I think it would be a mistake to reject Matrix outright. Even if it's not perfect, it would still be a good starting point from which to build something better. Besides, you don't have to replace Discord with the perfect solution, just with something that's better than Discord and where there's no company behind it that can steer it in a negative direction again, as happened with Discord.
The writer of this blog is a cryptographer. They're primarily focused on security, first and foremost, and when people ask for their advice, they're probably concerned about security, too.
The Matrix devs demonstrated an alarmingly cavalier attitude towards fundamental security issues that the writer pointed out in the past, so they are naturally not going to encourage its use.
The devil is in the details on this. The core concern was that libolm (the obsolete C impl of e2ee in Matrix) used crypto primitives which don’t protect from timing attacks.
However, in practice, this was not exploitable: the only way to exercise these primitives was over the network, where network latency and request rate limiting mitigate such attacks.
Meanwhile, we had already rewritten and replaced libolm with vodozemac, a pure Rust implementation using robust primitives, shipped in the major Matrix SDKs and implementations like Element and Element X.
I’m not sure this counts as alarmingly cavalier. I do regret libolm ever going into production with substandard primitives from a hygiene perspective, but we fixed it as soon as we could via vodozemac, and meanwhile included the safety warning.
The part that was "alarmingly cavalier" was when you admitted to knowing about these problems for years and not fixing them or telling the ecosystem of competing clients about them so they could mitigate their risk. https://news.ycombinator.com/item?id=41249371
You visibly deprecated Olm after my disclosures went public. When I last checked, only Element and its forks actually use vodozemac, so the rest of the ecosystem which still binds libolm was still vulnerable, and probably still is today.
That's alarmingly cavalier.
>just with something that's better than Discord
I mean, that's the entire issue. There's very little tangibly better than Discord. I like the idea of Matrix, but it's complete garbage in practice.
At least for now, the solution lies more in mass outrage and action rather than any technological migration. The post raises this and I think it's a good point.
Also, the fetishism for federation has got to stop. It's only barely workable in asynchronous environments like the Fediverse, but on a live chat service it's ruinous. It feels like it's half of what's suffocating Matrix.
It works fine in chat, been using it for years
IDK, XMPP group chats have always "jest werked" for me (though admittedly I haven't used them much).
The difference between XMPP group chats and Matrix group chats is that Matrix servers replicate all the message history, whereas XMPP group chats are hosted on a single server. IMO the "bring your own account to a central server" model of XMPP is a good thing, but the "replicate all the things" model of Matrix is not.
Element is way better these days. Not many people know this but the Matrix team upgraded Synapse last year to support hundreds of simultaneous voice/video users without the need for that shitty Jitsi. They aren’t advertising bullshit to you all the time. The ACLs for spaces and rooms are more granular and expressive. Your data isn’t training AI models used by people that want to enslave you. You have control where your data resides for protections by jurisdiction. Element has web embeddings for links now, it has all the platforms supported, it’s easy to verify sessions and back up your key. They support SSO external auth. What more can you want?
Ultimately nothing can match the UX of Discord, but if you can convince someone to accept a bit of jank in exchange for freedom, Matrix is the best choice.
Why are Zulip and Mattermost not considered here? To be clear, I am a former Mattermost user who would no longer recommend them, but I am considering Zulip now as a replacement.
https://github.com/zulip/zulip/issues/6096
Still not implemented.
Maybe they are not for furries?
Related:
Discord Alternatives, Ranked
https://news.ycombinator.com/item?id=46949564
What about SimpleX? Is it good? Did somebody try it?
It's basically a replacement for SMS, not anything near what Discord does.
My community (30 members or so) of hackers switched to Matrix last October because we were expecting draconian policy which would attempt to unmask and chronicle our members' identities and sentiments. We now spend more than we did with Discord but the data sovereignty is worth it. Not a plug per se, but we host our international community members' content out of Germany using federated.computer.
In recent days people have been coming out of the woodwork trying to join again.