media/anything service, and I just don't get it. If you don't want to host it, don't. There are plenty of servers out there, and a lot of them are free. Yeah, you have to trust the person hosting it, but why is that only a problem for federated services?
> a) people that care about chat encryption and would be willing to change, already did, to Telegram and/or Signal.
It continues to baffle me that the "telegram is encrypted" spin is still widely believed, even on a forum like this. Telegram is for 99.9% of intents and purposes not encrypted.
And even when you do enable encryption of the chat contents, the unencrypted metadata is often enough for security services to make a suspect out of you. Granted, this is mostly a concern for Russian and Belarusian users.
> “I’m not going to install yet another chat app”
This is legitimate.
I have to use:
- iMessage & SMS for most US based family, casual friends and co workers.
- WhatsApp for European Family
- Signal for one group of friends
- Telegram for another group of friends
Every time I message someone I have to remember what app to use. It’s annoying. This in addition to random threads that pick up with the same people on instagram, discord, etc., which I try to redirect to our “standard” channel as aggressively as I can.
The relevant xkcd is Chat Systems https://xkcd.com/1810/
What about maintaining encryption for an entire room of clients? I heard it's very difficult and prone to errors. Do you enforce it?
I use matrix. Every chat room I use is unencrypted and all have at least one matrix.org user. I assume it can be encrypted but the usability is such that in practice it's cleartext.
Compared to Telegram, it feels like using a laggy MSN Messenger. The experience, both client and server-wise, just feels very unpolished. It's no single big thing, it's more like death by a thousand cuts.
I was bullish on Matrix because it's so extensible, but in the end I realized that only the default client experience matters as that's the one everyone will be using. And it just isn't there yet. In the end, all the group chats I was in migrated to Discord or Telegram, so I had no more reason to use it...
We explicitly built Element X to be competitive with Telegram's UX - I'm guessing that the feedback here is on the crusty old Element Classic app, which hasn't been touched for 3 years now, and definitely did feel like a laggy MSN by comparison.
Meanwhile Element X feels really really good - especially on iOS, but also Android has improved loads in the last few months (after tweaking the rustc ARM compilation flags properly, doh)
I ran a server for a while a couple (maybe a couple of couples) of years ago, and client devices periodically disconnected and had to be re-setup / re-authenticated from scratch, losing the chat history and being a general hassle. It happened often enough that I got jack of it.
I like the idea, a lot, but the implementation at the time annoyed me away from it. I just don't have time / motivation at the moment to have another go. We ended up on Discord for family communication and it works well. I know Discord is on the lower end of 'one of the bad guys', but for the same reason I don't re-setup Matrix I don't move off Discord. At least it's not WhatsApp...
I did try to get them onto Signal, but I don't think Signal did group chat back then - which means it must have been before 2020.
Search is essentially broken and completely useless. If I’m mistaken, maybe someone might chime in and explain how I can make it work. But right now, the only way to search for messages is to export them and search in the text file.
Unencrypted room search should Just Work for unencrypted rooms (it uses postgres FTS under the hood).
Encrypted room search should also Just Work... but only on Element Desktop (which uses tantivy to do clientside search). We are in the process of porting this to Element X (and Element Web), but after an initial spike over the summer we're waiting for either funding or manpower to finish it.
If that's true, it sounds terrible, and a reason enough to not consider it at all. So much of the work in big organizations is about just searching for past conversations when a similar issue had been discussed... Search must be flawless.
It’s open source right? You know what to do ;)
This is the fastest way to get people to say "I hate proprietary solutions but at least they work"
Then you should use proprietary solutions. Open source solutions are written by developers for themselves. They are not writing it for you. They have no reason to write them for you. You are not paying them. It is a labor of love they are doing for themselves.
Yet as a bonus they are offering it to you for free as a gift with the hope that if it doesn't work for you, you can improve it or hire someone who can.
If you only care about consuming open source but not contributing, by all means you should buy proprietary solutions.
This is a subthread of "I wonder why matrix isn't more widespread at this point". When people reply why it doesn't work for them, that's not time for "you didn't say thank you".
> "They are not writing it for you."
From matrix.org[1]: 'The values we follow are: Accessibility rather than elitism. Empathy rather than contrariness.' ... 'act as a neutral custodian for Matrix ... for the greater benefit of the whole ecosystem, not benefiting or privileging any single player or subset of players. For clarity: the Matrix ecosystem is defined as anyone who uses the Matrix protocol. This includes (non-exhaustively): End-users of Matrix clients. Anyone using Matrix for data communications'
> "They have no reason to write them for you."
How are Matrix/Element going to get anywhere with their mission to replace proprietary chat networks if they don't write their new one for millions of ordinary people to be willing to use?
[1] https://matrix.org/foundation/about/
Get into an online argument with the developers about what is the right approach and which dependency is to blame?
There is no need to get into an online argument with the developers. The open source software is still offered to you as a gift. You can modify it however you need and keep it for yourself.
The developers developed the open source software for themselves. Doesn't work for you? Too bad. But they are not going to develop it for you. Definitely not, when you are not paying them.
If it doesn't work for you, you shouldn't think, "Oh, I need to get into an online argument with the developers." Here's what you do.
1. Develop the fix/feature you need for yourself. If you cannot do it yourself, hire someone who can.
2. Send a pull request to the developers. But don't expect them to merge it. Remember they developed their stuff for themselves. You developed your stuff for yourself. If they merge, great. If they don't merge, you've still got your stuff for yourself.
3. If they don't merge your stuff, you could maintain a fork. Yes, it's a pain to keep your fork updated but you need to do your own work. Nobody else will do your work for you.
If all this is too difficult for you, why even consider open source? Just use proprietary software.
I truly don't understand the self-entitled HN comments that think for some strange reason that someone else should give you a software for free and then do all the work for you.
You need to learn how to read sarcasm.
You need to learn https://en.wikipedia.org/wiki/Poe%27s_law
Enterprises get Teams for free with O365, or use Slack if they really care about the experience.
Most individuals don't care and use iMessage/WhatsApp. Those that do use Signal since it's dramatically easier.
Teams has not been free with O365 for years now.
I use Teams all the time (although not because it is what I'd choose..).
Mostly just completely free tier, although I do have O365.
On the free tier I think the main restriction is the 60 minute limit on groups > 2?
Don't get me wrong, MS are almost as bad as Google in segregating their chat/video call/conferencing offerings, and even if you did know the names last week, they've probably changed them this week.
I publish a Firefox plugin and needed help a few years ago. Not to get too far down that rabbit hole, but they suddenly blocked my plugin because they couldn't build my source code, even though the issue with their build environment was pretty obvious. Anyways, I had to use their Matrix support channel and they recommended Element. I was immensely frustrated with how buggy the experience was, and it turned me off from ever trying it again.
You’re not alone, their iOS apps have 3.4 and 3.6 star ratings. Anything below 4.0 isn’t good.
I’ve downloaded them, and neither has proper dark mode icons. Instant fail.
Matrix is not out-of-the-box thing.
For hosting it you really have to go through some trial-and-error before it works as you'd like, and most self-hosting enthusiasts have pretty short span of said enthusiasm.
For users it's easier, but there are some idiosyncrasies in terminology, and concepts.
There are docs but they really would benefit from human editing to become fully useful.
Synapse in particular has a problem of existing in two places on GitHub, and the one which is obsolete somehow comes first in searches, and appears in AI responses constantly. Which I guess shoots quite a lot of first tries in their steps.
For me the issue that prevented me from really using matrix is that none of the big clients support multiple servers. As a non enterprise user, this has prevented me from seriously adopting it several times.
Fluffychat does and I would argue is one of the big ones. It's however quite mobile optimized (basically more like WhatsApp, less like slack).
Element X finally has this on Android (in Labs) now. Web & iOS will follow.
I enjoy self hosting stuff with Docker. Matrix/synapse is one of the more difficult / PitA projects I’ve ever gotten up and running.
The UX has many rough edges especially in the default element apps. UX was the primary reason my university department passed on switching to matrix from slack so far.
I think it’s a few things
- lots of places kind of Teams by default
- or Slack or Discord, even WhatsApp
- or in intensive cases, things like Refinitiv, Bloomberg, and Symphony, which is kind of federated, but adds all the automation and also governance stuff needed for 100MM trades via IM and the like.
> governance stuff needed for 100MM trades via IM
We have come a long way from Yahoo messenger days.
https://www.reuters.com/article/technology/oil-traders-prepa...
Consensus. People like to follow what the majority does even if it's suboptimal.
not just like to follow, but are forced to follow.
It's a bit shit at being WhatsApp. Slow, buggy, and feature-poor. The unique selling points are very compelling, but only for a small niche. Fortunately for Matrix, that niche includes a lot of places with big budgets, but it does not include consumers.
I don't remember why but I had to download a separate notification app that pushed notis
Bloated server implementation with lack of alternatives and a complicated protocol.
Matrix is controlled by a single company Riot.im/Element.io who decides what the protocol is now. Element.io's income stream is hosting these extremely fat synapse servers for government. It doesn't really care about anything else. The Matrix Foundation has abdicated from its role as of a couple years back. And generally synapse servers' RAM and storage requirements grow and grow and grow, with no effective mechanism to trim the DB, until it requires hundreds of GB of ram just to idle and it starts becoming very expensive and infeasible for non-government/corpo pocket books to pay for.
For human people, for small social groups, Matrix in the form of the controlling Synapse server is infeasible over any period longer than a few years. See: https://news.ycombinator.com/item?id=46376201 and the reports there or just ask around. I know Afternet gave up Matrix because of this despite really liking the features too, https://afternet.org/help/matrix
tldr; the synapse server uses too many resources.
The UIs are terrible. I've tried it a few different times with friends and we gave up each time.
Imagine your parents:
* need to use size 18 font on their phone
* refer to the phone as "that fancy music player"
* calls you when their favorite blog doesn't "load"
* every password they've ever had is "password1"
Now you want to tell them to "download this new app, generate a private key, store it as a backup somewhere. When you get a new phone, you need to re-import it"
Good luck with that.
I assume the government installations are integrating it with LDAP/AD or at least they should. I've integrated a few chat platforms with LDAP. This assumes both chat and LDAP/AD are logging to a SIEM for the auditors.
The UK is the number one enemy of security and encryption. Did you read and compile all of the libraries and clients yourself?
Mostly the federated approach. Most people don't want to think about anything network related.
Element is ok as an app imho
Matrix is an unserious project and the client ecosystem is a train wreck. The server ecosystem is not much better. The Element people, who are kind of the default Matrix people because as far as I can tell are the only people getting paid, will tell you that this is because a bunch of IT integrator companies unjustly profit off of the open source work by selling services to European companies but contributing none back to either Element or other open source Matrix projects.
The first issue I'd like to address is that one: as a small business, I tried to purchase software from Element and was told that I was not large enough to justify their time. Fair enough, I only wanted a 200 seat license and I was willing to pay per seat, but I guess they really want the high value contracts if they have a limited sales team. However, it is a bit much to go from that experience to their justification about the structure of their project. Maybe they should think about taking some sales opportunities that present themselves?
Then there are branding and release decisions around the clients that Element makes. There are two projects in the client space from Element: a client called Element, and a client called Element X. Element X is the newer one. Element (do you see how this is getting confusing yet) is simultaneously at different times an Electron desktop app, a mobile app, and a web app. Element X is becoming all of those things but the feature parity is not even between them. Element supports "legacy" Jitsi for voice and video calling while Element X supports newer Element call - which is different from legacy Element, Element call is a webRTC implementation native to the Matrix ecosystem while the "legacy" Jitsi is a way to send clients a URL for Jitsi calls and have them shell out to another app to actually implement the call. Fair enough. However, the desktop Element X client does not yet support new Element call but the "old" Element client does support both "legacy" Jitsi and new Element call. And the Element X mobile app cannot call the old Element mobile app - but I think the other way around can. Even getting your head around this as an IT person is confusing.
To add insult to injury the new Element X app on mobile is in some ways a downgrade because they integrated the cloud vendor push notification services into the app, so even though you have "sovereign" and "self-hosted" infrastructure you're still, on a good day, leaking meta-data about your chats back through to the people you were trying to decouple yourself from anyway. You can run your own push notification services for this mostly if you want and all your mobile clients are Android but like, why.
Then, there's desktop client usability. During account setup, Element/Matrix makes a big ceremony out of establishing your cryptographic identity. Perfect. And as part of that you write down a 10-ish something word passphrase that is a recovery sequence for said identity. Perfect. Then some network hiccup happens that disturbs the Element client like some kind of prey animal and it spontaneously logs you out. You log back in, but there are no fields or options visible to use that recovery passphrase to restore your cryptographic identity. Your only option is to reset your identity, which makes all prior chats you have had unreadable. That part at least makes sense but why have this recovery story if it is not tested or usable in the app? This is probably an Element thing but in my research I have not found a client that people say is more robust, though at this point I'm open to trying.
It's also possible that the way most people use this is as a web app, which is to be fair more robust. It does seem worse from a security point of view to have one central web server dealing in most of your users plain text, though. At that point, why not use Mattermost? I guess they're even more hostile to their users/customers, for some reason.
Finally, there's the server ecosystem. The thing that is frustrating to me here is the interplay between Synapse, Matrix Authentication Service (MAS), and OIDC. This, as far as I can tell, is all intentionally hostile to drive you into Element's commercial product offering. Which I find especially galling because they won't sell you their commercial offering anyway, so you're going to have to figure it out for yourself. Synapse has some legacy support for OIDC which you are going to need to enable for backwards compatibility. However, for forwards compatibility with Element X, you are going to need MAS. Synapse is a large, mature Python project. MAS is a single Rust binary which is simultaneously a server and CLI to do user management. You'll need both configured against your OIDC provider. Why didn't the new OIDC features just get integrated into Synapse?
I think that a lot of this is an outcome of the fact that Element is very literally in a "the old world is dying and the new world struggles to be born" situation at this time. I do have a lot of sympathy for being in the position of having huge companies - especially companies as annoying as IT outsourcing and integration - make a line of business out of configuring and installing your open source software. However, I have to say, having spent some of my professional life now also configuring and installing this open source software, I understand why those IT outsourcing companies have a moat. If the open source software was easier to install and use, perhaps those companies would have less of a moat. It seems to me that at least some of the story from Element is that if they make the ecosystem harder to use and understand, then people will take their money and the business will survive. However, in my experience, they won't take your money anyway.
> To add insult to injury the new Element X app on mobile is in some ways a downgrade because they integrated the cloud vendor push notification services into the app, so even though you have "sovereign" and "self-hosted" infrastructure you're still, on a good day, leaking meta-data about your chats back through to the people you were trying to decouple yourself from anyway. You can run your own push notification services for this mostly if you want and all your mobile clients are Android but like, why.
Probably because this is literally the only way to make notifications work reliably on mass market Android and iOS devices? It is no different from Signal or any other secure messenger on the market. Decoupling from these platforms is a story for another day.
I think their main issue is that they seem to have no one who is seriously looking at the Matrix ecosystem from a product perspective. You have all of these pieces of technology in various states of maturity that more or less fit together if you know what you are doing. But there is also a lot of friction and a lot of things breaking on a regular basis etc.
What the project needs is someone who looks at it from a customer perspective and who can direct resources to make sure the entire thing is packaged as one consistent thing that does what the customer needs.
If you install WA or Signal, or if you sign up to Slack, you don't have to wonder which home server you should install and which of a dozen or so available clients you should use and what features are not yet production ready. Instead, it just works.
I think a product focus does exist: Element seems to be a genuine attempt to fully assemble Matrix as one full project. The problem is that it feels like the Element devs are stuck wanting to have their cake and eat it too.
There's some design choices in Matrix that don't really "fit" with what modern messaging infrastructure looks like. (Which to summarize it pretty quickly is a Slack/Discord-esque model, where non-sysadmin users get to fully administer their own spaces, with an expectation for multiple different channels, control over user permissions and user access and so on and so forth.)
Some of these come from the fact that Matrix is pretty blatantly just designed as "what if IRC, but slightly more modern". Its main unit for non-sysadmin moderation is a single channel, with the expectation that one instance of Matrix will never have two channels named #general (as an example). Similarly, it's entirely possible to kick users from a channel... but then have that exact same channel continue independently on a different instance, but under a different label. This makes sense if you look at it as "supercharged IRC", but becomes a complete and utter mess when you factor in things like the encryption between two servers suddenly disagreeing with each other (leading to a bunch of old messages becoming unreadable), content moderation (barely an issue on IRC because message retention is expected to be almost entirely clientside) and so on and so forth.
Element/synapse's people do try to provide for these cases, but you're effectively stuck trying to prod at admin API endpoints, bots to synchronize moderation decisions and they have like 3 different "channel grouping" that's supposed to be their version of the Slack workspace/Discord guild model.
Honestly though, I'm pretty sure that once XMPP gets a proper multi-user multi-channel XEP going (there's one in draft right now which specifically tries to provide workspace-esque support; it's possible to do this already but it's a sysadmin XEP, the proposal aims to give this capability to regular users), it'll just end up blowing Matrix out of the water entirely for most usecases. Unlike Matrix, it's a far more mature protocol that's a lot easier to work with and actually has many different implementations that you can choose from.
The thing about hosting was the same conclusion I drew when I looked into this. I’ve stood up a lot of daemons in my time, and Matrix’s difficulty level is so far outside the norm that… it’s got to be on purpose, right? If it’s not on purpose, man, that’s also worrisome.
Thank you, I was about to post a response similar to yours sans the "trying to buy licenses" part.
Yeah they told me to fuck off when I wanted to purchase Element One for server-side administration.
I was on a team that evaluated moving a significant portion of a product that should be used for government/healthcare onto Matrix. There were several drawbacks that made us NOT go this route:
- Olm/Megolm does not offer forward secrecy for group messaging
- Olm/Megolm does ensure end-to-end encryption for message data, but not for metadata.
- Federation makes it challenging to be GDPR compliant
- Synapse is very heavy, other implementations are less production ready
- For better or worse, the matrix foundation is under UK jurisdiction.
I'm sure I forget some of the nuance, but these were some of the major points. However, there are several government entities in Germany, France, Poland, etc, that can live with the limitations and DO self-host Matrix servers.
I won't go into the pair of high-severity vulns in 2025 (and the somewhat difficult mitigation) because that could hit anyone.
> Olm/Megolm does not offer forward secrecy for group messaging
Megolm does provide forward secrecy - just in blocks of messages. If a message key gets stolen, an attacker could decrypt subsequent messages from that sending device until the next session begins: by default this happens either after 100 msgs have been sent, a week has elapsed, or if the room membership changes. Most folks consider this to be adequate perfect secrecy.
In terms of the Matrix Fdn being incorporated in the UK… I guess that means one shouldn’t use the Internet, given IETF is US incorporated? :)
Re. security of old keys/sessions/messages after compromise of some current state (i.e. notions like forward security):
Do Matrix clients still keep the oldest version of the Megolm ratchet they have ever received? When I last looked (around 2024), the libraries maintained by the Matrix.org core team did.
This means that, while Megolm has a ratchet that can be used to provide forward security, no Matrix implementation that I am aware of does this. This seems to me to be because other features of the Matrix specification rely on continued access to these old keys (like Megolm key backups and history sharing).
Re. security of new keys/sessions/messages after compromise of some current state (i.e. notions like post-compromise security, future secrecy):
My understanding is that, while a _sender_ will rotate Megolm sessions every 100 or so messages, recipients tend not to: clients will accept ciphertexts sent from those old sessions for an indefinite period of time. Again, I haven't been following developments in the Matrix world for a little while, so please correct me if I'm wrong.
This seems (to me) to be for similar reasons to the above: recipients keep around the recipient sessions so they can be backed up and shared with new devices (for history sharing). But (!) Matrix could get way better authentication guarantees if they just _disabled accepting messages_ from these old sessions at the same schedule as the sender stops using them.
--
These are not unreasonable compromises (there aren't too many attempts to square this circle, and most that I'm aware of are quite academic) but it's worth making clear that just because Olm/Megolm/the Matrix spec have particular features, it doesn't mean they are used properly to give the security guarantees we would naively expect from their composition. At least, this is the case for almost all Matrix clients that I'm aware of.
> In terms of the Matrix Fdn being incorporated in the UK… I guess that means one shouldn’t use the Internet, given IETF is US incorporated? :)
The outputs of the IETF are RFCs. The Matrix foundation does more directly oversee the "de-facto" Matrix, so has more influence, could bow to government pressure or changing laws, etc. etc.
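The trade-off argued over in the comments above, as an added example that is not part of the thread and is not Matrix or libolm code: a simplified single-chain hash ratchet (real Megolm uses a four-part ratchet) showing why a recipient that keeps the earliest ratchet state can still derive old message keys, and what a recipient-side acceptance window mirroring the quoted sender schedule (100 messages, one week) would look like. The class, function names and the seed are assumptions made for illustration; rotation on membership change is not modelled.

```python
import hashlib
import hmac
from dataclasses import dataclass

MAX_MESSAGES = 100                 # "after 100 msgs have been sent" (from the thread)
MAX_AGE_SECONDS = 7 * 24 * 3600    # "a week has elapsed" (from the thread)


def advance(state: bytes) -> bytes:
    """One-way ratchet step. Simplified: one chain, not Megolm's four parts."""
    return hmac.new(state, b"ratchet", hashlib.sha256).digest()


def message_key(state: bytes) -> bytes:
    """Per-message key derived from the ratchet state at that message index."""
    return hmac.new(state, b"message-key", hashlib.sha256).digest()


@dataclass
class InboundSession:
    """Hypothetical recipient-side view of one sender session."""
    state: bytes               # earliest ratchet state this device still holds
    index: int                 # message index that `state` corresponds to
    created_at: float          # time the session was first received, in seconds
    keep_oldest: bool = True   # True models the retention described in the thread

    def key_for(self, msg_index: int) -> bytes:
        """Return the key for msg_index, or raise if the state has moved past it."""
        if msg_index < self.index:
            raise KeyError("ratchet state for this index has been discarded")
        state = self.state
        for _ in range(msg_index - self.index):
            state = advance(state)
        if not self.keep_oldest:
            # Forward-secure variant: forget every state up to msg_index.
            # (Out-of-order delivery would need a cache of skipped keys.)
            self.state, self.index = advance(state), msg_index + 1
        return message_key(state)

    def accepts(self, msg_index: int, now: float) -> bool:
        """Recipient-side mirror of the sender's rotation schedule."""
        within_count = msg_index < MAX_MESSAGES
        within_age = (now - self.created_at) <= MAX_AGE_SECONDS
        return within_count and within_age


def demo() -> dict:
    seed = hashlib.sha256(b"constructed session seed").digest()  # constructed sample
    retaining = InboundSession(seed, 0, created_at=0.0, keep_oldest=True)
    discarding = InboundSession(seed, 0, created_at=0.0, keep_oldest=False)

    # Both devices read message 5 and obtain the same key.
    same_key = retaining.key_for(5) == discarding.key_for(5)

    # Device state is captured after message 5. Can message 2 still be derived?
    expected_k2 = message_key(advance(advance(seed)))
    retained_rederives_old = retaining.key_for(2) == expected_k2
    try:
        discarding.key_for(2)
        discarded_rederives_old = True
    except KeyError:
        discarded_rederives_old = False

    return {
        "same_key": same_key,
        "retained_rederives_old": retained_rederives_old,
        "discarded_rederives_old": discarded_rederives_old,
        "accepts_msg_99": retaining.accepts(99, now=3600.0),
        "accepts_msg_100": retaining.accepts(100, now=3600.0),
        "accepts_after_week": retaining.accepts(10, now=MAX_AGE_SECONDS + 1.0),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The retention that breaks forward secrecy here is the same retention that key backup and history sharing depend on, which is the tension the commenter describes.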
Thanks for the info, what do you think about Delta chat?
The cryptography is sound, however, it's also frequently changing, in addition to straying from standards more or less. This makes it difficult to give a firm answer.
This ETH (i.e. Zurich) paper[0] identified several exploitable vulnerabilities (bad), which were quickly addressed by delta chat (good).
So overall, I'd see it as a good messenger, but with downsides.
[0]: https://www.usenix.org/system/files/usenixsecurity24-song-yu...
Which tool did you guys end up using?
Never heard of Matrix before (as a protocol), what's its advantage over XMPP?
https://xkcd.com/927/
Why govt needs e2ee? Transparency is all we need.
I deleted my matrix account after I received some very nasty spam in the form of an Element Android notification. I think it wasn't Matrix's direct fault, but as I used some Matrix chat groups and the list of members was public .. But I got really alarmed and angry when I received such disgusting spam.